Cisco has disclosed a serious vulnerability in the encryption used in some of its Nexus 9000 switches, but said the bug will not be fixed.
“A vulnerability in the Cisco ACI [application-centric infrastructure] multi-site CloudSec encryption feature of Cisco Nexus 9000 Series fabric switches in ACI mode could allow an unauthenticated, remote attacker to read or modify intersite encrypted traffic,” Cisco’s advisory states.
The impact is that an attacker on the path between ACI sites could intercept encrypted traffic, apply cryptanalysis to break the encryption, and “read or modify” traffic transmitted between two sites.
The bug is present in Cisco Nexus 9332C and Nexus 9364C switches and the Cisco Nexus N9K-X9736C-FX line card, and the advisory says encryption on these devices should be turned off.
However, this vulnerability, which is rated High with a CVSS score of 7.4, will not be fixed.
“Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability”, the company stated.
“Customers who are currently using the Cisco ACI multi-site CloudSec encryption feature for the Cisco Nexus 9332C and Nexus 9364C switches and the Cisco Nexus N9K-X9736C-FX line card are advised to disable it and to contact their support organisation to evaluate alternative options.”
Since there’s no fix available, affected units will presumably have to be replaced.