Cisco not patching Nexus switch vulnerability

By

Broken encryption.

Cisco has disclosed a serious vulnerability in the encryption used in some of its Nexus 9000 switches, but said the bug will not be fixed.

Cisco not patching Nexus switch vulnerability

“A vulnerability in the Cisco ACI [application-centric infrastructure] multi-site CloudSec encryption feature of Cisco Nexus 9000 Series fabric switches in ACI mode could allow an unauthenticated, remote attacker to read or modify intersite encrypted traffic,” Cisco’s advisory states.

The impact is that an attacker on the path between ACI sites could intercept encrypted traffic, apply cryptanalysis to break the encryption, and “read or modify” traffic transmitted between two sites.

The bug is present in Cisco Nexus 9332C and Nexus 9364C switches and the Cisco Nexus N9K-X9736C-FX line card, and the advisory says encryption on these devices should be turned off.

However, this vulnerability, which is rated High with a CVSS score of 7.4, will not be fixed.

“Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability”, the company stated.

“Customers who are currently using the Cisco ACI multi-site CloudSec encryption feature for the Cisco Nexus 9332C and Nexus 9364C switches and the Cisco Nexus N9K-X9736C-FX line card are advised to disable it and to contact their support organisation to evaluate alternative options.”

Since there’s no fix available, affected units will presumably have to be replaced.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Eagers Automotive finds unauthorised access to parts of IT systems

Eagers Automotive finds unauthorised access to parts of IT systems

Hackers hit Victoria's court recording database

Hackers hit Victoria's court recording database

St Vincent's Health Australia warns cyber attack forensics could "take some time"

St Vincent's Health Australia warns cyber attack forensics could "take some time"

Yakult Australia confirms cyber incident

Yakult Australia confirms cyber incident

Log In

  |  Forgot your password?