Offices could end up deserted on Fridays if four-day work weeks become the norm – Copyright AFP Jim WATSON
Cisco have released a security advisory on a vulnerability (CVE-2023-20185) that impacts its ACI Multi-Site CloudSec encryption on Cisco Nexus 9000 Series Fabric Switches. Cisco shared with the business community that it will not be releasing any patches and there are no workarounds.
The vulnerability could allow an unauthenticated, remote attacker to read or modify inter-site encrypted traffic. Here, a successful exploit could allow the attacker to read or modify the traffic that is transmitted between the sites.
Josh Stephen provides advice on how to approach a CVE released by Cisco. Stephen is CTO of BackBox and has decades of experience in network operations and engineering.
Putting the security issue in context, Stephen says: “According to Statista, in 2022, internet users worldwide discovered over 25 thousand new common IT security vulnerabilities and exposures (CVEs), the highest reported annual figure to date. In addition, CVEs increased by 25 percent from 2021 to 2022.”
Looking at the issue in hand, Stephen discusses the significance: “This particular vulnerability only impacts Cisco Nexus 9332C, 9364C, and 9500 spine switches (the last ones equipped with a Cisco Nexus N9K-X9736C-FX Line Card) only if they are in ACI mode, are part of a Multi-Site topology, have the CloudSec encryption feature enabled, and are running firmware 14.0 and later releases.”
In terms of the implications for impacted firms, Stephen observes: “The big initial challenge for network engineers is to identify if this very specific vulnerability will impact their network that’s likely comprised of hundreds or even thousands of switches.”
This is not straightforward and brings with it challenges, notes Stephen: “The increased vulnerabilities and need for patches, and the fact that most vulnerabilities require an OS update in order to patch, make investigating and patching vulnerabilities increasingly disruptive and time-consuming. The only way to resolve this issue and help network engineers and operations keep the network secure is cross-vendor automation that includes compliance and is scalable.”
The process is also likely to be lengthy: “Without a network source of truth that’s always accurate and up to date, the process to figure out if you’re even impacted could take a very long time. It could mean poring through a spreadsheet listing all devices, and then logging into the potentially affected devices one by one, and running commands to check the model number and software versions are installed. If you have a network source of truth, you can run a query and immediately find out if you have been exposed.”
In terms of further advice, Stephen advises: “After investigating exposure, if there is sensitive traffic that you’re worried about, then you need to consider rearchitecting something or changing some route tables. You may now be thinking about what you need to do to protect your company before upgrading or replacing the switches.”
Going forwards, Stephen recommends: “Usually within a few days after identifying a vulnerability, the manufacturer will release a patch or new version of the software and the mitigation would be to perform an upgrade. Once you’ve mitigated the risk with a temporary solution, you wait until the vendor provides a patch, validate that it’s functioning correctly, and then re-route traffic to its original path. If you have a network automation platform, that will take care of the upgrade. While necessary, any change, even an upgrade, can introduce operational or security vulnerabilities. Upgrade automation needs reliable instant restore or fallback. If something goes wrong, you want to be able to roll back to where you started. You need something that has a retry loop in it.”
