{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/nexus-9000-series-fabric-switches-in-aci-mode/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.4,"id":"CVE-2023-20185"}],"_cs_exploited":false,"_cs_products":["Nexus 9000 Series Fabric Switches in ACI mode"],"_cs_severities":["high"],"_cs_tags":["cve-2023-20185","information-disclosure","network"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eA vulnerability exists within the Cisco ACI Multi-Site CloudSec encryption feature of Cisco Nexus 9000 Series Fabric Switches when operating in ACI mode. This flaw enables an unauthenticated, remote adversary to potentially decipher and manipulate encrypted traffic traversing between sites. The vulnerability, identified as CVE-2023-20185, originates from an issue in the cipher implementation employed by the CloudSec encryption feature. Cisco has deprecated and removed the affected ACI Multi-Site CloudSec encryption feature.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker establishes a network position on-path between ACI sites.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts intersite encrypted traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the captured traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the weak cipher implementation.\u003c/li\u003e\n\u003cli\u003eThe attacker decrypts the intercepted traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker reads sensitive data within the decrypted traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the decrypted traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker re-encrypts (or forwards unencrypted) the modified traffic toward the destination.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2023-20185 allows unauthorized reading and modification of data transmitted between ACI sites. The impact can range from data breaches and intellectual property theft to manipulated financial transactions and compromised control systems. The lack of a workaround necessitates immediate action to mitigate the risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply configuration changes to remove usage of the CloudSec encryption feature.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual patterns indicative of man-in-the-middle attacks targeting intersite communication.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect potential exploitation attempts targeting intersite traffic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-cisco-aci-cloudsec/","summary":"A vulnerability in Cisco ACI Multi-Site CloudSec encryption allows a remote attacker to read or modify intersite encrypted traffic due to a flaw in cipher implementation.","title":"Cisco ACI Multi-Site CloudSec Encryption Information Disclosure Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-aci-cloudsec/"}],"language":"en","title":"CraftedSignal Threat Feed — Nexus 9000 Series Fabric Switches in ACI Mode","version":"https://jsonfeed.org/version/1.1"}