THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision | Publish Date | Comments |
---|---|---|
1.0 |
08-Aug-23 |
Initial Release |
Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments |
---|---|---|---|---|
NON-IOS |
IOSXE |
17 |
17.11.1a |
Defect ID | Headline |
---|---|
CSCwc72594 | SNMP should not allow weak authentication and privacy algorithms for v3 user |
In IOS XE release 17.11.1a and later, weak cryptographic algorithms, specifically MD5 for authentication; DES and 3DES for encryption, are no longer allowed by default due to their vulnerabilities. If you are upgrading an affected system to Release 17.11.1a or later, you must make a configuration change; otherwise, SNMP will be disabled.
Cisco IOS XE software allows the use of weak crypto algorithms with SNMP for users who need that capability to provide backwards compatibility. Prior to Cisco IOS XE Release 17.11.1a, these weak crypto algorithms are available by default. In Release 17.11.1a and later, these algorithms are disabled by default due to the risk they present. You must explicitly enable them in the configuration to continue to use them.
If the weak crypto algorithms are not updated to use stronger algorithms, or if the configuration is not explicitly enabled to allow weak crypto algorithms prior to the 17.11.1a upgrade, then SNMP v3 users with such configuration will be disabled. This will result in service interruptions for SNMP after the upgrade and remote SNMP operation to the device will fail.
Device(config)#snmp-server user <username> <grpname> v3 auth md5 <password>
weaker algorithm MD5, DES and 3DES is not allowed for snmp user
Device(config)#snmp-server user <username> <grpname> v3 auth md5 <password> priv des <password>
weaker algorithm MD5, DES and 3DES is not allowed for snmp user
The following SNMP functions will be impacted:
SNMP set, get, get-bulk, and snmpwalk operations from the management station.
SNMP trap and inform will not be sent from the device.
Recommended Solution
The solution is to update to stronger cryptographic algorithms, specifically SHA or SHA-2 as the authentication protocol; and AES as the privacy protocol for the SNMP v3 user.
Prior to upgrading to IOS XE release 17.11.1a or later, identify if any of the affected algorithms (MD5, DES, 3DES) are in use by running the following command:
Device#show snmp user
User name: test-user
Engine ID: 80000009030000505684BD11
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: test-group
To update these algorithms, use the following configuration command:
snmp-server user <username> <groupname> v3 auth <sha|sha-2(256, 384, 512)> <password> priv aes <128|192|256> <password>
Workaround (Not Recommended)
If it is not possible to update the SNMP v3 user with stronger crypto algorithms, then the following configuration command is required to continue to use the weak algorithms:
Device(config)#crypto engine compliance shield disable
Note: This command is only available in Cisco IOS XE Release 17.7.1a and later and will only take effect after a reboot. Cisco does NOT recommend this option as these weak cryptographic algorithms are insecure and do not provide adequate protection from modern threats. This command should only be used as a last resort.
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.