THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision | Publish Date | Comments |
---|---|---|
1.0 | 08-Aug-23 | Initial Release |
Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments |
---|---|---|---|---|
NON-IOS | IOSXE | 17 | 17.11.1a | |
Defect ID | Headline |
---|---|
CSCwc72594 | SNMP should not allow weak authentication and privacy algorithms for v3 user |
In IOS XE Release 17.11.1a and later, weak cryptographic algorithms (MD5 for authentication, and DES and 3DES for encryption) are no longer allowed by default because of their known weaknesses. If you are upgrading an affected system to Release 17.11.1a or later, you must make a configuration change first; otherwise, SNMP will be disabled for the affected users.
Cisco IOS XE software allows the use of weak crypto algorithms with SNMP for users who need that capability to provide backwards compatibility. Prior to Cisco IOS XE Release 17.11.1a, these weak crypto algorithms are available by default. In Release 17.11.1a and later, these algorithms are disabled by default due to the risk they present. You must explicitly enable them in the configuration to continue to use them.
If the SNMP v3 users are not updated to stronger algorithms, and the configuration that explicitly allows weak crypto algorithms is not enabled before the upgrade to 17.11.1a, then SNMP v3 users configured with those weak algorithms will be disabled. This results in an SNMP service interruption after the upgrade, and remote SNMP operations against the device will fail. For example, the following commands are rejected on an upgraded device:
Device(config)#snmp-server user <username> <grpname> v3 auth md5 <password>
weaker algorithm MD5, DES and 3DES is not allowed for snmp user
Device(config)#snmp-server user <username> <grpname> v3 auth md5 <password> priv des <password>
weaker algorithm MD5, DES and 3DES is not allowed for snmp user
The following SNMP functions will be impacted:
SNMP set, get, get-bulk, and snmpwalk operations from the management station.
SNMP trap and inform will not be sent from the device.
Recommended Solution
The solution is to update the SNMP v3 user to stronger cryptographic algorithms: SHA or SHA-2 as the authentication protocol, and AES as the privacy protocol.
Prior to upgrading to IOS XE release 17.11.1a or later, identify if any of the affected algorithms (MD5, DES, 3DES) are in use by running the following command:
Device#show snmp user
User name: test-user
Engine ID: 80000009030000505684BD11
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: test-group
To update these algorithms, use the following configuration command (the password values must be re-entered, because they cannot be recovered from the show output):
snmp-server user <username> <groupname> v3 auth <sha|sha-2(256, 384, 512)> <password> priv aes <128|192|256> <password>
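The check above is easy to do by eye for one user but tedious for a fleet of devices. The following script is an added example, not part of this field notice or Cisco's tooling: it parses captured `show snmp user` output, flags every user whose authentication protocol is MD5 or whose privacy protocol is DES or 3DES, and prints the replacement `snmp-server user ... v3 auth ... priv aes ...` command in the syntax given above. The sample output is constructed for the example (the second, already-compliant user and its `SHA`/`AES128` strings are an assumption about the display format), and the password fields in the generated command are left as placeholders because the show output does not contain them.

```python
"""Pre-upgrade audit of IOS XE SNMPv3 users for MD5/DES/3DES (added example)."""

# Algorithms that IOS XE 17.11.1a and later reject by default.
WEAK_AUTH = {"MD5"}
WEAK_PRIV = {"DES", "3DES"}

# Mapping from 'show snmp user' field labels to the keys we keep.
FIELDS = {
    "User name": "name",
    "Authentication Protocol": "auth",
    "Privacy Protocol": "priv",
    "Group-name": "group",
}

# Constructed sample output: one user on weak algorithms, one already compliant
# (the compliant user's display strings are an assumption, not taken from the notice).
SAMPLE_OUTPUT = """\
User name: test-user
Engine ID: 80000009030000505684BD11
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: test-group

User name: mon-user
Engine ID: 80000009030000505684BD11
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: mon-group
"""


def parse_show_snmp_user(output: str) -> list[dict]:
    """Split 'show snmp user' output into one dict per user block."""
    users, current = [], None
    for raw in output.splitlines():
        line = raw.strip()
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank or unrecognised line
        key, value = key.strip(), value.strip()
        if key == "User name":
            # A new block starts with the user name; later lines fill it in.
            current = {"name": value, "auth": "", "priv": "", "group": ""}
            users.append(current)
        elif current is not None and key in FIELDS:
            current[FIELDS[key]] = value
    return users


def is_weak(user: dict) -> bool:
    """True when the user would be disabled by the 17.11.1a default policy."""
    return user["auth"].upper() in WEAK_AUTH or user["priv"].upper() in WEAK_PRIV


def remediation_command(user: dict, auth: str = "sha", aes_bits: int = 128) -> str:
    """Build the replacement command from the notice's syntax.

    Passwords are not visible in show output, so they stay as placeholders.
    Users with no privacy protocol ('None' or empty) get an auth-only command.
    """
    cmd = f"snmp-server user {user['name']} {user['group']} v3 auth {auth} <auth-password>"
    if user["priv"] and user["priv"].upper() != "NONE":
        cmd += f" priv aes {aes_bits} <priv-password>"
    return cmd


def audit(output: str) -> list[dict]:
    """Return one finding per weak user: name, current algorithms, fix command."""
    return [
        {"name": u["name"], "auth": u["auth"], "priv": u["priv"],
         "fix": remediation_command(u)}
        for u in parse_show_snmp_user(output)
        if is_weak(u)
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT):
        print(f"{finding['name']}: auth={finding['auth']} priv={finding['priv']}")
        print(f"  fix: {finding['fix']}")
```

Run it against the saved output of `show snmp user` from each device before scheduling the upgrade; any user it lists must be reconfigured (or the device must carry the explicit weak-crypto configuration) or SNMP access for that user stops working after the reboot into 17.11.1a.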
Workaround (Not Recommended)
If it is not possible to update the SNMP v3 user to stronger crypto algorithms, the following configuration command is required in order to continue using the weak algorithms:
Device(config)#crypto engine compliance shield disable
Note: This command is only available in Cisco IOS XE Release 17.7.1a and later and will only take effect after a reboot. Cisco does NOT recommend this option as these weak cryptographic algorithms are insecure and do not provide adequate protection from modern threats. This command should only be used as a last resort.
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: