Sunday, September 20, 2015

Cisco CUCM weak ephemeral Diffie-Hellman public key

At the time of this writing, one or more SSL vulnerabilities discovered in CUCM’s web server may suddenly prevent you from reaching the administrative interface. This is the result of various Internet browser upgrades that try to protect you from these vulnerabilities but, in the process, block access to the CUCM web pages. The good news is that because your CUCM servers are typically not exposed to remote users, the only threat would come from malicious users inside your network, and then only those extremely knowledgeable in these vulnerabilities and their possible exploits, and literate in Cisco CUCM or other UC applications. While a compromise of your CUCM server's security may be unlikely, keeping up to date with software patches and upgrades is prudent.

Your new browser looking out for your best interests.
For your reference, Cisco publishes information re: security advisories here:

Google has decided to be rather unforgiving (maybe call it condescending?) and not even provide an interactive way for a Chrome user to opt out of their security measures.

The real fix is to upgrade / patch your systems to versions that rectify the vulnerabilities.
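The error the browsers throw is about the size of the Diffie-Hellman prime the server sends in its ServerKeyExchange message. To see for yourself whether a server still offers a weak group after patching, the following added example (not from the original post, and not Cisco's code) parses a TLS 1.2 ServerKeyExchange record carrying DHE parameters and reports the prime size. The sample records are constructed in the script; the threshold of 1024 bits is the size below which 2015-era Firefox and Chrome started refusing the handshake.

```python
"""Parse a TLS 1.2 ServerKeyExchange (DHE) record and report the DH prime size.

Added example for this post; the record bytes built below are constructed,
not captured from a CUCM host.
"""
import struct

HANDSHAKE_RECORD = 22      # TLS ContentType handshake
SERVER_KEY_EXCHANGE = 12   # HandshakeType server_key_exchange


def _read_vector(buf, pos):
    """Read an opaque <1..2^16-1> vector (2-byte length prefix) at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated vector length")
    (length,) = struct.unpack("!H", buf[pos:pos + 2])
    pos += 2
    if pos + length > len(buf):
        raise ValueError("truncated vector body")
    return buf[pos:pos + length], pos + length


def parse_server_dh_params(record):
    """Return (p_bits, g, ys_bits) from a raw TLS record holding a DHE
    ServerKeyExchange. The signature that follows ServerDHParams is ignored.
    Raises ValueError for anything that is not such a record."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange message")
    hs_len = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hs_len]
    p, pos = _read_vector(msg, 0)    # dh_p
    g, pos = _read_vector(msg, pos)  # dh_g
    ys, pos = _read_vector(msg, pos)  # dh_Ys (server public value)
    p_bits = int.from_bytes(p, "big").bit_length()
    ys_bits = int.from_bytes(ys, "big").bit_length()
    return p_bits, int.from_bytes(g, "big"), ys_bits


def classify_dh_prime(bits):
    """Map a prime size to the verdict a 2015-era browser would give."""
    if bits < 1024:
        return "weak"       # rejected: 'weak ephemeral Diffie-Hellman public key'
    if bits < 2048:
        return "marginal"   # accepted by browsers, below current 2048-bit guidance
    return "ok"


def build_sample_record(p_bits):
    """Construct a ServerKeyExchange record whose dh_p has p_bits bits.
    The prime is a placeholder (top and bottom bits set); only its length
    matters for this check, so no real group is needed."""
    p = ((1 << (p_bits - 1)) | 1).to_bytes(p_bits // 8, "big")
    g = b"\x02"
    ys = (1 << (p_bits - 2)).to_bytes(p_bits // 8, "big")
    params = b"".join(struct.pack("!H", len(v)) + v for v in (p, g, ys))
    # signature omitted on purpose: the parser stops after dh_Ys
    hs = bytes([SERVER_KEY_EXCHANGE]) + len(params).to_bytes(3, "big") + params
    return bytes([HANDSHAKE_RECORD, 3, 3]) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for size in (768, 1024, 2048):
        p_bits, g, ys_bits = parse_server_dh_params(build_sample_record(size))
        print(f"dh_p={p_bits} bits g={g} dh_Ys={ys_bits} bits -> {classify_dh_prime(p_bits)}")
```

To run the same check against a live server rather than constructed bytes, feed the script the handshake record from a packet capture, or simply let OpenSSL 1.0.2 or later negotiate a DHE suite and read the "Server Temp Key" line it prints: `openssl s_client -connect <cucm-host>:<port> -cipher DHE` (host and port are placeholders). A reported size under 1024 bits is exactly what triggers the browser error described above.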

In the interim, there are workarounds for most browsers if you care to suggest your users go that route.

For Firefox (the one I use):
Navigate to about:config in the address bar.
Choose “I’ll be careful”
Search for security.ssl3.dhe_rsa_aes
Double click security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha to change them to false.
Restart Firefox.

For Chrome (I haven’t tried this personally, but it is the commonly referenced workaround):
In MS Windows, right click on desktop and choose New | Shortcut
In the location field, including the double quotation marks enter "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0039,0x0033
Choose Next and enter a name like “CUCM Chrome” and Finish.
You should be able to use that shortcut to start a copy of Chrome that can access the CUCM interface.
