So this popped up in my Twitter feed today, and some slight panic set in, as we have clients with Cisco switches and router. A quick check showed we have 107 Cisco devices out in the wild.
Time to check if any of our devices are affected, and establish what the risks are.
Lots of running show running-config | begin crypto and looking for the crypto PKI trustpoint configuration to see if it expires on 01 Jan 2020.
- SIP over TLS calls will not complete.
- Devices registered to Cisco Unified CME with encrypted signaling enabled will no longer function.
- Cisco Unified SRST with encrypted signaling enabled will not allow devices to register.
- Cisco IOS dspfarm resources (Conference, Media Termination Point, or Transcoding) with encrypted signaling enabled will no longer register.
- STCAPP ports configured with encrypted signaling will no longer register.
- Calls through a gateway using MGCP or H.323 call signaling over IPSec without a pre-shared key will fail.
- API calls that use the Cisco Unified Communications Gateway Services API in Secure Mode (using HTTPS) will fail.
- RESTCONF might fail.
- HTTPS sessions to manage the device will display a browser warning which indicates that the certificate has expired.
- AnyConnect SSL VPN sessions will fail to establish or report an invalid certificate.
- IPSec connections will fail to establish.
Thankfully Cisco do provide a solution, but we do need to see what other impact IOS upgrade would have.
The solution is to deploy one upgrade the Cisco IOS or Cisco IOS XE software to a release that includes the fix:
- Cisco IOS XE Software Release 16.9.1 and later
- Cisco IOS Software Release 15.6(3)M7 and later; 15.7(3)M5 and later; or 15.8(3)M3 and later
After you upgrade the software, you must ALSO regenerate the self-signed certificate and export it to any devices that might require the new certificate in their trust-store.
End result is 37 devices affected. Now to run some tests and apply updates.