cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
29715
Views
59
Helpful
34
Replies

CSCvo60450 - Encryption RC4/AES256 & MS AD CVE-2022-38023 patch

According to this bug, it stated:  When user authentication initiates from ISE, ISE will connect and send the encryption types that are supported (RC4, AES128, and AES256). This enhancement is for AD tuning to only send AES 256

This is exactly what I am seeing between my Cisco ISE version 3.1 patch-5 (latest patch) and Microsoft Windows Active Directory (AD).  My Cisco ISE is integrated with AD for user authentication.  In other words, the ISE has to communicate with AD for username and password.  When I capture the traffic on the ISE, I can clearly see the ISE sent RC4 to AD and AD responded back with RC4 with the RPC_Netlogon protocol, as seen below:

Cisco ISE to AD request:

Auth Info: NETLOGON Secure Channel, Packet privacy, AuthContextId(186703)
Auth type: NETLOGON Secure Channel (68)
Auth level: Packet privacy (6)
Auth pad len: 4
Auth Rsrvd: 0
Auth Context ID: 186703
Secure Channel Verifier
Sign algorithm: HMAC-MD5 (0x0077)
Seal algorithm: RC4 (0x007a)
Flags: 0000

This is the response from Active Directory:

Auth Info: NETLOGON Secure Channel, Packet privacy, AuthContextId(186703)
Auth type: NETLOGON Secure Channel (68)
Auth level: Packet privacy (6)
Auth pad len: 0
Auth Rsrvd: 0
Auth Context ID: 186703
Secure Channel Verifier
Sign algorithm: HMAC-MD5 (0x0077)
Seal algorithm: RC4 (0x007a)
Flags: 0000

The problem is that come April 2023, Microsoft will release a patch, AD CVE-2022-38023 patch, to start removing RC4 from Active Directory.  Does it mean the communication between Cisco ISE and Microsoft Active Directory will be broken?  

The Cisco bug ID CSCvo604 listed the following Known Affected Releases Cisco ISE versions:

003.002(000.542)  --> version 3.2
003.001(000.518)  --> version 3.1
003.000(000.458)  --> version 3.0
002.007(000.356)  --> version 2.7
002.006(000.903)  --> version 2.6
... and more versions after this.
 
The bug ID also does NOT list any known fixes releases.  Does that mean that I will have an outage when RC4 is removed from Active Directory in April with the Microsoft AD CVE-2022-38023 patch ?
 
TIA
 
34 Replies 34

Surendra
Cisco Employee
Cisco Employee

1. The update on April 11th will have no impact on ISE communication to Active Directory. That was the first urgent concern.
2. We are still communicating with Active Directory on less secure protocols, that is a longer term open item that will be addressed with a security advisory and fix to ISE. Once we have a timeline for a fix we'll work internally to get a Security Advisory out that can be tracked. In the mean time it is also tracked by CSCvo60450.

It is important to note that MS is enforcing only "RequireSeal" for RPC communication and irrespective of the setting for this registry, there is no tested impact with ISE - AD Communication. If customers decide to enforce not using RC4 by setting the "RejectMd5Clients" to 1 EXPLICITLY on their own discretion, then it is bound to fail as we do not use any other encryption method apart from this as it stands today. The change that is being brought by MS on April 11 or July 11 does not have any impact on ISE-AD communication with the tests that were done so far. Please keep a track of this bug to get any further notifications/updates on the timelines of having a better encryption method than we have today. It is our priority as well.

Thank you for taking the time to comment. 

Hello @Surendra , is there an update as 2023Jun and 2023-Jul-11 is approaching?

  • Can we expect a security advisory before 2023Jul11 ?
  • Can we expect a solution or workaround for customers who do intend to set "RejectMd5Clients" to 1 explicitly? If I understand well, those clients will have ISE-AD connection broken.

I guess an official document is preferred by Cisco to hundreds of TAC cases. (Count is 53 so far)

Thanks.

Any news in this matter since May? It seems that the change on the MS AD has no impact but still I am wondering if it is possible to disable RC4 at all on the ISE. Wouldn't this be a clean solution?

Or will this be implemented by Cisco in a software patch soon?

5840 Events 9th Aug.pngAm having same confusion , can somebody please clear the confusion.

my AD team has recently deployed the path CVE-2022-38023 and says that the 5840 event id is still not impacted ( as it just categorized as Warning ) my ISE Servers are still communicating with AD on RC4 ( find latest snap ) 

in future if the Microsoft removes the RC4 then what do i need to do on ISE ( do i need to do it manually if yes how to do it ..? 

 

As stated earlier in the thread, Cisco has an open Enhancement bug to support AES256 for this communication and the engineering team is currently working on this enhancement. More information will be available when the fix is available.
https://bst.cisco.com/bugsearch/bug/CSCvo60450

I don't think Cisco is taking security seriously.  This issue has been going on for at least ten years now.

Hi @Greg Gibbs ,

According to the status page of this bug, it is now "Fixed", but there are no fixed versions released.  Can you give an estimate as to when we can expect the patch?

According to the internal bug notes, this will be in the next patch release for all 3.x versions.

Current target ETAs (which could slip without notice) are mid-October for 3.2 p4 and end of November for 3.1 p8 and 3.3 p1.

Our Windows lead has said these event ids can be ignored. It is basically just saying the same thing everyone has been saying in this thread. RC4 is still going to be used by RPC_NETLOGON. Just "RequireSeal" and don't set "RejectMd5Clients".
As far as I know Microsoft doesn't have a timeline for removing RC4 from NETLOGON. If they do, ISE won't be the only system affected. Any non-Microsoft system that authenticates to AD (LINUX) will be affected.

 

p3sysnet
Level 1
Level 1

Hi and Happy New Year to all! Seems like an update for the known fixed releases are now released for weeks now. But unfortunately, the recommended version 3.2P4 is not included there. Only 3.1P8 and 3.3P1.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo60450

 

hslai
Cisco Employee
Cisco Employee

@p3sysnet The bug fix did not make it in time into ISE 3.2 Patch 4 but should be there in Patch 5. Please note that we cannot disclose any release ETA here.

@hslai:  Does it mean that in 3.2 patch-5, Cisco ISE will be using AES and NOT RC4 to communicate with Microsoft Active Directory for RPC_NETLOGON?

Confirmed issue is resolved in ISE 3.1 patch-8:

From ISE to Active Directory:

Secure Channel Verifier
Sign algorithm: HMAC-SHA256 (0x0013)
Seal algorithm: AES-128 (0x001a)
Flags: 0000
Sequence No: e697bb8f09964d7b
Packet Digest: a7edba5c662ccb43
Nonce: 969502ca6eec23f0
Microsoft Network Logon, NetrLogonSamLogonEx

From Active Directory back to ISE:

Auth Info: NETLOGON Secure Channel, Packet privacy, AuthContextId(64)
Auth type: NETLOGON Secure Channel (68)
Auth level: Packet privacy (6)
Auth pad len: 4
Auth Rsrvd: 0
Auth Context ID: 64
Secure Channel Verifier
Sign algorithm: HMAC-SHA256 (0x0013)
Seal algorithm: AES-128 (0x001a)
Flags: 0000
Sequence No: 4dd78fd7bee759a2
Packet Digest: 3d09bcc793447472
Nonce: dd5e957913f3438e

@adamscottmaster2013 Yes, as you demonstrated in your confirmation that ISE 3.1 Patch 8 negotiates and uses AES-128 as the seal algo.