cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6638
Views
20
Helpful
11
Replies

update to 2.5.8.12 login problem

Peter __
Level 1
Level 1

Just a warning if you have special characters in your password at the start and update to 2.5.8.12 you may not be able to login.

 

Recommend you make another admin user and backup your config 

 

Should you be locked out you have to reset login with cisco default change password Swap firmware Image to old 2.5.7.85 reboot then load your config login change your password then Swap firmware Image to new 2.5.8.12 and your up and running again. 

11 Replies 11

marce1000
VIP
VIP

 

          - Useful but you also may want to specify the device/model which gave you this problem.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

SG350-10 10-Port Gigabit but guess other models will have the same problem 

matthew1471
Level 1
Level 1

Same problem with SG350-10MP.. This is a stupid bug and will catch anyone out who cares about security!

How to reset password: https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-small-business-300-series-managed-switches/smb4985-administrator-password-recovery-for-300-and-500-series-manag.html

Fully agree ! This is not funny whether or not it can be solved via password reset.

I did not experience this issue upgrading an SG350X-12PMV from v2.5.7.85 to v2.5.8.12. (Password 60+ characters/350+ bits/multi-case alphanumeric plus special characters.)

Martin Aleksandrov
Cisco Employee
Cisco Employee

Hello,

 

You may need to log a case with the TAC so they can investigate and eventually file a bug. Following the standard process, this can be escalated and fixed with some of the next firmware releases.

 

Thanks,

Martin

matthew1471
Level 1
Level 1

According to the release notes the password encryption changed between 2.5.5.47 and 2.5.7.85 but I had no problems with that release.

I have verified that the username line in my config file was the same in an externally backed up 2.5.7.85 config file as when I recovered it from 2.5.8.12 using the console cable.

My password I've now checked was/is exactly 20 characters long with just lowercase and uppercase alphanumerics (it had no special characters).

What is possible is between 2.5.5.47 and 2.5.7.85 my password age was not updated and between 2.5.7.85 and 2.5.8.12 it had erroneously expired.

 

Resetting it using a console cable to exactly the same password as before works fine.. of course the line now looks different due to a different password age (presumably the date the password was set is stored in there) and salt ("In current release user credentials are salted and hashed using PBKDF2 based on HMAC-SHA-512 hash").

 

So while I haven't changed the outcome - I can bring clarity that it's unlikely to be specific passwords or a config upgrade issue that is causing the issue rather password expiry.

 

In my 2.5.5.47 config I had no reference to ageing but in 2.5.7.85+ I have "passwords aging 0 ", I wonder if there's an expiry bug we will see in the default ageing period (potentially 180 days). I'll keep my console cable handy.

Same issue with SG250X and 2.5.8.12. Update completed, rebooted and now "invalid password". 16 lenght with only & and ^ as special chars. Rest numbers and letters (mixed case)

Another SG350X updated at the same time (same version number), with the same password complexity and lenght has no issue. 16 lenght with only @ and ^ as specials chars. Rest numbers and letters (mixed case)

Cristian-P
Level 1
Level 1

I have the same issue on a SG250-26 with the firmware 2.5.8.15. After the update was finished, I switched the boot version with the new firmware, rebooted the device and I am unable to login. The password contains only alpha-numeric characters and an *

 

I saw a couple of what I believe that are related issues, after the firmware upgrade.

 

This is very annoying, because I personally don't have physical access to the switch. Also, the SG250 does not have CLI in order to reset the password, and you are only left with the option to reset the switch.

 

Maybe CISCO is trying now to force some users to buy more expensive devices.

pchristian1
Level 1
Level 1

Having this same exact problem right now. Though I updated the firmware quite some time ago. I've been able to log in and out with no problems for a long time.

Switches went offline due to a recent and prolonged power outage. Now I can no longer login to this specific switch with that specific FW.

 

I know that the config and password is good though because I can still contact the switch with a specific snmp string, and get specific outputs. Sadly it's RO access though.

In this case, it'd be really helpful if there were exploit code publicly available for the remote code execution vulnerability they announced last month. Hahah...

 

To clarify on how I know the config and therefore the password are "good", is that the password to login to the webgui and the specific snmp community string were set at the same time.

I'm longer able to login to the webgui because of an alleged invalid username/password. Yet, I'm able to connect via our specific snmp string.