THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Affected Software Product | Affected Release | Affected Release Number | Comments |
---|---|---|---|
Base Software | RI.2024 | RI.2024.01, RI.2024.02, RI.2024.03, RI.2024.04, RI.2024.05, RI.2024.06, RI.2024.07, RI.2024.08, RI.2024.09, RI.2024.10, RI.2024.11, RI.2024.12 | This Field Notice affects the following applications: BroadWorks Application Server (AS), BroadWorks Execution Server (ES), BroadWorks Media Server (MS), BroadWorks Network Function Manager (NFM), BroadWorks Profile Server (PS) |
Defect ID | Headline |
---|---|
CSCwn59843 | SSH clients and SFTP will fail to connect to SSH servers after upgrade |
When upgrading Cisco BroadWorks servers to releases RI.2024.01 to RI.2024.12, some clients fail to connect to SSH servers if the servers are configured to use the diffie-hellman-group-exchange-sha1 or diffie-hellman-group-exchange-sha256 key exchange algorithms with a diffie-hellman key size that is not a multiple of 64.
This affects the following groups of clients:
Note: These services are only impacted when trying to connect to servers that use diffie-hellman-group-exchange-sha1 or diffie-hellman-group-exchange-sha256 key exchange algorithms with a diffie-hellman key size that is not a multiple of 64.
Cisco determined that the /etc/ssh/moduli file, which specifies the moduli used for the diffie-hellman group exchange algorithms, may contain entries on Cisco BroadWorks nodes whose key size is not a multiple of 64.
Cisco BroadWorks customers may experience issues when running CDR reports, SNMP reports, pushing device management files, or pushing files to new BroadWorks servers. Enterprise migrations may fail when attempting to push a file, the node controller might fail to execute the BIND command, and the software controller might fail to apply patches.
The ApacheMinaSshdLog input channel logs may display an error message as shown in the following example:
InvalidAlgorithmParameterException[DH key size must be multiple of 64, and can only range from 512 to 8192 (inclusive). The specific key size 2070 is not supported]
Solution
To resolve this issue, customers must upgrade all Cisco BroadWorks nodes (AS, NS, MS, XS, PS, and NFM servers) to Cisco BroadWorks Release RI.2025.01, which disables diffie-hellman-group-exchange-sha1 and diffie-hellman-group-exchange-sha256.
Workaround
There is no workaround for this issue.
To determine if a Cisco BroadWorks node is affected, use an OpenSSH client and connect to each BroadWorks node. Once connected to the Cisco BroadWorks node, inspect the /etc/ssh/moduli file. This file specifies the moduli used for the diffie-hellman group exchange algorithms. The Size column contains a number that corresponds to the diffie-hellman key size minus one. For example, if an entry in /etc/ssh/moduli has a size of 2047, then the key size is 2048, which is a multiple of 64. If, for any entry, Size + 1 is not a multiple of 64, then Cisco BroadWorks SFTP and SSH clients might fail to connect to this server if diffie-hellman-group-exchange-sha1 or diffie-hellman-group-exchange-sha256 is negotiated as the key-exchange algorithm.
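The check described above, scripted so it can be run on each node after connecting: an added example, not a Cisco-provided tool. It assumes the standard OpenSSH moduli layout (whitespace-separated columns time, type, tests, tries, size, generator, modulus, with comment lines starting with `#`), so the Size column is field 5. The sample file it writes is constructed for illustration (shortened, non-prime modulus values); one entry deliberately has Size 2069, which yields the key size 2070 that appears in the error message quoted earlier in this notice.

```sh
#!/bin/sh
# Added example, not from the Cisco field notice: flag /etc/ssh/moduli entries
# whose diffie-hellman key size (Size column + 1) is not a multiple of 64.
# Assumed moduli layout: time type tests tries size generator modulus.

# Print every non-comment entry whose key size (Size + 1) is not a multiple
# of 64, and exit non-zero if at least one such entry exists.
# Usage: find_bad_moduli /etc/ssh/moduli
find_bad_moduli() {
    awk '!/^[[:space:]]*#/ && NF >= 7 && (($5 + 1) % 64) != 0 {
             bad++
             print "key size " ($5 + 1) " (Size " $5 "): " $0
         }
         END { exit (bad > 0) }' "$1"
}

# Return 0 when every entry in the file has a key size that is a multiple
# of 64 (the node is not affected), 1 otherwise.
moduli_ok() {
    find_bad_moduli "$1" > /dev/null
}

# Write a constructed sample moduli file to the given path. The modulus
# column is shortened and not a real prime; only the Size column matters here.
write_sample_moduli() {
    cat > "$1" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20240101000000 2 6 100 2047 2 DEADBEEF
20240101000000 2 6 100 2069 2 DEADBEEF
20240101000000 2 6 100 4095 5 DEADBEEF
EOF
}

# Stand-alone run against the constructed sample. On a BroadWorks node,
# replace "$SAMPLE_MODULI" with /etc/ssh/moduli.
SAMPLE_MODULI=$(mktemp)
write_sample_moduli "$SAMPLE_MODULI"
if moduli_ok "$SAMPLE_MODULI"; then
    echo "all moduli key sizes are multiples of 64"
else
    echo "WARNING: the following entries have key sizes that are not multiples of 64 (see CSCwn59843):"
    find_bad_moduli "$SAMPLE_MODULI"
fi
rm -f "$SAMPLE_MODULI"
```

Entries with Size 2047 and 4095 pass (key sizes 2048 and 4096); the Size 2069 entry is reported as key size 2070. Because the Size column stores the bit length minus one, the script adds one before applying the modulo test, exactly as the inspection procedure above describes.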
Version | Description | Section | Date |
---|---|---|---|
1.0 | Initial Release | — | 2025-MAR-05 |
For further assistance or for more information about this field notice, contact the Cisco Technical Assistance Center (TAC) using one of the following methods:
To receive email updates about Field Notices (reliability and safety issues), Security Advisories (network security issues), and end-of-life announcements for specific Cisco products, set up a profile in My Notifications.