MS KB 3161639/3161608 break CUCM – UCCX web access

The other week I ran into an instance where a group of customers were unable to access Cisco Unified Intelligence Center. Upon further investigation I was unable to get to admin pages of much of the collaboration suite and call control systems from these users’ computers either. The suite was on various versions of 9.0.X and 9.1.X due to restraints with many third party integrations. This issue will occur on anything using the cipher suite mentioned below and is not limited to these versions or applications. This is ultimately where the problem stems from but I’ll take you down the path.

To start I’m going to list the fixes in case you don’t want to read my troubleshooting methodology. Then I will walk you through my discovery and detail the fixes. Remember, which fix is correct for your situation will vary based on use case, security policies, etc.

Fix 1: Uninstall Microsoft Updates causing issue
Fix 2: Re-issue certificate (if possible) using strong ciphers (may require upgrading applications)
Fix 3: Use a different web browser
Fix 4: Re-order ciphers via Group Policy

As this issue just recently popped up I was attempting to diagnose the scope of the issue so I started gathering data. Attempting from my workstation I wasn’t having any issue getting to the pages. However, I use a different browser than the house wide standard. When I attempted using the standard browser I too was unable to access the web interfaces. So if it works in third party browsers but not Internet Explorer the question quickly becomes why?

I began to check with the team that rolls out Windows workstations and maintains their application and OS patching. They had indicated that patches for the previous month had been rolled out. Off to Programs and Features to find what may have been installed on my workstation. After digging through Microsoft’s site I found an update that had installed that indicated it had adjusted some cipher suites and their order. That seems like a logical option as I’ve run into many times where one browser can access a site but another can’t and it ends up related to the browser’s various security options. So, I open up the site in a browser that works and verify the certificate.

[Screenshot: Cert]

As we can see in the screenshot above the certificate blatantly indicates what cipher(s) it is using. So now it’s time to look at the ciphers before and after the Microsoft updates. I have obtained a list in order from a workstation with the update, and one without.

Prior to the update the cipher list was as follows:

As you can see the cipher that the certificate was using is at the top of the order. In this situation there is no issue getting to the admin pages. However, after the update the order of ciphers changes completely.

As we can see above there are now a bunch of ciphers preferred above the valid one our certificate is using. This is what ultimately ends up causing Internet Explorer to be unable to open the admin webpages. So now comes the question of…how do we fix it? There are a few options.

First, we can uninstall the updates that caused the cipher suite update. In this case to the best of my research abilities I have discovered three updates that could be potentially installed causing the cipher list to change.

https://support.microsoft.com/en-us/kb/3172605 is the July update that supersedes the June update below.
https://support.microsoft.com/en-us/kb/3161608 is the June update that is said to fix issues in the update below.
https://support.microsoft.com/en-us/kb/3161639 is the update that first re-ordered the ciphers

Naturally the ciphers were updated for improved security of the OS and Internet Explorer web browser, so uninstalling the update (especially since some were rollups of multiple updates) is likely a no go. This leads us to the question of updating the certificate.

While that sounds great, unfortunately some of the older collaboration and call control applications (as in CUCM, Unity Connection, UCCX, etc) do not give you an option of selecting a cipher suite when generating a certificate. You could update the application as a whole but you may have constraints around you that limit that ability.

An obvious option is to just plain out use a different web browser. Many of us working in the I.T. field likely already have multiple browsers but this impacted end users utilizing reporting dashboards and more. In an organization where standards are kept for user workstations another browser may not be allowed.

The final option I discovered before calling the issue resolved was to simply reorder the cipher suite manually. You can do this via Group Policy, either locally or business wide. To do it locally you open up Group Policy editor (in run dialog enter gpedit.msc) and navigate to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings. Under this section you can reorder the ciphers to your desired output. By putting the cipher in question at the top, access was re-established with the pages in question.
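To check a workstation before and after applying the policy, the following added PowerShell example (not part of the original post) reports which of the three updates listed above are installed and where a given suite sits in the effective order. The suite name is a placeholder because the post's cipher lists were screenshots; the two registry paths are where Windows keeps the policy-configured and default Schannel cipher suite order.

```powershell
# Added example, not from the original post.
# $SuiteName is a placeholder: set it to the suite your server requires.
param(
    [string]$SuiteName = 'TLS_PLACEHOLDER_SUITE_NAME'
)

# The three updates named in the article.
$kbs = 'KB3161639', 'KB3161608', 'KB3172605'
$installed = @(Get-HotFix | Where-Object { $kbs -contains $_.HotFixID })

# Read the "Functions" value; it may be one comma-separated string
# or a multi-string, so normalise both into a clean list.
function Get-SuiteOrder([string]$Path) {
    $item = Get-ItemProperty -Path $Path -Name Functions -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    @($item.Functions) -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

# Order set by "SSL Cipher Suite Order" in Group Policy, if configured.
$policyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
# Order the OS (and its updates) ships with.
$defaultPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

$policy = @(Get-SuiteOrder $policyPath)
if ($policy.Count) { $order = $policy; $source = 'Group Policy' }
else               { $order = @(Get-SuiteOrder $defaultPath); $source = 'local default' }

# Older Windows releases append a curve suffix (for example _P256),
# so match on the prefix instead of the exact string.
$pos = -1
for ($i = 0; $i -lt $order.Count; $i++) {
    if ($order[$i] -like "$SuiteName*") { $pos = $i; break }
}

"Installed updates : " + (($installed | ForEach-Object { $_.HotFixID }) -join ', ')
"Order source      : $source ($($order.Count) suites)"
if ($pos -ge 0) { "Suite position    : $($pos + 1) of $($order.Count) ($($order[$pos]))" }
else            { "Suite position    : not present in the effective order" }
"Suites ahead of it:"
if ($pos -gt 0) { $order[0..($pos - 1)] }
```

Run it from an elevated or standard PowerShell prompt on the affected workstation; a policy change only shows up as the order source after the policy has been applied and the machine restarted.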

Matt Ouellette is a certified information technology professional residing in Southwest Michigan. His technology findings and advice can be found on his PacketPilot blog. Mr. Ouellette spent 4 years as an I.T. Technician before stepping into a Network Engineer role at Bronson Health Group. Since completing his Associates Degree in Network Administration Matt has taken a head on approach to career enrichment through obtaining credentials such as CCNP, CCNA Voice, MCSA: Server 2008, and VCP5. This passion for continued learning allows him to deliver up to date quality technical solutions.

Permanent link to this article: http://www.packetpilot.com/ms-kb-31616393161608-break-cucm-uccx-web-access/