03-30-2013 11:04 PM
Hi,
As part of my business' PCI compliance regime, we are regularly scanned for vulnerabilities. Today we started getting notifications of failure on all of the QuickVPN ports (443, 60443) for the following:
Details: Multiple Vendor TLS Protocol Session Renegotiation Security Vulnerability
06/11/12
CVE 2009-3555
Multiple vendors TLS protocol implementations are prone to a security vulnerability related to the session-renegotiation process which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context.
Cisco, will you be issuing a firmware update to address this anytime in the near future? Presumably it affects all the other RV routers as well.
03-30-2013 11:06 PM
Bonus points for a setting to disable QuickVPN entirely.
04-01-2013 11:29 AM
To disable QuickVPN completely, you can probably set up a static route to do that.
04-01-2013 02:13 PM
Hi Mike,
I did a scan against the RV042G looking for which methods it can negotiate at for the SSL/TLS connections and some of them are below 256 bits. At this time I am not aware of any plans to change this. However, if you were to open a case with Cisco Small Business by calling 1-866-606-1866 we could open a service request based on the PCI issues you are seeing and request development to look further into the SSL/TLS negotiation process. Be sure to let the engineer you speak with know about this forum post.
Thanks,
Jason Nickle
02-23-2018 06:13 AM
Ok, just now 2/23/18 talked to Cisco Small Business support under Case ID: 684027960 and was advised by the engineer, Carlos, that NO Cisco Small Business devices will be PCI compliant. Only the enterprise units will be.
Told them that I am sorry, but after selling Cisco stuff for 29 years we must sever our relationship for SBS products and find another vendor.
Thanks Cisco!!
Tell me small shops are gonna buy your enterprise products!! Bulls*&$!
That's the official word!