cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1992
Views
0
Helpful
4
Replies

RV042 TLS Security Scan Failure

Mike Silva
Level 1
Level 1

Hi,

As part of my business' PCI compliance regime, we are regularly scanned for vulnerabilities.  Today we started getting notifications of failure on all of the QuickVPN ports (443, 60443) for the following:


Details: Multiple Vendor TLS Protocol Session Renegotiation Security Vulnerability


06/11/12

CVE 2009-3555

Multiple vendors TLS protocol implementations are prone to a security vulnerability related to the session-renegotiation process which allows man-in-the-middle attackers to insert data into HTTPS sessions,

and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context.

Cisco, will you be issuing a firmware update to address this anytime in the near future?  Presumably it effects all the other RV routers as well.

4 Replies 4

Mike Silva
Level 1
Level 1

Bonus points for a setting to disable QuickVPN entirely.

SamirD
Level 5
Level 5

To disable QuickVPN completely, you can probably set up a static route to do that.

Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com

janickle
Level 1
Level 1

Hi Mike,

I did a scan against the RV042G looking for which methods it can negotiate at for the SSL/TLS connections and some of them are below 256bits.  At this time I am not aware of any plans to change this.  However, if you were to open a case with Cisco Small Business by calling 1-866-606-1866 we could open a service request based on the PCI issues you are seeing and request development to look further into SSL/TLS negotiation process.  Be sure to let the engineer you speak know about this forum post.   

Thanks,
Jason Nickle

Ok just now 2/23/18  talked to cisco small business support under Case ID:  684027960  and was advised by the engineer Carlos, that NO Cisco Small business devices will be PCI compliant.  Only the enterprise units will be.

 

told them that I am sorry but after selling cisco stuff for 29 years that we must sever our relationship for SBS products and find another vendor. 

 

Thanks Cisco!!

 

Tell me small shops are gonna buy your enterprise products!!  Bulls*&$!

 

That's the official word!