Looks like the RV042G needs another firmware updates as the units we have in the field are now not passing PCI DSS Scans. Dealing with the compliance scanning companies, they are telling me that the firmware is the way to fix this. Here are the errors reported:
Cross-site scripting vulnerability in portalname parameter to /cgibin/userLogin.cgi - FAIL
Description: Several types of web servers and CGI programs include the user's request in their response. For example, a request for the page http://server/nonexistent_page.html may cause server to respond: The page nonexistent_page.html does not exist on this server.
Response splitting vulnerability in portalname parameter to /cgibin/userLogin.cgi - FAIL
Description: Some programs on web servers place user- supplied parameters into certain HTTP headers.
I am using port 443 for remote access to the devices. Moving the port simply changes the reported failure to that port. Any suggestions or has anyone heard for a firmware update coming soon for this device?
The failure i am getting for PCI compliance is that the SSL Keylength is to short (1024 bits instead of the required 2048 bits) the error is comming on port 60443 (The port used by quickvpn - a service I am not using)
Unfortunately I do not think Cisco is going to do anything about this. I have emailed my sales support contact (no response), called tech support (clueless on when or if there will be a firmware update - the only way to fix this) and posted here (no response from Cisco).
With that said, we have begun a transition away from Cisco Small Business gear. While this is disappointing for us, supporting their router platform is just not a priority for them (or so it seems).
If we get lucky, maybe a new firmware will drop. Fingers crossed!
If I find or get more information I will post back here (please do the same).