Failing PCI Compliance Scan - SSL Weak...

cwaroquet
Beginner

Hello,

I currently use the WRVS4400n v2 (latest update) for my small business. I store and transmit data that contains credit card information and need to be PCI compliant. Regardless of which settings I change on the router, like turning off remote management, I keep failing the scan. ControlScan uses Nessus and the results are below (2 vulnerabilities).

I did some research and spent some time with Cisco Sales Chat and they recommended an ASA5500, only to realize that it too had the same vulnerabilities. I did more research and it seemed that the SA520w (I need wireless) would do it, but I found a thread on this forum saying that a client who had the SA520w did not pass the scan due to an SSL vulnerability (need v3+ ?). The thread is at https://supportforums.cisco.com/thread./2060512

Question: What router/appliance should I use to be PCI compliant? There has to be something; we're talking about Cisco here.

Thank you in advance for your help,

Christophe

--------------------------------------------------------------------------------------------

Threat ID: 126928

Details:

IP Address: XX.XXX.X.XXX
Host: XX.XXX.X.XXX
Path:

THREAT REFERENCE

Summary:
SSL Weak Cipher Suites Supported

Risk: High (3)
Type: Nessus
Port: 60443
Protocol: TCP
Threat ID: 126928

Information From Target:
Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC2-CBC-MD5            Kx=RSA(512)   Au=RSA     Enc=RC2(40)      Mac=MD5    export    
EXP-RC4-MD5                Kx=RSA(512)   Au=RSA     Enc=RC4(40)      Mac=MD5    export    

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}

Solution:
Reconfigure the affected application if possible to avoid use of weak ciphers.

Details:

The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.

-------------------------------------------------------------------------------------------

Threat ID: 142873

Details:

IP Address: XX.XXX.X.XXX

Host: XX.XXX.X.XXX

Path:

THREAT REFERENCE

Summary:
SSL Medium Strength Cipher Suites Supported

Risk: High (3)
Type: Nessus
Port: 60443
Protocol: TCP
Threat ID: 142873

Information From Target:
Here are the medium strength SSL ciphers supported by the remote server :

Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv2
DES-CBC-MD5                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=MD5   
SSLv3
DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1  
TLSv1
DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1  

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}

Solution:
Reconfigure the affected application if possible to avoid use of medium strength ciphers.

Details:

The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.


Jasbryan1
Beginner

Chris,

As I understand it, right now none of the Small Business routers are PCI compliant, ever since PCI 3.0 was released. How you overcome this: you'll need to forward any ports you are failing on to a ghost IP. A ghost IP is any IP address that isn't being used. If you are using those ports, then you will lose that service, as the router isn't PCI 3.0 compliant.

Jason

I do believe the ASA5505 are PCI 3.0 Compliant.

Thank you Jason for your very helpful answer.

I use the router and remote login via VPN and I think (although I need to make sure) the failing port (60443) is used for VPN so that would not work. I checked the ASA5505 and the price seems reasonable so I will give it a try. Any suggestion on where to buy and get support in case I need it?

Thanks again,

Christophe
