Problem with Security Cert. /PCI Compliance Problems.

Unanswered Question
Jul 21st, 2011

We recently replaced an older RV042 router with a brand new RV042 v3 in the office. Shortly thereafter, we started failing our PCI compliance scans from SecurityMetrics. Basically, in order to stay "verified secure", SecurityMetrics just routinely scans our public IP address for security vulnerabilities because we handle some sensitive information in our organization. The scan results are as follows:

Security Vulnerabilities
Protocol: TCP   Port: 443   Program: https   Risk: 4
Synopsis: The remote service supports the use of anonymous SSL ciphers.
Description: The remote host supports the use of anonymous SSL ciphers. While this enables an administrator to set up a service that encrypts traffic without having to generate and configure SSL certificates, it offers no way to verify the remote host's identity and renders the service vulnerable to a man-in-the-middle attack.
Note: This is considerably easier to exploit if the attacker is on the same physical network.
See also: http://www.openssl.org/docs/apps/ciphers.html
Solution: Reconfigure the affected application if possible to avoid use of weak ciphers.
Risk Factor: Medium / CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

Protocol: TCP   Port: 443   Program: https   Risk: 4
Synopsis: The remote service supports the use of medium strength SSL ciphers.
Description: The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
Note: This is considerably easier to exploit if the attacker is on the same physical network.
Solution: Reconfigure the affected application if possible to avoid use of medium strength ciphers.
Risk Factor: Medium / CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)



Whenever I go to log on to the router with a browser (IE, Firefox, Chrome), I get a warning that there is a problem with the security certificate and I have to add an exception in order to view the page. I think these two problems are somehow related but I haven't found a solution yet.

SecurityMetrics support pretty much said it's not their problem and to contact the router mfg. instead.

Any suggestions?

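The two findings above are defined by the scanner in terms that map directly onto what `openssl ciphers -v` prints for each suite: "anonymous" means the suite does no server authentication (`Au=None`, the ADH/AECDH families), and "medium strength" means a symmetric key of at least 56 and under 112 bits. The script below is an added example, not code from this thread, from Cisco or from SecurityMetrics. It parses that `openssl ciphers -v` column layout (the sample lines are constructed to match it), bins each suite the way the scan report does, and prints the `openssl s_client` one-liners you would run against your own public IP to confirm which of those suites the router actually negotiates. The host `192.0.2.1` is a documentation address standing in for your WAN IP.

```python
"""Bin OpenSSL cipher suites the way a PCI scanner (Nessus-style) reports them.

Findings:
  anonymous - no server authentication (Au=None), e.g. ADH-* / AECDH-* suites
  low       - symmetric key length below 56 bits (export suites, NULL encryption)
  medium    - 56 <= key length < 112 bits (the scanner's stated definition)
Suites at 112 bits and above raise no finding.
Input is the `openssl ciphers -v` line format.
"""
import re
import shlex

# Constructed sample in the column layout of `openssl ciphers -v 'ALL:COMPLEMENTOFALL'`
# (not captured from any real device).
SAMPLE_CIPHERS_V = """\
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None  Enc=AES(256)  Mac=SHA1
AECDH-AES128-SHA        TLSv1 Kx=ECDH     Au=None  Enc=AES(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA   Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA   Enc=RC4(40)   Mac=MD5  export
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA   Enc=RC4(128)  Mac=MD5
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA   Enc=3DES(168) Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA   Enc=AES(128)  Mac=SHA1
NULL-SHA                SSLv3 Kx=RSA      Au=RSA   Enc=None      Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256) Mac=AEAD
"""

# One `openssl ciphers -v` line: name proto Kx=.. Au=.. Enc=ALG(bits) Mac=..  [export]
_LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[A-Za-z0-9]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
)


def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` output into dicts; lines that don't match are skipped."""
    suites = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["bits"] = int(d["bits"]) if d["bits"] else 0  # Enc=None -> 0-bit "encryption"
        suites.append(d)
    return suites


def strength_class(bits):
    """Scanner's key-length bins: <56 low, 56..111 medium, >=112 strong.
    Note 3DES is listed by OpenSSL as 168 bits, so it lands in 'strong' under this rule
    even though its effective strength is 112."""
    if bits < 56:
        return "low"
    if bits < 112:
        return "medium"
    return "strong"


def findings_for(suite):
    """Set of scanner findings one suite would trigger (a suite can trigger both)."""
    found = set()
    if suite["au"] == "None":
        found.add("anonymous")
    cls = strength_class(suite["bits"])
    if cls != "strong":
        found.add(cls)
    return found


def scan_report(suites):
    """Group suite names by finding, the shape of the SecurityMetrics/Nessus summary."""
    report = {"anonymous": [], "low": [], "medium": []}
    for s in suites:
        for f in findings_for(s):
            report[f].append(s["name"])
    return report


def probe_commands(host, port, names):
    """Commands to confirm each flagged suite against the live service; a successful
    handshake (the command prints a 'Cipher    :' line and no 'handshake failure')
    means the scanner's finding is real."""
    return [
        f"openssl s_client -connect {host}:{port} -cipher {shlex.quote(n)} < /dev/null"
        for n in names
    ]


if __name__ == "__main__":
    catalog = parse_ciphers_v(SAMPLE_CIPHERS_V)
    report = scan_report(catalog)
    for finding, names in report.items():
        print(f"{finding}: {', '.join(names) or '-'}")
    flagged = report["anonymous"] + report["low"] + report["medium"]
    for cmd in probe_commands("192.0.2.1", 443, flagged):
        print(cmd)
```

Feed the script real output from `openssl ciphers -v 'ALL:COMPLEMENTOFALL'` instead of the constructed sample to get the full list of suites the scanner could complain about, then run the printed `s_client` probes against the WAN address. One caveat when you read vendor release notes or cipher strings: OpenSSL's own `LOW`/`MEDIUM`/`HIGH` keywords are not the scanner's bins (OpenSSL's `MEDIUM` is 128-bit suites such as RC4-128), so a device that says it "disabled medium-strength ciphers" has to be checked with the probes above rather than taken at its word. After the admin HTTPS service is turned off on the WAN side, as the replies below recommend, the same `s_client` command should fail to connect at all, which is the cleanest result to hand back to the scanner.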
David Carr Thu, 07/21/2011 - 13:51

Tyson,

Make sure that administration to the router via https is turned off.  Then turn off remote management and remote vpn options.

After that you should pass the pci compliance scan.

hpchadmn67 Thu, 07/21/2011 - 14:02

Can you tell me where that setting is located? I had thought of that before but never found an option to disable it.

::edit::

Setting for disabling https admin, that is.

Te-Kai Liu Thu, 07/21/2011 - 14:43

According to the release notes, firmware 4.0.3.03 has resolved this issue.

"Disabled support for low- and medium-strength ciphers (for example, 128 bits or shorter) for SSL encryption."

jasbryan Thu, 07/21/2011 - 14:50

Tyson,

Under firewall tab,

Make sure remote management is disabled.

Now disable HTTPS

Save settings.

Thanks,

Jasbryan

Cisco Support Engineer

.:|:.:|:.

hpchadmn67 Fri, 07/22/2011 - 06:35

Thanks. I will try simply disabling the https first and if that doesn't work, I'll upgrade the firmware.

I can't run a scan on demand so I'll have to wait a few days until the next one runs.

Posted July 21, 2011 at 1:27 PM