Cisco RV320 remote management fails PCI compliance

jacob_gur
Level 1

Cisco RV320 remote management (port 443) fails PCI compliance by a major PCI compliance vendor (Trustwave).

 

Failing issues:

  1. SSLv2 supported (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2969)
  2. HTTP Trace/Track methods enabled (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2320, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0386)
  3. HTTP Server Overlapping Byte-Range Denial of Service (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3192)

 

Other serious issues:

1. Auto-Completion Enabled for Password Fields

2. SSL certificates with a public key of less than 2048 bits are more susceptible to man in the middle attacks (Yes, I can create a new certificate with >= 2048 bits, but the default self-signed cert should be at least 2048)

Accepted Solution

Michal Bruncko
Level 4

If you still have a valid warranty for your RV320 device, I would suggest you address those issues directly to the Small Business Support Center (SBSC) via their customer service system. As those are security-related concerns AND the RV320 is not on the EoL list in the meantime, I hope that this could be addressed and fixed in future firmware releases for this device.

I am afraid that nobody else on this forum could move your question forward here, as those options are not configurable (at least not officially) and must be fixed at the firmware level only. You have to use official channels to get this corrected.


9 Replies


Thanks Michal. I was not aware of that process. I thought Cisco product people read these forums. So I'll plan to contact them as you advised.

Hi Jacob,

Yes, some of them read forum content and discussions, and they are mostly very helpful. But they focus mainly on configuration-related issues, not firmware-related issues like yours. Yes, they probably read your post, but without the additional official customer support channel they wouldn't do anything, as per their internal rules.

SamirD
Level 5

Almost all routers fail any major PCI compliance standards. There is only one router that I know of that has passed all PCI compliance and that one is made by Mako Networks.

Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com

The RV320 router passed PCI compliance the last time we were tested 2 months ago with remote management enabled. It only failed in this last test. The failing issues which I posted above seem pretty straightforward for Cisco to fix.

Were you on a different firmware then?


Yes, I recently updated the firmware from 1.1.1.06 to 1.1.1.19.

:( This is a case of one fix breaking another.

As a temporary workaround, if the previous firmware passed compliance, I would revert to that firmware until a new update comes out with the fix for the current firmware's issue.


tsp123456
Level 1

Had this same problem too, even with the newer firmware 1.2.1.14.

Somehow it appears that unchecking the box for Remote Management in the UI still doesn't truly block access to port 443 on the WAN; it merely blocks access to the UI?

Our solution was to disable remote management and, importantly, create a DENY firewall rule for the WAN port scanned by Trustwave that specifically blocks port 443.

Look at page 79 of the admin guide.
Obviously, this may have to be done from the intranet side, since this disables remote management and port 443 too; so be sure you have access to the device from another port.