Failing PCI Compliance Scan - SSL Weak...

Hello,

I currently use the WRVS4400n v2 (latest update) for my small business. I store and transmit data that contains credit card information and need to be PCI compliant. Regardless of which settings I change on the router, like turning off remote management, I keep failing the scan. ControlScan uses Nessus and the results are below (2 vulnerabilities).

I did some research and spent some time with Cisco Sales Chat and they recommended an ASA5500 only to realize that it too had the same vulnerabilities. I did more research and it seemed that the SA520w (I need wireless) would do it but I found a thread on this forum saying that a client who had the SA520w did not pass the scan due to an SSL vulnerability (need v3+ ?). The thread is at https://supportforums.cisco.com/thread./2060512

Question: What router/appliance should I use to be PCI compliant? There has to be something; this is Cisco we're talking about.

Thank you in advance for your help,

Christophe

--------------------------------------------------------------------------------------------

Threat ID: 126928

Details:

IP Address: XX.XXX.X.XXX
Host: XX.XXX.X.XXX
Path:

THREAT REFERENCE

Summary:
SSL Weak Cipher Suites Supported

Risk: High (3)
Type: Nessus
Port: 60443
Protocol: TCP
Threat ID: 126928

Information From Target:
Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC2-CBC-MD5            Kx=RSA(512)   Au=RSA     Enc=RC2(40)      Mac=MD5    export    
EXP-RC4-MD5                Kx=RSA(512)   Au=RSA     Enc=RC4(40)      Mac=MD5    export    

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}

Solution:
Reconfigure the affected application if possible to avoid use of weak ciphers.

Details:

The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.

-------------------------------------------------------------------------------------------

Threat ID: 142873

Details:

IP Address: XX.XXX.X.XXX

Host: XX.XXX.X.XXX

Path:

THREAT REFERENCE

Summary:
SSL Medium Strength Cipher Suites Supported

Risk: High (3)
Type: Nessus
Port: 60443
Protocol: TCP
Threat ID: 142873

Information From Target:
Here are the medium strength SSL ciphers supported by the remote server :

Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv2
DES-CBC-MD5                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=MD5   
SSLv3
DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1  
TLSv1
DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1  

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}

Solution:
Reconfigure the affected application if possible to avoid use of medium strength ciphers.

Details:

The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
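As an added example (not code from the original thread or from Cisco), here is a small Python parser for the cipher lines quoted in the two Nessus findings above. It reads the OpenSSL-style columns (ciphername, Kx, Au, Enc, Mac, export flag), sorts each cipher into the scan's own key-length bands (low below 56 bits, medium from 56 to 111 bits) and reports why each entry would keep a scan failing; the sample input is constructed from the output shown above.

```python
import re
from dataclasses import dataclass

# Constructed sample: the cipher lines from the two findings above, in the
# OpenSSL "ciphers -v" column layout that Nessus reproduces in its output.
NESSUS_CIPHER_LINES = """\
SSLv2
EXP-RC2-CBC-MD5            Kx=RSA(512)   Au=RSA     Enc=RC2(40)      Mac=MD5    export
EXP-RC4-MD5                Kx=RSA(512)   Au=RSA     Enc=RC4(40)      Mac=MD5    export
SSLv2
DES-CBC-MD5                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=MD5
SSLv3
DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1
TLSv1
DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1
"""

# One cipher line: name, Kx=..., Au=..., Enc=ALG(bits) or Enc=None, Mac=..., optional "export".
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[A-Za-z0-9-]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
    r"(?P<export>\s+export)?\s*$"
)
PROTO_RE = re.compile(r"SSLv2|SSLv3|TLSv1(?:\.\d)?")

@dataclass
class Cipher:
    protocol: str; name: str; kx: str; au: str; enc: str; bits: int; mac: str; export: bool

def strength(bits: int) -> str:
    """Nessus bands: low (< 56-bit key), medium (>= 56 and < 112), otherwise strong."""
    return "low" if bits < 56 else "medium" if bits < 112 else "strong"

def parse_nessus_ciphers(text: str) -> list:
    """Parse the quoted finding into Cipher records; protocol header lines set the context."""
    ciphers, protocol = [], "?"
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if PROTO_RE.fullmatch(line):
            protocol = line
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised cipher line: {line!r}")
        bits = int(m["bits"]) if m["bits"] else 0  # Enc=None means no encryption at all
        ciphers.append(Cipher(protocol, m["name"], m["kx"], m["au"], m["enc"],
                              bits, m["mac"], bool(m["export"])))
    return ciphers

def failing_findings(ciphers: list) -> list:
    """(protocol, name, reason) for every cipher the scan would still report."""
    out = []
    for c in ciphers:
        reasons = []
        if strength(c.bits) != "strong":
            reasons.append(f"{strength(c.bits)}-strength {c.enc}({c.bits})")
        if c.export:
            reasons.append("export-grade key exchange")
        if reasons:
            out.append((c.protocol, c.name, "; ".join(reasons)))
    return out
```

Running `failing_findings(parse_nessus_ciphers(NESSUS_CIPHER_LINES))` lists all five entries, so a remediation is only complete when the same output comes back empty.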

2 REPLIES
New Member

Re: Failing PCI Compliance Scan - SSL Weak...

Chris,

As I understand it, right now none of the Small Business routers are PCI compliant, ever since PCI 3.0 was released. How you overcome this: you'll need to forward any ports you are failing on to a ghost IP (any IP address that isn't being used). If you are using those ports, then you will lose that service, as the router isn't PCI 3.0 compliant.

Jason

I do believe the ASA5505 are PCI 3.0 Compliant.

New Member

Re: Failing PCI Compliance Scan - SSL Weak...

Thank you Jason for your very helpful answer.

I use the router and remote login via VPN and I think (although I need to make sure) the failing port (60443) is used for VPN so that would not work. I checked the ASA5505 and the price seems reasonable so I will give it a try. Any suggestion on where to buy and get support in case I need it?

Thanks again,

Christophe
