We have a Cisco RV-042 Small Business router and our PCI scans flagged it as being vulnerable to CVE-2014-0224 (CCS Injection/Man-in-the-Middle). It appears to be another OpenSSL vulnerability.

We have the latest firmware (Apr 2014) installed, but can't wait around forever for Cisco to fix. So I have a few questions:

1) There is an option to disable SSL on the router. Does anyone know what the effects of this are? Does this only impact the web admin, or would VPN also be impacted?

2) Cisco seems to have fallen over a cliff on support of their products. What alternatives have you had success with that provide regular firmware updates (especially for PCI/Security related issues) and good support for their products?

Sam
    It's still ["currently under investigation"](http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl)?! That _is_ slow. – Michael Hampton Oct 20 '14 at 15:02
  • Also... exactly _what_ on the router was flagged? – Michael Hampton Oct 20 '14 at 15:11
  • "The version of OpenSSL running on this host is vulnerable to a man in the middle attack due to the improper handling of ChangeCipherSpec messages. This vulnerability can allow remote attackers the ability to read and inject messages within client connections." They go on to mention remediation: "This issue was fixed in OpenSSL versions 0.9.8za, 1.0.0m, and 1.0.1h. It is strongly recommended to install the newest, stable version of OpenSSL." Unfortunately, Cisco has been slow to patch the new version of OpenSSL into their firmware. – Sam Oct 20 '14 at 15:19
  • Exactly what was flagged: tcp/443, tcp/60443 – Sam Oct 20 '14 at 15:21
  • You need to turn off remote administration of the router as a stop-gap measure, to take care of port 443. I dunno what's on port 60443. – Michael Hampton Oct 20 '14 at 15:21
  • Remote management is already disabled. – Sam Oct 20 '14 at 15:23
  • Then you shouldn't have seen port 443 open on an external scan. Are you scanning internally? Tell us what's really going on here. – Michael Hampton Oct 20 '14 at 15:24
  • Trustwave is set up to scan our data center IP addresses and the company IP address. The Cisco RV-042 router plugs directly into the Internet, so it is what is being scanned when they hit our company IP, correct? – Sam Oct 20 '14 at 15:28
  • Maybe, maybe not. Did you forward port 443 somewhere? – Michael Hampton Oct 20 '14 at 15:30
  • There is no port forwarding set up on the router. There are no servers on the network that are available to the outside world. – Sam Oct 20 '14 at 15:36
  • OK, so the big questions you need to answer are: What is answering on port 443 on your IP address? And, perhaps more importantly, why is your RV042 in scope anyway? Are you even processing cardholder data there? – Michael Hampton Oct 20 '14 at 15:38
  • Pretty sure it is the RV-042 that is answering the request. It prompts for a certificate when you hit the IP, but then immediately shuts off the connection after you accept the certificate. When remote management is enabled, you get the admin screen. The RV-042 is in scope because our customer service reps take phone orders and enter in payment data, bringing our office network into scope. – Sam Oct 20 '14 at 15:42
  • I guess that only leaves you with the nuclear option. Replace it. – Michael Hampton Oct 20 '14 at 15:42
  • Which was the reason for question #2! :) I just don't want to slap in another Cisco product and be stuck in a corner again. Are there other brands that offer the functionality/reliability, but also keep up with firmware and provide decent service? Not looking for a "so-and-so is best", just some alternatives that people have had success with. – Sam Oct 20 '14 at 15:46

1 Answer

I propose for now that you:

  1. Ensure that remote administration of the RV-042 is actually disabled.
  2. Dispute the finding with Trustwave and cite that you have a compensating control, namely, that all connections to those ports are immediately dropped.

In the long term you should probably find another router, the software for which is better supported by its manufacturer. (I'm not going to make any recommendations, though.)

Michael Hampton
  • So, last night after hours I disabled HTTPS on the router. I was a little hesitant to do it because I couldn't find any documentation on what issues it might cause (e.g. - breaking VPN, messing up HTTPS for web clients, etc). VPN still works and nothing seems to be broken, so it appears that it was only there for the Remote Administration. I re-ran the Trustwave scan and it came back clean. – Sam Oct 21 '14 at 14:52
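To verify the stop-gap the answer proposes (nothing on the flagged ports completes a TLS handshake from outside), here is an added example in Python; it is not code from the question, the answer, Cisco or Trustwave. The classification names, the `audit` helper and the local "accept then drop" listener used to stand in for the router are assumptions of this example.

```python
import socket
import ssl
import threading

# Added example (not Cisco, Trustwave or Server Fault code): probe the ports
# the scan flagged and classify what an outside client actually gets back.
CLOSED = "closed"               # connection refused: nothing listening
UNREACHABLE = "unreachable"     # timed out or no route: filtered upstream
DROPPED = "dropped"             # TCP accepted, then cut before TLS completed
HANDSHAKE_OK = "tls-handshake"  # TLS completed: the SSL stack is exposed
FLAGGED_PORTS = (443, 60443)    # ports named in the Trustwave finding

def probe_tls(host, port, timeout=3.0):
    """Classify host:port. Only HANDSHAKE_OK means a TLS stack (and so any
    CCS-injection bug in it) is reachable; DROPPED is the behaviour the
    answer cites as a compensating control."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # we measure exposure, not certificate validity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return CLOSED
    except OSError:              # includes socket.timeout
        return UNREACHABLE
    try:
        with ctx.wrap_socket(raw):   # handshake happens here
            return HANDSHAKE_OK
    except (ssl.SSLError, OSError):  # EOF or reset during the handshake
        return DROPPED

def audit(host, ports=FLAGGED_PORTS):
    """Return {port: classification} for the flagged ports on one address."""
    return {port: probe_tls(host, port) for port in ports}

def start_dropping_listener():
    """Constructed fixture: accept and immediately close every connection,
    mimicking the RV-042 behaviour described in the comments. Returns port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]
```

Run `audit("<your public IP>")` from a host outside the network; anything other than CLOSED, UNREACHABLE or DROPPED on 443 and 60443 means the router's TLS stack is still reachable.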