Cisco CVE-2014-0224 Vulnerability

Sam asked:

We have a Cisco RV-042 Small Business router and our PCI scans flagged it as being vulnerable to CVE-2014-0224 (CCS Injection/Man-in-the-Middle). It appears to be another OpenSSL vulnerability.

We have the latest firmware (Apr 2014) installed, but can’t wait around forever for Cisco to fix. So I have a few questions:

1) There is an option to disable SSL on the router. Does anyone know what the effects of this are? Does this only impact the web admin, or would VPN also be impacted?

2) Cisco seems to have fallen over a cliff on support of their products. What alternatives have you had success with that provide regular firmware updates (especially for PCI/Security related issues) and good support for their products?

My answer:

I propose for now that you:

  1. Ensure that remote administration of the RV-042 is actually disabled.
  2. Dispute the finding with Trustwave and cite that you have a compensating control, namely, that all connections to those ports are immediately dropped.

In the long term you should probably find another router, the software for which is better supported by its manufacturer. (I’m not going to make any recommendations, though.)
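One way to gather evidence for the compensating control cited in the answer, as an added example that is not part of the original answer: run from a host outside the network, it records whether each port completes a TCP handshake, is refused, or is silently dropped. The address `192.0.2.1` is a placeholder and the port list is an assumption; use the WAN address and the ports named in the scan report.

```python
import socket
import sys

WAN_ADDRESS = "192.0.2.1"   # placeholder (documentation range): the router's WAN IP
ADMIN_PORTS = (443, 80)     # assumption: take the real ports from the scan report


def probe(host, port, timeout=3.0):
    """Classify one TCP port as seen from the machine running this script."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"        # handshake completed: the service is reachable
    except socket.timeout:
        return "dropped"     # no reply before the timeout: packets discarded
    except ConnectionRefusedError:
        return "refused"     # RST came back: nothing is listening on the port
    except OSError as exc:
        return "error: %s" % exc   # e.g. no route; not evidence either way
    finally:
        s.close()


def survey(host, ports, timeout=3.0):
    """Probe every port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def exposed(results):
    """Ports where a handshake completed, i.e. the control does not hold."""
    return sorted(p for p, state in results.items() if state == "open")


if __name__ == "__main__":
    results = survey(WAN_ADDRESS, ADMIN_PORTS)
    for port, state in sorted(results.items()):
        print("%s:%d %s" % (WAN_ADDRESS, port, state))
    # Non-zero exit if any port accepted a connection from outside.
    sys.exit(1 if exposed(results) else 0)
```

An "error" result means the probe itself could not be sent and should be re-run from a vantage point with a working route before the output is attached to a dispute.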

View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.