Disabling SSLv3 & early TLS for PCI DSS compliance
PCI Compliance – SSL the time to migrate is now.
For over 20 years Secure Sockets Layer (SSL) has been in the market as one of the most widely-used encryption protocols ever released, and remains in widespread use today despite various security vulnerabilities exposed in the protocol. SSL/early TLS was removed as an example of strong cryptography in PCI DSS v3.1 (April 2015).
SSL v3.0 was superseded in 1999 by TLS v1.0, which has since been superseded by TLS v1.1 and v1.2. Now SSL & early TLS no longer meet minimum security standards due to security vulnerabilities in the protocol for which there are no fixes. It is critically important that entities upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and early TLS.
PCI Compliance – How should businesses respond.
The best response is to disable SSL entirely and migrate to a more modern encryption protocol, which at the time of publication is a minimum of TLS v1.1, although entities are strongly encouraged to consider TLS v1.2 as not all implementations of TLS v1.1 are considered secure.
PCI Compliance – How do I ensure SSLv3.0 is disabled on my LANCOM router.
- If the router has a minimal configuration, upgrade the router to at least LCOS 8.84RU4 or 9.00RU3 (we recommend latest LCOS 10.12RU2 if router is capable), then factory default the router and configure from scratch.
- If the router has an extensive configuration we again recommend to update to the latest firmware possible and then apply the appropriate script found on LANCOM knowledge-base here.
PCI Compliance – Will disabling SSLv3.0 mean LANCOM routers pass PCI DSS compliance scans?
Yes but PCI DSS compliance scans from Approved Scanning Vendors check more than just SSLv3. After June 30, 2018, all entities MUST have stopped use of SSL & early TLS as a security control, and use only secure versions of the protocol. Failure to comply with this instruction will impact ASV scan results and will ultimately negatively impact on PCI compliance. A document on the PCI DSS requirements regarding SSL & early TLS can be read here.
For the convenience of LANCOM resellers looking to future proof their customer’s SSL/TLS settings, as well as pass PCI DSS testing now and into the future, we have formulated a script that will disable every instance of SSL v3.0, TLS v1.0 and TLS v1.1 leaving only the latest TLS v1.2 enabled. This script also locks down other security algorithm settings to ensure LANCOM routers will pass PCI DSS compliance scans.
- Disables SSLv3.0,
- Disables TLSv1.0
- Disables TLSv1.1
- Disables RC4-40, 56, & 128 Crypto-Algorithms
- Disables DES, DES40 & 3DES Crypto-Algorithms
- Disables 3des-cbc & 3des-ctr Cipher Algorithms
- Disables Arcfour, Arcfour 128 & Arcfour 256 Cipher Algorithms
- Disables Blowfish-cbc & Blowfish ctr Cipher Algorithms
- Disables hmac-md5 & hmac sha1 MAC Algorithms
- Disables DH Group 1 & 14 Key Exchange Algorithms
- Disables Diffie Hellman Groups 1 & 5
- Disables *ALL WAN remote access except for SSH
*Note HTTPS WAN remote access can be enabled if a valid SSL certificate from a trusted Certificate Authority is loaded into the router. Even with HTTPS disabled you can still fully manage a LANCOM router over SSH Port 22 using the latest version of LANconfig and the CLI.
How to resume Windows 10 initial setup (OOBE) after a power interruption.
When a new PC running Windows 10 is going through its initial setup routine, also known as the Out Of Box Experience (OOBE), it is susceptible to to corruption of the routine it the unlikely event of a power interruption.
If a power interruption does occur during OOBE then there is a likelihood of the following on screen message being displayed during the next boot. Pressing OK at this state causes the PC reboot but it will show the same error message and so on in a loop.
The problem can be easily fixed by making a small change to a registry key.
The procedure is as follows.
- When the error above appears please press “Shift + F10” to start the Command Prompt.
- At the command prompt type “Regedit” and press ENTER.
- Navigate to “HKEY_LOCAL_MACHINE\SYSTEM\Setup\Status\ChildCompletion”
- In the right hand pane Right Click “setup.exe” and click “Modify”.
- Change the “Value Data” field to 3 and Click “OK”.
- Close the registry editor, close the Command Prompt and Click “OK” on the error message.
- The PC should restart and then commence OOBE again.
Are LANCOM devices affected by the “KRACK” attack on WPA2?
The security loophole named KRACK is a vulnerability in the WPA2-key handshake used for secure communication in Wi-Fi networks. This vulnerability is a man-in-the-middle attack, whereby the key negotiation between a client and an access point is manipulated in such a way that an attacker can intercept the data communication.
There are three possible attack scenarios:
- A vulnerability in the key handshake is exploited at the client end of the connection. In this case, the manufacturer of your client must provide a fix.
- A LANCOM device operated in client mode is also vulnerable to the key-handshake exploit. This scenario is currently being clarified.
- A LANCOM access point is operated as a base station and offers fast roaming (802.11r). In this scenario, LANCOM devices with Wi-Fi are also affected. The default settings for this feature are disabled, which means there is no risk on the LANCOM device side.
LANCOM are currently working on a security update for fast roaming (802.11r) and it will be released as soon as possible. The following describes where you can check to see if you are using fast roaming (802.11r) and, if applicable, how you disable it.
To deactivate fast roaming (802.11r) on a Wi-Fi enabled router or access point, activate the standard settings for “WPA2 key management” for all of the affected SSIDs.
You can adjust this setting in LANconfig under:
“Wireless LAN -> Encryption -> WLAN encryption settings -> Wireless network X”
on the tab “Advanced -> WPA2 key management”
To deactivate fast roaming (802.11r) on a network managed by a WLAN controller, activate the standard settings for “WPA2 key management” for all of the affected SSIDs.
You can adjust this setting in LANconfig under:
“WLAN controller -> Profiles -> Logical WLAN networks (SSIDs)… -> Name of the SSID -> WPA2 key management”.
For more information on the KRACK attack please see the website related to the discovery below.