Re: ReadyNAS Weak Encryption PCI Compliance Fails TLS1.0 & SSLv3

whip313 · ‎2015-08-14

We have two ReadyNas 314 units that host FTPS connections available to the internet. How can we disable TLSv1.0 and SSLv3 as encryption algorithms?

Even though absolutely no credit card data ever passes through these devices or is stored on them, simply having them responding on our network is enough to cause us to fail our PCI compliance scan every time.

TLSv1.0 Supported Medium 5.00 Fail Note to scan customer:

This vulnerability is not recognized in the National Vulnerability

Database. TLS v1.0 violates PCI DSS and is considered an automatic

failing condition.

Insecure Certificate Signature

Algorithm in Use, CVE-2004-

2761

Medium 5.00 Fail

SSL Certificate Public Key Too

Small

Medium 5.00 Fail

SSLv3 Supported, CVE-2014-

3566

Medium 5.00 Fail Note to scan customer:

SSL v3.0 violates PCI DSS and is considered an automatic failing

condition.

All of these conditions are being triggered by the ReadyNAS devices.

Please tell me there is a way to get into the CLI and disable them? If not, we need a new firmware immediately. This is unacceptable.

Danthem · ‎2015-08-14

Sent you a PM

ReadySECURE · ‎2015-08-20

Hi,

Did you get this resolved?

Could you also provide what firmware version you were using during the testing?

ray-sprong · ‎2016-02-12

What was the resolution of the failed compliance issue? I have the same problem with the FVS318V3 running V3.0_28.

JohnRo · ‎2016-02-12

Hello ray-sprong,

Welcome to the community!

Firmware version V3.0._28 is the fix for critical vulnerability issue (SSL/TLX Authentication GAP issue). If yours is not fixed, try a firmware reflash followed by a factory reset and see if it will resolve it.

Let us know.

thanks,