SSL Certificate - Signature Verification Failed Vulnerability - PCI issue with Sonic TZ

I have a client with a SonicWall TZ 205, and we are running into an issue with PCI compliance scans.
Right now we are struggling to resolve a failure with "SSL Certificate - Signature Verification Failed Vulnerability".

Sonic support is clueless - does anyone here have a thought? Thanks in advance!
Greg Mason (Owner) asked:
Blue Street Tech (Last Knight) commented:
Hi Greg,

There could be a few different reasons for this. First off, I'd encourage you to upgrade your firewall to the latest model like a TZ300. It has the technology to actually thwart and protect your network from today's attacks. Security is an ongoing process... it's not a product and there is never a panacea.

Regarding your SSL Cert failure: how are you using SSL Certs in the SonicWALL, e.g. for Remote Management, for VPNs, etc.?

If I were to guess you are probably using it for Remote Management from the WAN (so you can login to the firewall from the WAN). SonicWALL has stopped producing firmware upgrades for your unit since it is EOL (End of Life).

Here is how I'd handle this provided that you are using Remote Management as I assumed...

1. Inspect & identify your current SSL Cert. In Firefox go to your firewall management IP so that the login page appears (make sure HTTPS is explicitly used), then click on the lock icon > Show connection details > More information. The Security dialogue box should pop up like this:
(screenshot: SSL Cert details)
Record (screen capture or the like) the highlighted part or the Encryption Cipher Suite used.

2. I'd download and install the latest available firmware for your unit. Then go to System > Administrative and click Regenerate Certificate under Web Management Settings. Reboot the firewall.

3. Now go & identify the new cert as described in #1 and compare the two Certificates' Encryption Cipher Suite. You should see a change, but if you don't that means the Certificate's Encryption Cipher Suite is tombstoned and, aside from upgrading the unit, the only other solution would be to roll out SSL-VPN w/2FA enabled, management enabled & procure/install a Public CA SSL Cert so that you can manage the firewall from the WAN via the SSL-VPN, which in any case is the best way to manage the firewall from a security standpoint. After you have tested the SSL-VPN WAN management you would then disable WAN management. When your PCI scan comes around again remote management will not exist and you will pass!

Let me know if you have any other questions!
Greg Mason (Owner, Author) commented:
Thanks! I'll try the "regenerate cert" suggestion.

Just an FYI but EOS (END OF SUPPORT) for the TZ205 is 7/2020. LRM (Limited Retirement Mode) for the 205 started last August - the latest version of firmware came out in October of 2017. So not quite end of life, although I agree that a gen 6 unit would be a good investment.
Blue Street Tech (Last Knight) commented:
Technically that is true; however, without firmware releases I see the units as EOL products, because firmware is what includes dire security enhancements such as supporting TLS 1.3, DPI-SSL, etc.
Greg Mason (Owner, Author) commented:
You are right. But in the Sonic world, LRM is a time during which firmware updates continue to be issued - only now they are limited to critical bugs and security vulnerabilities. It's just that no new features are added.

Check https://www.sonicwall.com/en-us/support/product-lifecycle-tables

We are waiting for the new PCI scan to run. Hopefully before hell itself freezes over...
Blue Street Tech (Last Knight) commented:
It will be stable but still new security enhancements will not be added such as support for DPI-SSL (in the case where it is not already) or TLS1.3. DPI-SSL is a security baseline since over 72% of web traffic is not encrypted.

To clarify, Cert Regeneration will only matter in the case where you update the firmware or there is some type of corruption with the cert. If neither of those apply, then deploying SSL-VPN is your only option if you still want to remotely manage the SonicWALL.
Greg Mason (Owner, Author) commented:
Well, hell hasn't quite frozen over, but the PCI scan came back "compliant". Your suggestion seems to have worked! Thanks.

Oh wait - the Pope says there IS no hell anymore....
Question has a verified solution.
