PCI Compliance Failing with Extended Master Secret TLS Extension (TLS Triple Handshake)
06/14/2020
An example of a PCI report that has failed because of the TLS triple handshake finding will look like this:
The Payment Card Industry (PCI) Data Security Standard applies if you intend to accept payments through a payment gateway, such as debit/credit cards. It defines a common industry standard that your firewall should adhere to so that your network remains protected against known vulnerabilities.
The Transport Layer Security (TLS) master secret is not cryptographically bound to important session parameters such as the server certificate. Consequently, an active attacker can set up two sessions, one with a client and another with a server, such that the master secrets on the two sessions are the same. On successful exploitation, the connection becomes vulnerable to a man-in-the-middle attack in which the attacker simply forwards messages back and forth between the client and the server.
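To see why the Extended Master Secret extension (RFC 7627) closes this gap, the following added example (not SonicWall code) derives a TLS 1.2 master secret the classic way (RFC 5246, from the two hello randoms) and the extended way (from the hash of the full handshake transcript), using constructed sample values and a deliberately simplified transcript. When an attacker relays the same randoms and pre-master secret to both sides, the classic derivation yields identical master secrets on both sessions, while the extended derivation does not because each transcript contains a different server certificate.

```python
import hashlib
import hmac


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246, section 5) with P_SHA256: HMAC chaining over label + seed."""
    full_seed = label + seed
    a = full_seed  # A(0) = seed
    out = b""
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + full_seed, hashlib.sha256).digest()
    return out[:length]


def classic_master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246: only the two 32-byte randoms feed the derivation; the certificate does not."""
    return tls12_prf(pre_master, b"master secret", client_random + server_random, 48)


def extended_master_secret(pre_master: bytes, handshake_transcript: bytes) -> bytes:
    """RFC 7627: session_hash (hash of all handshake messages so far, including the
    server Certificate) replaces the randoms, so the secret is bound to the peer."""
    session_hash = hashlib.sha256(handshake_transcript).digest()
    return tls12_prf(pre_master, b"extended master secret", session_hash, 48)


def triple_handshake_check() -> dict:
    """Model the relay: both sides see the same randoms and pre-master secret,
    but each side sees a different server certificate in its transcript."""
    # Constructed sample values; a real handshake uses the negotiated key exchange.
    pre_master = bytes(range(48))
    client_random = b"\x11" * 32
    server_random = b"\x22" * 32
    hellos = b"ClientHello" + client_random + b"ServerHello" + server_random
    transcript_real_server = hellos + b"Certificate:CN=real-server.example"
    transcript_attacker = hellos + b"Certificate:CN=attacker.example"
    classic_a = classic_master_secret(pre_master, client_random, server_random)
    classic_b = classic_master_secret(pre_master, client_random, server_random)
    ems_a = extended_master_secret(pre_master, transcript_real_server)
    ems_b = extended_master_secret(pre_master, transcript_attacker)
    return {
        "classic_master_secrets_equal": classic_a == classic_b,  # True: the sessions collide
        "ems_master_secrets_equal": ems_a == ems_b,  # False: the collision is prevented
        "length": len(ems_a),
    }


if __name__ == "__main__":
    print(triple_handshake_check())
```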
This issue has been reported on SonicOS firmware 126.96.36.199-53n and earlier, and our engineering team is working on it (see the DTS cases below).
Please contact SonicWall Support by calling the support number directly or by logging in to mysonicwall.com > Resources and Support and creating a new case. You may need to attach the PCI report and a Tech Support Report (TSR) to the case.
NOTE: The TSR can be obtained from the SonicWall management page under INVESTIGATE | System Diagnostics.
A hotfix has been released to address this issue; it is provided only through Tech Support and requires the necessary files from the SonicWall device.
For other PCI compliance scan certificate errors, please see the SonicWall KB article: https://www.sonicwall.com/support/knowledge-base/pci-compliance-scan-certificate-errors/170505611400120/
DTS 222714 /Jira : GEN6-1193