Failing PCI Compliance Scan - SSL Weak...

Hello,
I currently use the WRVS4400n v2 (latest update) for my small business. I store and transmit data that contains credit card information and need to be PCI compliant. Regardless of which settings I change on the router, like turning off remote management, I keep failing the scan. ControlScan uses Nessus and the results are below (2 vulnerabilities).
I did some research and spent some time with Cisco Sales Chat, and they recommended an ASA5500, only to realize that it too had the same vulnerabilities. I did more research and it seemed that the SA520w (I need wireless) would do it, but I found a thread on this forum saying that a client who had the SA520w did not pass the scan; it failed due to an SSL vulnerability (need v3+ ?). The thread is at https://supportforums.cisco.com/thread./2060512
Question: What router/appliance should I use to be PCI compliant? There has to be something; we're talking about Cisco here.
Thank you in advance for your help,
Christophe
Threat ID: 126928
Details:
IP Address: XX.XXX.X.XXX
Host: XX.XXX.X.XXX
Path:
THREAT REFERENCE
Summary:
SSL Weak Cipher Suites Supported
Risk: High (3)
Type: Nessus
Port: 60443
Protocol: TCP
Threat ID: 126928
Information From Target:
Here is the list of weak SSL ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC2-CBC-MD5            Kx=RSA(512)   Au=RSA     Enc=RC2(40)      Mac=MD5    export    
EXP-RC4-MD5                Kx=RSA(512)   Au=RSA     Enc=RC4(40)      Mac=MD5    export    
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
Solution:
Reconfigure the affected application if possible to avoid use of weak ciphers.
Details:
The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
Threat ID: 142873
Details:
IP Address: XX.XXX.X.XXX
Host: XX.XXX.X.XXX
Path:
THREAT REFERENCE
Summary:
SSL Medium Strength Cipher Suites Supported
Risk: High (3)
Type: Nessus
Port: 60443
Protocol: TCP
Threat ID: 142873
Information From Target:
Here are the medium strength SSL ciphers supported by the remote server :
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv2
DES-CBC-MD5                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=MD5   
SSLv3
DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1  
TLSv1
DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1  
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
Solution:
Reconfigure the affected application if possible to avoid use of medium strength ciphers.
Details:
The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
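To make the scan output above easier to act on, here is an added example (not from the original thread, and not Cisco's or Nessus's code) that parses the cipher listing from the Nessus "Information From Target" block and classifies each suite with the same key-length thresholds the two plugins use (below 56 bits is low, 56 to 111 bits is medium), while also flagging SSLv2/SSLv3, export suites, the 512-bit temporary RSA key exchange and MD5 MACs. The sample input is the listing pasted in the post, merged into one block; the function and class names (parse_scan, summarize, protocols_to_disable, CipherFinding) are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the "Information From Target" lines quoted in the
# post above (both Nessus findings merged into one listing).
SCAN_OUTPUT = """\
Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC2-CBC-MD5            Kx=RSA(512)   Au=RSA     Enc=RC2(40)      Mac=MD5    export
EXP-RC4-MD5                Kx=RSA(512)   Au=RSA     Enc=RC4(40)      Mac=MD5    export
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv2
DES-CBC-MD5                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=MD5
SSLv3
DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1
TLSv1
DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1
"""

# One cipher line in OpenSSL "ciphers -v" notation, as Nessus prints it:
# {name} Kx={key exchange} Au={authentication} Enc={cipher}({bits}) Mac={mac} [export]
CIPHER_LINE = re.compile(
    r"^(?P<name>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[A-Za-z0-9-]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
    r"(?P<export>\s+export)?$"
)
PROTOCOL_LINE = re.compile(r"^(SSLv2|SSLv3|TLSv1(?:\.\d)?)$")

OBSOLETE_PROTOCOLS = ("SSLv2", "SSLv3")


@dataclass
class CipherFinding:
    protocol: str
    name: str
    kx: str
    au: str
    enc: str
    bits: int      # 0 when the suite offers no encryption (Enc=None)
    mac: str
    export: bool

    @property
    def strength(self) -> str:
        # Same thresholds as the two Nessus plugins quoted in the post.
        if self.bits < 56:
            return "low"
        if self.bits < 112:
            return "medium"
        return "high"

    def reasons(self) -> list[str]:
        """Why a PCI scanner objects to this suite (empty list = acceptable)."""
        out = []
        if self.protocol in OBSOLETE_PROTOCOLS:
            out.append(f"{self.protocol} is obsolete")
        if self.export:
            out.append("export-grade suite")
        if self.kx.startswith("RSA("):
            out.append(f"weak temporary RSA key exchange {self.kx}")
        if self.strength != "high":
            out.append(f"{self.strength} strength: {self.enc} with {self.bits}-bit key")
        if self.mac == "MD5":
            out.append("MD5 MAC")
        return out


def parse_scan(text: str) -> list[CipherFinding]:
    """Parse a Nessus cipher listing; the protocol header above each block is
    attached to every suite in that block."""
    findings: list[CipherFinding] = []
    protocol = "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if PROTOCOL_LINE.match(line):
            protocol = line
            continue
        m = CIPHER_LINE.match(line)
        if not m:
            continue  # section headers and the field legend are skipped
        findings.append(CipherFinding(
            protocol=protocol, name=m["name"], kx=m["kx"], au=m["au"],
            enc=m["enc"], bits=int(m["bits"] or 0), mac=m["mac"],
            export=m["export"] is not None,
        ))
    return findings


def summarize(findings: list[CipherFinding]) -> dict[str, list[str]]:
    """Unique suite names per strength bucket, the way the scan report groups them."""
    buckets: dict[str, set[str]] = {"low": set(), "medium": set(), "high": set()}
    for f in findings:
        buckets[f.strength].add(f.name)
    return {k: sorted(v) for k, v in buckets.items()}


def protocols_to_disable(findings: list[CipherFinding]) -> list[str]:
    """Obsolete protocol versions seen anywhere in the listing."""
    return sorted({f.protocol for f in findings if f.protocol in OBSOLETE_PROTOCOLS})


if __name__ == "__main__":
    found = parse_scan(SCAN_OUTPUT)
    for f in found:
        print(f"{f.protocol:6} {f.name:18} {f.strength:6} {'; '.join(f.reasons())}")
    print("disable:", protocols_to_disable(found))
    print("summary:", summarize(found))
```

Run it with the listing from any Nessus "SSL Weak/Medium Strength Cipher Suites Supported" finding pasted into SCAN_OUTPUT; a device whose management interface is fixable should end up with an empty low and medium bucket and no SSLv2/SSLv3 entries, which is the state the scan needs to see on port 60443.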

Chris,
As I understand it, right now none of the Small Business routers are PCI compliant ever since PCI 3.0 was released. How you overcome this: you'll need to forward any ports you are failing on to a ghost IP (any IP address that isn't being used). If you are using those ports, then you will lose that service, as the router isn't PCI 3.0 compliant.
Jason
I do believe the ASA5505 are PCI 3.0 Compliant.

Similar Messages

  • Rv082 fails PCI compliance test scan

    The rv082 v2 with firmware 2.0.2.01-tm fails PCI compliancy scans for the following vulnerability:
    tcp (tcp/1)
    TCP reset using approximate sequence number
    CVE-2004-0230
    Is there any fix for this?  Configuration change?  Future firmware fix?
    Thanks,
    dr

    Is the self-signed certificate the only certificate on the server? If so, get yourself a certificate from a reliable 3rd-party certificate authority. DigiCert's a good source, and a lot less expensive than others (like VeriSign).
    You're always going to have the self-signed cert on the server, but the only place it will be used is for intra-organizational SMTP sessions.
    --- Rich Matheisen MCSE&I, Exchange MVP

  • PCI compliance scans failed with Sophos UTM

    From one of my training guides

    We have a Sophos UTM and use some RED devices at a few remote offices. We have just completed our quarterly PCI compliance scans and we are failing now due to port 3400 accepting SSL RC4 Cipher Suites. I've opened a ticket with Sophos' support to see if they could provide documentation that this is a false positive or provide some other solution. Their response thus far has been advising us to make a feature request @ feature.astaro.org. Obviously not the response we are looking for. My question is has anyone run into something like this before? How did you address the issue? My only thought at this point is to replace the RED devices at the remote offices and utilize another type of vpn. This is not the most desirable option as it means flying someone out to the remote offices and a network restructure. If anyone has some better...
    This topic first appeared in the Spiceworks Community

  • Upgrade firmware for PCI compliance scan

    I have a WRT54G ver. 5 wireless router running ver. 1.02.0 firmware. I'm anticipating a PCI compliance scan which my bank requires since I transmit credit card numbers from here for my online business. I'm wondering if I should upgrade to the latest firmware version (1.02.6) before the scan. The router is working fine and I'm a great believer in not fixing things if they aren't broken. Does the upgrade make security improvements (which I should have) or just fix problems (which I don't have)?

    If the router is upgraded with the latest firmware, it resolves many problems. So if you get some time, you may upgrade the firmware.

  • ISA500 series PCI compliance scans

    We have a single customer who's having a problem with their credit card PCI vendor, First Data, scanning their ISA550W running 1.2.15.  Of all my customers with an ISA500 series device, this is the only customer who has had a PCI vendor tell them they cannot run their scans and that they must whitelist an entire /24 to allow the scans to continue.  The only open port is an encrypted remote support port and there are no other ACLs in place to block anything other than the defaults that ship with the ISA.  Anyone have any ideas why the First Data would have a problem with the ISA550W?

    Thanks for your reply.  First Data http://biz.yahoo.com/ic/14/14441.html well, what can you say, they're big bully and in this case you have to love what ended up being the problem.  First Data sent this to the customer:
    This is an automated email to notify you that a PCI vulnerability scan of the IP  addresses or domains used by CUSTOMER NAME could not be completed. This scan  is included as part of your PCI Rapid Comply services.
    Please confirm  that the following IP addresses or domains are the ones you use for the  transmission of cardholder data. Unless you have paid extra to your Internet  Service Provider to get a "static" IP address, your IP address may have  changed.
    xxx.xxx.xxx.xxx
    Also, please make sure you have added the  following IP addresses to your firewall (and/or IDS/IPS) whitelist:
    38.123.140.0/24 for the duration  of your PCI scan. If another department within your organization (or a vendor)  manages your firewall and IDS/IPS, please make them aware of this scan and  request that the above IP addresses are temporarily added to the  whitelist.
    You need to have a passing PCI scan to be compliant.  Therefore, once you have confirmed that the target hosts are correct and that  your firewall and IDS/IPS whitelist allows access by 38.123.140.0/24, please schedule  another PCI scan of the networks used to process, transmit, or store cardholder  data.
    Thank you,
    First Data PCI Rapid Comply Support Team
    [email protected]
    As you stated, what these fools don't seem to get is that by whitelisting their IPs any outside network scan (this isn't done by an internal software scanner but from their remote network) becomes moot.  I tried explaining to their trained monkey that the proper behavior for a firewall that detects remote scans is to block those scans.  The guy kept reading to me off his 3"x5" index card (I'm sure it wasn't a card, but you get my drift).  He clearly had never even seen a firewall, let alone managed a network.
    After a couple hours of bouncing around inside First Data and shaking limbs, my customer got a call back from their account rep who stated that they were totally PCI compliant and that the e-mail was BOGUS!  The e-mail was sent out just after 10AM Sunday, 23 June 2013 and we were notified 24 hours later.  So 26 hours later this company who prides itself on being one of the biggest CC processing companies out there is too lazy to send a follow-up e-mail admitting they sent out false notifications wasting their customers' time and mine.  I asked their media rep who called me back about 3 hours after I got the call from the customer, "who gets the bill for my time?"  She had no answer.  Hopefully the lawsuits pending against PCI and CC processors will have a chilling effect on their strong arm tactics and their clueless PCI scans.

  • PCI compliance, need to disable SSL version 2

    I'm running OS X 10.7.2 and I recently failed my PCI compliance scan.  I was informed that I have SSLv2 and SSLv3 and that I need to disable SSLv2.  The company that performs the scan says that they can't help me do it and that I should call my ISP, ATT Uverse.  I've done this and spent several hours being bounced around and they don't seem to understand what I'm talking about or how to fix it.  So... my question is how can I disable SSLv2?? I'm not very "code" savvy, so if you could walk me through the steps that would be very helpful.  I really don't want to try tech support with ATT again!  TIA

    Launch the Terminal application by entering the first few letters of its name into a Spotlight search. Drag or copy -- do not type -- the following line into the window, then press return:
    launchctl list | sed 1d | awk '!/0x|com\.apple/ {print $3}'
    Post any lines of output that appear below what you entered -- the text, please, not a screenshot.

  • Patching vulnerabilities for PCI compliance

    Hi
    My Apple Profile Manager server has failed a PCI compliance scan, due to the vulnerabilities listed below. The OS and the software are patched to the highest level, but it's still failing.
    What do I need to do to be able to resolve these? If I can't patch them by Thursday, I'll have to shut down the server.
    SSL/TLS use of weak RC4 cipher: CVE-2013-2566
    OpenSSL Multiple Vulnerabilities (OpenSSL Security Advisory 20140806): CVE-2014-3512, CVE-2014-3511, CVE-2014-3510, CVE-2014-3507, CVE-2014-3508, CVE-2014-5139, CVE-2014-3509, CVE-2014-3505, CVE-2014-3506
    Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day: CVE-2007-6750

    If you're running OS X 10.9.2 as your message indicates, then you are not patched to the highest level. (By a long way.)
    OS X 10.9.5 plus Security Update 2014-005 would give you all the current patches for Mavericks. If you upgraded to Yosemite and Server.app 4.0 you would get some further updates. (Server 4.0 would have to be purchased although Yosemite aka. OS X 10.10 itself is free.)
    Even with all of those I suspect some of the issues you list will not be patched. In theory you could manually compile and install patches but this is generally a very bad idea as you will then break compatibility with Apple's own software such as the server configuration tool Server.app and likely break Profile Manager completely and if you use it the Wiki module.
    If you want complete control over patching the software, then OS X is not going to let you do this without, as mentioned above, severe consequences. Only Linux gives you that level of control. Arguably Windows gives you even less control than OS X, as in Windows it is all closed source (Microsoft) software.

  • CF 7 PCI compliance issue

    There is a security flaw in the wildcard ISAPI DLL in CF7 - Documented here:
    http://blogs.msdn.com/asiatech/archive/2009/03/13/why-private-ip-address-is-still-leaked-on-iis-server-even-after-applying-fix-834141.aspx
    Is there an update to this ISAPI DLL that fixes this issue?
    Thanks.

    Jochem,
    You wrote:
    >So configure a Host header in your IIS website.
    I wish it was easy as that.
    Doing that works fine without the wildcard dll enabled. Unfortunately without it enabled, the CF process fails.
    Enable the DLL and the private IP headers are leaked.
    >2. I fail to see where the PCI specifiction says said behaviour is non-compliant.
    That link is no where near a full compilation of the reasons that a site would fail PCI compliancy.
    It makes sense that one would fail under the circumstances that the private IP address is being leaked. That does present some potential issues for hackers to try and take advantage of.
    The specific PCI rejection is below. The article that they quote in their rejection does not correct the issue as it is specifically related to the DLL.  As mentioned in the link in the very first post of this thread, the issue is readily evident by turning on/off the DLL requirement. Unfortunately our sites require it.
    "Synopsis : This web server leaks a private IP address through its HTTP headers. Description : This may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server. There is a known issue with IIS 4.0 doing this in its default configuration. This may also affect other web servers, especially on a misconfigured redirection. See also : http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP See the Bugtraq reference for a full discussion. Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) CVE : CVE-2000-0649 BID : 1499 Other references : OSVDB:630"

  • PCI Compliance Issue

    I'm trying to make our Exchange 2013 server PCI compliant.  To do this, I've turned off SSL2 and 3, PCT1, and TLS 1.0.
    When I turn off TLS 1.0, none of our Outlook clients can connect.  Is there a change I need to make somewhere so they use TLS 1.1 or above?
    N00b here, so I may have the terminology wrong.
    Thanks.


  • RV016 - SSL too weak Vulnerabilities on network due PCI Compliance

    DISABLE REMOTE MANAGEMENT AND HTTPS.................

  • Compliance scan fails

    I have SCVMM 2012 R2 running on Windows Server 2012 R2; the host servers are 2012 R2 as well.  I have established a baseline and done compliance scans without issue in the past.  However, I have now added additional items into the baseline and now, after a long timeout period, get the following when I try to do a compliance scan on any host.
    Error (2931)
    VMM is unable to complete the request. The connection to the VMM agent on the virtualization server (host.domain.com) was lost.
    Unknown error (0x80338029)
    Recommended Action
    Ensure that the Windows Remote Management (WS-Management) service and the VMM agent are installed and running and that a firewall is not blocking HTTPS traffic.
    This can also happen due to DNS issues. Try and see if the server (host.domain.com) is reachable over the network and can be looked up in DNS. You can ping the virtualization server from VMM management server and make sure that the IP address returned matches the IP address locally obtained from the virtualization server.
    If the error still persists, restart the virtualization server, and then try the operation again.
    The firewall is disabled on the SCVMM server and the host servers.  I have verified there are no DNS issues and that WS-Management is running.  I have rebooted all servers.  I have even removed the baseline and created an entirely new baseline, but always get the same error.  Anyone seen this issue?

    Hi Kristian,
    Yes, UR1 and the SQL script have both been applied.
    Yes, Hyper-V Management Server Service has been restarted (indeed the host itself has been restarted), to no avail. Other hosts in the same cluster work OK..
    When I enable and run tracing, this is the last message when it fails
    [2]1284.28C4::2014-04-13 15:03:11.414 [Microsoft-VirtualMachineManager-Debug]4,4,WsmanAPIWrapper.cs,3426,Exception [System.Runtime.InteropServices.COMException (0x80338029): The WS-Management service cannot complete the operation within the time specified
    in OperationTimeout.       at WSManAutomation.IWSManSession.Invoke(String actionUri, Object resourceUri, String parameters, Int32 flags)     at Microsoft.Carmine.WSManWrappers.MyIWSManSession.Invoke(String
    actionUri, Object resourceUri, String parameters, Int32 flags)     at Microsoft.Carmine.WSManWrappers.WsmanAPIWrapper.Invoke(String actionUri, WSManUri targetUri, Hashtable parameters, Type returnType, Boolean isCarmineMethod, Boolean forceResponseCast)]
    while retrieving underlying WMI error to throw. Got string "<f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150858793" Machine="myserver-01.mydomain.com"><f:Message>The
    WS-Management service cannot complete the operation within the time specified in OperationTimeout.  </f:Message></f:WSManFault>",{00000000-0000-0000-0000-000000000000}
    I've checked WS-MAN config and comms on and between VMM and the Host and all seems to be OK.
    Many thanks,
    Dave

  • Skype Causing PCI Compliance Failure

    Hi,
    As part of my business, I have to undergo PCI Data compliance scans every 3 months. Everything has been okay, but I recently failed a scan, and received this message:
    Description: Skype for Windows < 5.8.0.154 Unspecified Vulnerability (uncredentialed check) Synopsis: The remote Skype install has an unspecified vulnerability. Impact: According to its timestamp, the version of Skype installed on the remote Windows host reportedly has an as-yet unspecified vulnerability.
    The suggested "Resolution" is to 'Upgrade to Skype for Windows 5.8.0.154 or later.'
    I am running Windows on VMware Fusion on my Mac. Initially, I deleted Skype altogether from Windows and updated Skype on my Mac OS X, and still received the same message. So I reinstalled the latest version of Skype for Windows, and STILL received a fail on the scan.
    Is there some way to fix this? It looks like resolving this issue will fix up all the problems I've been having. Any help would be greatly appreciated.

    Hi there ... your post was a long time ago, but wondered if you managed to solve the problem of Skype clients causing PCI compliance to fail?  We are going through the same issues at the moment, all Skype clients updated, yet we are still failing every test.  If you managed to find a fix, would be great to know!  Cheers.

  • Privacy: PCI compliance, etc

    Hi,
    I'm creating a privacy policy for my MUSE website, can you help answer these questions. I have free basic site with my membership:
    1) Is your website getting regular security scans that meet or exceed PCI Compliance standards?
    2) Is your website receiving regular malware scans?
    3) Does your website have and use an SSL certificate?
    If any are no, can you tell me what it takes to upgrade to a yes?
    Thanks,
    Anita


  • PCI Compliance and sessionid

    A recent scan of an ecommerce site I've developed and hosted
    on a shared server at CrystalTech has failed a PCI compliance test
    recently. It previously passed them.
    The report says that sessionids are predictable and therefore
    insecure. This threatens my relationship with the credit card
    companies. The good folks at CrystalTech have not been helpful yet.
    Is anyone familiar with this issue or have valuable thoughts?
    Interestingly, Securitymetrics calls it "Allaire Coldfusion".
    Man, are they out of date.

    It's a faulty report. Refer them to the following URL:
    http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=sharedVars_06.html

  • PCI Compliance Azure Websites (CVE-2014-6321)

    Trying to gain PCI compliance of an azure website. Trustwave scan came back as a pass apart from the following:-
    Vulnerability in Security Channel Could Allow Remote Code Execution (MS14-066)/CVE-2014-6321
    Anything I can do? It's post 443 - we have a EV SSL certificate in IP Based SSL.

    I just had a conversation with Trustwave and they are going to disable this check while they figure out a detection without this false positive, so your scans should be fine now. Thank you Trustwave for such a quick response and turn around!
