Patching vulnerabilities for PCI compliance

Hi
My Apple Profile Manager server has failed a PCI compliance scan, due to the vulnerabilities listed below. The OS and the software are patched to the highest level, but it's still failing.
What do I need to do to be able to resolve these? If I can't patch them by Thursday, I'll have to shut down the server.

SSL/TLS use of weak RC4 cipher: CVE-2013-2566
OpenSSL Multiple Vulnerabilities (OpenSSL Security Advisory 20140806): CVE-2014-3512, CVE-2014-3511, CVE-2014-3510, CVE-2014-3507, CVE-2014-3508, CVE-2014-5139, CVE-2014-3509, CVE-2014-3505, CVE-2014-3506
Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day: CVE-2007-6750

If you're running OS X 10.9.2, as your message indicates, then you are not patched to the highest level (by a long way).
OS X 10.9.5 plus Security Update 2014-005 would give you all the current patches for Mavericks. If you upgraded to Yosemite and Server.app 4.0 you would get some further updates. (Server 4.0 would have to be purchased, although Yosemite, aka OS X 10.10, itself is free.)
Even with all of those I suspect some of the issues you list will not be patched. In theory you could manually compile and install patches, but this is generally a very bad idea: you will then break compatibility with Apple's own software such as the server configuration tool Server.app, and likely break Profile Manager completely and, if you use it, the Wiki module.
If you want complete control over patching the software, then OS X is not going to let you do this without, as mentioned above, severe consequences. Only Linux gives you that level of control. Arguably Windows gives you even less control than OS X, as in Windows it is all closed-source (Microsoft) software.

Similar Messages

  • Upgrade firmware for PCI compliance scan

    I have a WRT54G ver. 5 wireless router running ver. 1.02.0 firmware. I'm anticipating a PCI compliance scan which my bank requires since I transmit credit card numbers from here for my online business. I'm wondering if I should upgrade to the latest firmware version (1.02.6) before the scan. The router is working fine and I'm a great believer in not fixing things if they aren't broken. Does the upgrade make security improvements (which I should have) or just fix problems (which I don't have)?

    If the router is upgraded with the latest firmware it resolves many problems. So if you get some time you may upgrade the firmware.

  • Disable SSL v2 and weak ciphers on a RV325 for PCI compliance

    How do you disable SSL v2 and weak ciphers on a RV325 to become PCI compliant?

    Hello,
    per the Cisco RVS4000 product site information this router has already been end of life since January 30, 2010. The last date of support has also already passed - April 30, 2013. This means that according to Cisco policy no further updates to the existing firmware will be done, not even security-related fixes. And I am afraid that this is a fact with which you have to deal.
    Regarding the RV320 - it seems that there is no possibility to restrict the SSL/TLS protocol/version on your own in the current version. Francis - I would recommend you open a service request with Cisco SMB Support if you still have a valid support contract. I hope there is a good chance to get it fixed, as this is a security-related inability.
    Lastly - for all products (including the RVS4000) - I would suggest keeping the management interface of the router as separated as possible - i.e. restrict access to the management interface to a single subnet/host(s) only (via the Firewall feature). Having an administration/management subnet and certain client(s) which are part of this subnet can help to avoid eavesdropping on your connection to the router. Of course disabling remote management is the best thing you can do in any case (including avoiding possible firmware bugs, login attempts and so on).

  • E Business columns for PCI Compliance

    Does Oracle have a documentation with configuration details to meet Payment Card Industry standards requirements? We are implementing Oracle Advanced Security against Oracle E Business and need to know what columns we should specifically address within E Business to protect our PII/PCI data.
    Any help would be greatly appreciated.
    Bill

  • IDS/IPS for PCI compliance requirements

    I have the traditional IPS/IDS modules in my Cisco ASAs. Is there an application that can collect all my logs and send alerts when a threat is detected? Is the IME still a valid product? What are the limitations of the IME?

    Have a look at Microsoft Endpoint Protection for Windows Azure.
    http://blogs.msdn.com/b/windowsazure/archive/2012/03/26/microsoft-endpoint-protection-for-windows-azure-customer-technology-preview-now-available-for-free-download.aspx
    http://blog.maartenballiauw.be/post/2012/03/27/Protecting-Windows-Azure-Web-and-Worker-roles-from-malware.aspx

  • CCX PCI Compliance

    Hi All,
    I am looking to achieve PCI compliance for my networking infrastructure, which includes CCX, currently running version 4.1 with IVR being used for credit card authentication. Not really sure where to start on this, so if anybody has any pointers on how the requirements for PCI compliance translate to what we actually need to do to the server, that would be much appreciated.
    Rgds

    I just had a conversation with Trustwave and they are going to disable this check while they figure out a detection without this false positive, so your scans should be fine now. Thank you Trustwave for such a quick response and turn around!

  • Pci compliance for very small biz using mac and ipad

    I run a very SMALL business. We have one MacBook an iPad and an iPhone. We run everything through a second party merchant card processor/software (mindbody). However, according to the PCI compliance survey I just finished, I am supposed to run quarterly internal scans for vulnerabilities. Does antivirus software do this?
    Also, what firewall settings do I need on my mac to be PCI compliant?
    I know this may be a very simple question, but the PCI survey assumes everyone has an IT department with a ton of policies and procedures. Trying to figure out how to be compliant as a super small business without all that infrastructure.

    Anti-virus software would not do PCI vulnerability scanning. You need specialized software to do that. Unfortunately, I cannot recommend specific software. My wife's small business was wrestling with PCI issues some time ago, and they're currently not doing any kind of internal scans. I don't know why not. They do get scanned externally periodically, to look for vulnerabilities in their setup that could allow people outside their network to gain access.
    PCI compliance is a scam anyway. It doesn't prevent the numerous breaches that so many high-profile companies have been facing lately, and you can bet they're dotting their i's and crossing their t's with respect to PCI compliance. They have the budget to do so.
    Your Mac should not need the firewall on. That shouldn't affect PCI compliance, if the Mac is properly configured and does not have any services open in System Preferences -> Sharing.

  • RV016 - SSL too weak Vulnerabilities on network due PCI Compliance

    DISABLE REMOTE MANAGEMENT AND HTTPS.................

  • Fully patched SBS failing PCI scan for MS10-070

    I have a fully patched SBS 2011 server that is failing our PCI compliance scan due to MS10-070. I am not sure how to clear this issue as it appears I have applied all patches to date. All help is appreciated.

    I too am having this very same problem with an SBS 2011 and a Trustwave PCI Scan. Same scan failure, MS10-070.
    I do not have .NET 4.5 installed either.
    According to ASoft .NET Version Detector, I have the following:
    <32Bit>
    2.0.50727.5737
      ->C:\Windows\Microsoft.NET\Framework\v2.0.50727
    4.0.30319.296
      ->C:\Windows\Microsoft.NET\Framework\v4.0.30319
    <64Bit>
    2.0.50727.5737
      ->C:\Windows\Microsoft.NET\Framework64\v2.0.50727
    4.0.30319.296
      ->C:\Windows\Microsoft.NET\Framework64\v4.0.30319
    < Installed .NET Frameworks >
    .NET FW 2.0 SP 2 (CLR:2.0)
    .NET FW 3.0 SP 2 (CLR:2.0)
    .NET FW 3.5 SP 1 (CLR:2.0)
    .NET FW 4.0 Client (CLR:4.0)
    .NET FW 4.0 Full (CLR:4.0)
    The "evidence" listed by Trustwave is as follows:
    https://xx.xx.xx.xxx/Remote/ScriptResource.axd?d=lXZlKIAaV2DQCh8KTxGhBga0MRSGLTRT9DSz8blSZp-D_-ZPudrzAKWqHdY35UWsutw3Ntl-4wvao6MPLFScquOdB1ltjYYHOqxwXXy4-cMH0botA64x54vVSrQvbWfqeeqj1b7G7AQhZLaT-GYmx1N5BV60glFQdELeLVBMDvHtrJqdKd8_uVn0Dbduk18U0&t=ffffffff940d030f
    https://xx.xx.xx.xxx/Remote/ScriptResource.axd?d=p6YZ1NuXPX8YwTxRRD40xEKpXBuPB3YUgQ3hjNGQxb_5tTy2dU9nG0cHEomkwkiNf4PP8G6eTLYZjXf70cl8npvIQIjbTj1Gi4nA5G5YYhpWctDt3JQRY9yZV6x9RNeD2_PoFyDJ8BBhYAlkHyfqLGzUUYBmdjuVdkzZFPoZMXQ1&t=ffffffff940d030f
    https://xx.xx.xx.xxx/Remote/WebResource.axd?d=exxOBoRssUcc64ztYfy_H0dLRaK691IwOZsT_ZgvH1h4puvZrQFRDaop4RO9S8crNjGUdI2DJaltVrI6S1kcTPACO-elHaY3hv-EIlFENLU1&t=634955083192463937
    When I click on the links of the evidence, I get a page returned full of text. The evidence seems like it is real and not a false positive being that I do get a return. All of my Windows Updates are current, so I really don't know where to go with this.

  • PCI Compliance for the iPad

    Has anyone implemented a PCI compliant iPad application? If so, were there specific steps you used?

    There are a number of credit card processing applications in the iTunes Store, and at least a couple claim PCI compliance, if that's what you mean. Do a Power Search for apps with "credit card" and browse through the results, or search a site like appshopper.com. Once you find one, you can contact the developer and ask if they'll share tips.
    If that's not what you're referring to, please post back and elaborate.
    Regards.

  • Failing PCI Compliance Scan - SSL Weak...

    Hello,
    I currently use the WRVS4400n v2 (latest update) for my small business. I store and transmit data that contains credit card information and need to be PCI compliant. Regardless of which settings I change on the router, like turning off remote management, I keep failing the scan. ControlScan uses Nessus and the results are below (2 vulnerabilities).
    I did some research and spent some time with Cisco Sales Chat and they recommended an ASA5500, only to realize that it too had the same vulnerabilities. I did more research and it seemed that the SA520w (I need wireless) would do it, but I found a thread on this forum saying that a client who had the SA520w did not pass the scan due to an SSL vulnerability (need v3+?). The thread is at https://supportforums.cisco.com/thread./2060512
    Question: What router/appliance should I use to be PCI compliant? There has to be something; we're talking Cisco here.
    Thank you in advance for your help,
    Christophe
    Threat ID: 126928
    Details:
    IP Address: XX.XXX.X.XXX
    Host: XX.XXX.X.XXX
    Path:
    THREAT REFERENCE
    Summary:
    SSL Weak Cipher Suites Supported
    Risk: High (3)
    Type: Nessus
    Port: 60443
    Protocol: TCP
    Threat ID: 126928
    Information From Target:
    Here is the list of weak SSL ciphers supported by the remote server :
    Low Strength Ciphers (< 56-bit key)
    SSLv2
    EXP-RC2-CBC-MD5            Kx=RSA(512)   Au=RSA     Enc=RC2(40)      Mac=MD5    export    
    EXP-RC4-MD5                Kx=RSA(512)   Au=RSA     Enc=RC4(40)      Mac=MD5    export    
    The fields above are :
    {OpenSSL ciphername}
    Kx={key exchange}
    Au={authentication}
    Enc={symmetric encryption method}
    Mac={message authentication code}
    {export flag}
    Solution:
    Reconfigure the affected application if possible to avoid use of weak ciphers.
    Details:
    The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
    Threat ID: 142873
    Details:
    IP Address: XX.XXX.X.XXX
    Host: XX.XXX.X.XXX
    Path:
    THREAT REFERENCE
    Summary:
    SSL Medium Strength Cipher Suites Supported
    Risk: High (3)
    Type: Nessus
    Port: 60443
    Protocol: TCP
    Threat ID: 142873
    Information From Target:
    Here are the medium strength SSL ciphers supported by the remote server :
    Medium Strength Ciphers (>= 56-bit and < 112-bit key)
    SSLv2
    DES-CBC-MD5                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=MD5   
    SSLv3
    DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1  
    TLSv1
    DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1  
    The fields above are :
    {OpenSSL ciphername}
    Kx={key exchange}
    Au={authentication}
    Enc={symmetric encryption method}
    Mac={message authentication code}
    {export flag}
    Solution:
    Reconfigure the affected application if possible to avoid use of medium strength ciphers.
    Details:
    The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.

    Chris,
    As I understand it, right now none of the Small Business routers are PCI compliant, ever since PCI 3.0 was released. How you overcome this: you'll need to forward any ports you are failing on to a ghost IP. Ghost IP = any IP address that isn't being used. If you are using those ports, then you will lose that service, as the router isn't PCI 3.0 compliant.
    Jason
    I do believe the ASA5505s are PCI 3.0 compliant.
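An added example, not code from any post in this thread: the Nessus findings above list ciphers in the layout of `openssl ciphers -v` and state the thresholds the scanner uses (below 56-bit key is "low", 56 to 111 bits is "medium"). The script below parses that layout, applies the same thresholds, and also flags the two things that key length alone misses, which is what bit the Profile Manager server in the first post: RC4 at any key length (CVE-2013-2566) and anything offered under SSLv2 or SSLv3. The sample listing is constructed for the example (the first five cipher lines mirror the scan output quoted above; RC4-SHA and AES128-SHA are added for contrast); the thresholds and the CVE mapping come from the page, nothing else is taken from a real scan.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the "openssl ciphers -v" layout the Nessus findings quote.
# The DES/export lines mirror the post; RC4-SHA and AES128-SHA are added for contrast.
SAMPLE_SCAN = """
SSLv2
EXP-RC2-CBC-MD5            Kx=RSA(512)   Au=RSA     Enc=RC2(40)      Mac=MD5    export
EXP-RC4-MD5                Kx=RSA(512)   Au=RSA     Enc=RC4(40)      Mac=MD5    export
DES-CBC-MD5                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=MD5
SSLv3
DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1
RC4-SHA                    Kx=RSA        Au=RSA     Enc=RC4(128)     Mac=SHA1
TLSv1
DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1
AES128-SHA                 Kx=RSA        Au=RSA     Enc=AES(128)     Mac=SHA1
"""

PROTOCOL_RE = re.compile(r"^(SSLv2|SSLv3|TLSv1(?:\.\d)?)$")
CIPHER_RE = re.compile(
    r"^(?P<name>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[A-Za-z0-9]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)"
    r"(?P<export>\s+export)?$"
)


@dataclass
class Cipher:
    protocol: str
    name: str
    kx: str
    enc: str
    bits: int
    mac: str
    export: bool


def parse_scan(text: str) -> List[Cipher]:
    """Parse a protocol-grouped cipher listing; lines that are not ciphers are skipped."""
    ciphers: List[Cipher] = []
    protocol = "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if PROTOCOL_RE.match(line):
            protocol = line          # a protocol header applies to the lines below it
            continue
        m = CIPHER_RE.match(line)
        if m:
            ciphers.append(Cipher(protocol, m["name"], m["kx"], m["enc"],
                                  int(m["bits"]), m["mac"], bool(m["export"])))
    return ciphers


def strength(c: Cipher) -> str:
    """Nessus buckets as stated in the findings: <56 low, 56..111 medium, >=112 strong."""
    if c.bits < 56:
        return "low"
    if c.bits < 112:
        return "medium"
    return "strong"


def summarize(ciphers: List[Cipher]) -> Dict[str, int]:
    """Count ciphers per strength bucket."""
    counts = {"low": 0, "medium": 0, "strong": 0}
    for c in ciphers:
        counts[strength(c)] += 1
    return counts


def findings(ciphers: List[Cipher]) -> List[Tuple[str, str, List[str]]]:
    """Every (protocol, cipher, reasons) triple a PCI scan would object to.

    Key length is not the whole story: RC4-SHA is 128-bit and still fails on
    CVE-2013-2566, and anything offered under SSLv2/SSLv3 fails on the protocol.
    """
    out: List[Tuple[str, str, List[str]]] = []
    for c in ciphers:
        why: List[str] = []
        if c.protocol in ("SSLv2", "SSLv3"):
            why.append(f"{c.protocol} enabled")
        if c.export:
            why.append("export-grade cipher")
        if c.enc == "RC4":
            why.append("RC4 (CVE-2013-2566)")
        s = strength(c)
        if s != "strong":
            why.append(f"{s} strength: {c.bits}-bit {c.enc}")
        if why:
            out.append((c.protocol, c.name, why))
    return out


if __name__ == "__main__":
    parsed = parse_scan(SAMPLE_SCAN)
    print(summarize(parsed))
    for proto, name, why in findings(parsed):
        print(f"{proto:6} {name:18} {'; '.join(why)}")
```

Feed it the "Information From Target" block of a real finding and it gives you one list to work through instead of two scanner tickets. On a server you administer that runs Apache with mod_ssl, the corresponding remediation is `SSLProtocol all -SSLv2 -SSLv3` plus an `SSLCipherSuite` value that excludes `RC4`, `EXP`, `DES` and `aNULL`, then a re-scan; on an appliance whose firmware does not expose those settings, the only controls are the ones the Cisco replies above give: restrict or redirect the port, or disable the HTTPS management interface.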

  • SAP Short Dumps and PCI Compliance

    We've run into an issue with our PCI Compliance audit around being able to see unencrypted credit cards in short dump messages in SAP.  Has anyone run into this issue?
    Only work around I've got at this point is to restrict all access to short dumps and require many documented signoffs before turning on and off access to a short dump.  This is pretty cumbersome, and still leaves a hole in my overall security.
    We've managed to purge restricted CC data from our XI logging, and done everything right with encryption, but this short dump issue just doesn't seem to have a solution.
    Can anyone help?  We're on 6.0.
    Thanks!

    Hi David,
    This is an interesting situation you have described. ABAP short-dumps, or run-time errors as they are also known, are unhandled exceptions during program execution. The conditions that cause such exceptions are unknown or cannot be handled at run-time. To help analyze what went wrong with the said program during execution, it is necessary for the dump to contain all possible information, including data values passed between programs when the error occurs. Encryption of restricted data values is a program step in itself. If the dump were to occur after this step then of course it would contain encrypted CC info. Unfortunately in your case it exposes restricted CC info because the dump occurs BEFORE this step.
    I don't believe there is a way to prevent this from happening -- for the same reason that the program logic does not know at run-time how to "handle" the exception. If occurrences of such dumps are fairly common in your system, you may want to investigate the likely causes -- for example, missing or incorrect customization. Analyzing the short dumps will probably give you a clue. Your customization team may be able to identify a pre-condition that causes this unhandled exception. If this exception can then be handled (via a program change) that returns a meaningful error instead of a short dump, you would be able to close the security hole. This however entails modification to SAP standard code. I don't usually recommend such changes, but given the sensitive nature of your data it may be worth consideration.
    I personally advocate restricted access to ST22. The steps you have undertaken to enforce this may be cumbersome despite efforts to keep it simple. I suppose that's the price we pay in administering the system. If you have not already done so, you may also want to ensure that short-dumps that contain restricted CC info are not saved (using the "Keep" feature in ST22) for easy retrieval at a later point in time, or, if they are saved, that they be available only to 'restricted eyes'. Short-dumps are normally saved in the system for 7 or 14 days (not sure of the exact # of days). The bigger challenge in my opinion is: How do you prevent the restricted info from being viewed by the user who, during the course of program/transaction execution, encounters the said short dump? No amount of security controls around ST22 will mitigate this risk. The only option that remains is program change (as mentioned above). But to get there you first need to know what causes the exception.
    Regards.
    Ashutosh

  • Critical patch update for Oracle 10g As 10.1.0.3

    Hi,
    I am facing some security vulnerabilities regarding Apache in Oracle 10g Application Server.
    Could you please suggest a critical patch update for this version?
    Thanks in advance.
    Regards,
    Sathya

    Hi,
    Check below security update from oracle. Check your product in list.
    http://www.oracle.com/technetwork/topics/security/alerts-086861.html
    Thanks,
    JD

  • CF 7 PCI compliance issue

    There is a security flaw in the wildcard ISAPI DLL in CF7 - Documented here:
    http://blogs.msdn.com/asiatech/archive/2009/03/13/why-private-ip-address-is-still-leaked-on-iis-server-even-after-applying-fix-834141.aspx
    Is there an update to this ISAPI DLL that fixes this issue?
    Thanks.

    Jochem,
    You wrote:
    >So configure a Host header in your IIS website.
    I wish it was easy as that.
    Doing that works fine without the wildcard dll enabled. Unfortunately without it enabled, the CF process fails.
    Enable the DLL and the private IP headers are leaked.
    >2. I fail to see where the PCI specifiction says said behaviour is non-compliant.
    That link is no where near a full compilation of the reasons that a site would fail PCI compliancy.
    It makes sense that one would fail under the circumstances that the private IP address is being leaked. That does present some potential issues for hackers to try and take advantage of.
    The specific PCI rejection is below. The article that they quote in their rejection does not correct the issue as it is specifically related to the DLL.  As mentioned in the link in the very first post of this thread, the issue is readily evident by turning on/off the DLL requirement. Unfortunately our sites require it.
    "Synopsis: This web server leaks a private IP address through its HTTP headers. Description: This may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server. There is a known issue with IIS 4.0 doing this in its default configuration. This may also affect other web servers, especially on a misconfigured redirection. See also: http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP See the Bugtraq reference for a full discussion. Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) CVE: CVE-2000-0649 BID: 1499 Other references: OSVDB:630"
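An added example that is not part of the thread: the Nessus text quoted in the rejection describes the classic IIS behaviour of building a redirect from the server's own address when a request arrives without a Host header, so the internal (RFC 1918) address ends up in the `Location` header. The script below reproduces the scanner's check: it sends an HTTP/1.0 request with no Host header and then scans every response header for a private IPv4 address. The two sample responses are constructed for the example; the CF7 wildcard DLL specifics from the post are not modelled, only the observable symptom.

```python
import ipaddress
import re
import socket
from typing import List, Tuple

# Dotted quad not embedded in a longer dotted/numeric token (so "1.2.3.4.5" is not split).
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed sample responses; no real host was probed to produce them.
LEAKING_RESPONSE = (
    "HTTP/1.1 302 Object Moved\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Location: http://10.1.2.3/CFIDE/administrator/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
CLEAN_RESPONSE = (
    "HTTP/1.1 302 Object Moved\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Location: https://www.example.com/CFIDE/administrator/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response into (lower-cased name, value) pairs; the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs: List[Tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def private_ips_in_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (header, address) for every private-range IPv4 address found in any header.

    ipaddress' is_private covers RFC 1918, loopback and link-local ranges, which is
    what the scanner means by an address "hidden or masked behind NAT".
    """
    hits: List[Tuple[str, str]] = []
    for name, value in parse_headers(raw):
        for candidate in IPV4_RE.findall(value):
            try:
                ip = ipaddress.IPv4Address(candidate)
            except ValueError:                   # e.g. 999.1.1.1 matched the regex shape
                continue
            if ip.is_private:
                hits.append((name, str(ip)))
    return hits


def build_probe(path: str = "/") -> bytes:
    """The request that triggers the leak: HTTP/1.0 with no Host header at all."""
    return f"GET {path} HTTP/1.0\r\nConnection: close\r\n\r\n".encode()


def probe(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> List[Tuple[str, str]]:
    """Send the probe over plain TCP and check the headers (plain HTTP only, no TLS)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe(path))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return private_ips_in_headers(b"".join(chunks).decode("latin-1"))


if __name__ == "__main__":
    print("sample leak :", private_ips_in_headers(LEAKING_RESPONSE))
    print("sample clean:", private_ips_in_headers(CLEAN_RESPONSE))
```

Run `probe()` against a directory path without its trailing slash (the "Object Moved" redirect is what carries the address) both with the wildcard DLL enabled and disabled to confirm the on/off behaviour the post describes, and keep the check in your own pre-scan so the ASV does not find it first.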

  • Rv082 fails PCI compliance test scan

    The rv082 v2 with firmware 2.0.2.01-tm fails PCI compliancy scans for the following vulnerability:
    tcp (tcp/1)
    TCP reset using approximate sequence number
    CVE-2004-0230
    Is there any fix for this?  Configuration change?  Future firmware fix?
    Thanks,
    dr

    Is the self-signed certificate the only certificate on the server? If so, get yourself a certificate from a reliable 3rd-party certificate authority. DigiCert's a good source, and a lot less expensive than others (like VeriSign).
    You're always going to have the self-signed cert on the server, but the only place it will be used is for intra-organizational SMTP sessions.
    --- Rich Matheisen MCSE&I, Exchange MVP
