PCI Compliance Azure Websites (CVE-2014-6321)

Trying to gain PCI compliance for an Azure website. The Trustwave scan came back as a pass apart from the following:
Vulnerability in Secure Channel Could Allow Remote Code Execution (MS14-066)/CVE-2014-6321
Anything I can do? It's port 443 - we have an EV SSL certificate in IP Based SSL.

I just had a conversation with Trustwave and they are going to disable this check while they figure out a detection without this false positive, so your scans should be fine now. Thank you Trustwave for such a quick response and turn around!

Similar Messages

  • Patching vulnerabilities for PCI compliance

    Hi
    My Apple Profile Manager server has failed a PCI compliance scan, due to the vulnerabilities listed below. The OS and the software are patched to the highest level, but it's still failing.
    What do I need to do to be able to resolve these? If I can't patch them by Thursday, I'll have to shut down the server.
    SSL/TLS use of weak RC4 cipher - CVE-2013-2566
    OpenSSL Multiple Vulnerabilities (OpenSSL Security Advisory 20140806) - CVE-2014-3512, CVE-2014-3511, CVE-2014-3510, CVE-2014-3507, CVE-2014-3508, CVE-2014-5139, CVE-2014-3509, CVE-2014-3505, CVE-2014-3506
    Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day - CVE-2007-6750

    If you're running OS X 10.9.2 as your message indicates, then you are not patched to the highest level. (By a long way.)
    OS X 10.9.5 plus Security Update 2014-005 would give you all the current patches for Mavericks. If you upgraded to Yosemite and Server.app 4.0 you would get some further updates. (Server 4.0 would have to be purchased, although Yosemite, aka OS X 10.10, itself is free.)
    Even with all of those I suspect some of the issues you list will not be patched. In theory you could manually compile and install patches, but this is generally a very bad idea, as you will then break compatibility with Apple's own software such as the server configuration tool Server.app, and likely break Profile Manager completely and, if you use it, the Wiki module.
    If you want complete control over patching the software, then OS X is not going to let you do this without the severe consequences mentioned above. Only Linux gives you that level of control. Arguably Windows gives you even less control than OS X, as in Windows it is all closed source (Microsoft) software.

  • CF 7 PCI compliance issue

    There is a security flaw in the wildcard ISAPI DLL in CF7 - Documented here:
    http://blogs.msdn.com/asiatech/archive/2009/03/13/why-private-ip-address-is-still-leaked-on-iis-server-even-after-applying-fix-834141.aspx
    Is there an update to this ISAPI DLL that fixes this issue?
    Thanks.

    Jochem,
    You wrote:
    >So configure a Host header in your IIS website.
    I wish it was as easy as that.
    Doing that works fine without the wildcard DLL enabled. Unfortunately, without it enabled, the CF process fails.
    Enable the DLL and the private IP headers are leaked.
    >2. I fail to see where the PCI specification says said behaviour is non-compliant.
    That link is nowhere near a full compilation of the reasons that a site would fail PCI compliance.
    It makes sense that one would fail under the circumstances that the private IP address is being leaked. That does present some potential issues for hackers to try and take advantage of.
    The specific PCI rejection is below. The article that they quote in their rejection does not correct the issue, as it is specifically related to the DLL. As mentioned in the link in the very first post of this thread, the issue is readily evident by turning the DLL requirement on/off. Unfortunately our sites require it.
    "Synopsis : This web server leaks a private IP address through its HTTP headers. Description : This may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server. There is a known issue with IIS 4.0 doing this in its default configuration. This may also affect other web servers, especially on a misconfigured redirection. See also : http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP See the Bugtraq reference for a full discussion. Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) CVE : CVE-2000-0649 BID : 1499 Other references : OSVDB:630"
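    A defender-side reproduction of the check behind the finding quoted above (CVE-2000-0649, a private IP address in HTTP response headers), added here as an example and not taken from this thread. It parses a constructed IIS-style response and flags any RFC 1918, loopback or link-local IPv4 address appearing in a header value; the sample responses and function names are my own.

```python
import ipaddress
import re

# Constructed sample responses (not captured from any real server): the
# first leaks an RFC 1918 address in a redirect, the second does not.
LEAKY_RESPONSE = (
    "HTTP/1.1 302 Object Moved\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Location: http://10.0.0.12/index.cfm\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
CLEAN_RESPONSE = (
    "HTTP/1.1 302 Object Moved\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Location: https://www.example.com/index.cfm\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Dotted quad not embedded in a longer dotted/numeric run.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def parse_headers(raw_response):
    """Return (name, value) pairs from the header block; names are lowercased."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def find_private_ips(raw_response):
    """Return [(header_name, ip)] for every non-public IPv4 address in a header.

    Every header is inspected, not just Location, because proxies and
    redirects can surface internal addresses in Via, Content-Location, etc.
    """
    findings = []
    for name, value in parse_headers(raw_response):
        for candidate in IPV4_RE.findall(value):
            try:
                ip = ipaddress.IPv4Address(candidate)
            except ipaddress.AddressValueError:
                continue  # e.g. 999.1.1.1 matches the regex but is not an address
            if ip.is_private or ip.is_loopback or ip.is_link_local:
                findings.append((name, str(ip)))
    return findings


if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY_RESPONSE), ("clean", CLEAN_RESPONSE)):
        print(label, find_private_ips(resp))
```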

  • PCI Compliance Issue

    I'm trying to make our Exchange 2013 server PCI compliant. To do this, I've turned off SSL 2 and 3, PCT 1, and TLS 1.0.
    When I turn off TLS 1.0, none of our Outlook clients can connect. Is there a change I need to make somewhere so they use TLS 1.1 or above?
    N00b here, so I may have the terminology wrong.
    Thanks.

  • Problem with multiple WordPress Azure Websites?

    I've been using Azure to host my Wordpress blog for a while with no issues. Today I tried creating a 2nd Wordpress website on Azure though and I'm having a problem.
    After setting up the website, when I click on <new blog>.azurewebsites.net I get to a blank white page, if I try <new blog>.azurewebsites.net/wp-admin I get redirected to <existing blog>.azurewebsites.net/wp-login to login to
    my existing blog's dashboard.
    One thing that might be worth mentioning is that when creating the new blog I used my existing MySQL database. Could that be a problem?

    Hi,
    Please try to create a new web hosting plan, then create a new wordpress and select this as your web hosting plan, refer to  http://blogs.msdn.com/b/benjaminperkins/archive/2014/10/01/azure-website-hosting-plans-whp.aspx
    for more details.
    Best Regards,
    Jambor

  • Applicationhost.config updates for HTTP Slow Post with Azure Websites

    We are trying to update our Azure websites to not show as vulnerable to the HTTP Slow Post vulnerability. Some articles suggest fixing this by updating the applicationHost.config via IIS to update the connection timeout values. Obviously with Azure websites,
    we don't have access to IIS. Came across some options with Kudu and XDT to modify the application host file, as outlined on these two sites:
    http://azure.microsoft.com/en-us/documentation/articles/web-sites-transform-extend/#transform
    http://rtigger.com/blog/2014/03/31/number-til-modifying-you-azure-applicationhost-dot-config
    Currently am using the following as our applicationHost.xdt (I have this both in our application root, as well as in a SiteExtensions folder as I wasn't clear which one was required).
    <?xml version="1.0"?>
    <configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
        <system.applicationHost>
            <sites>
                <siteDefaults>
                    <limits connectionTimeout="00:00:30" xdt:Transform="Insert" />
                </siteDefaults>
                <applicationDefaults applicationPool="DefaultAppPool" />
                <virtualDirectoryDefaults allowSubDirConfig="true" />
            </sites>
            <webLimits connectionTimeout="00:00:30" xdt:Transform="Insert" />
        </system.applicationHost>
    </configuration>
    We also set the WEBSITE_PRIVATE_EXTENSIONS app-setting to 1 as instructed.
    When testing our site using a 3rd party tool, it appears the setting is not getting applied. Hoping someone can point out where our error may be. Alternatively, is there any way to see what the current applicationHost.config is for our website? I'm curious
    if our XDT is correctly being applied, so if we could see what the resulting file was, that may also allow us to further troubleshoot.
    Thanks in advance for any advice!

    Please see
    this page, which has detailed steps on finding your applicationhost.config and finding the logs from the transformation. And please make sure that your applicationhost.xdt is in your
    d:\home\site folder (and not in your site\wwwroot).
    David

  • Rv082 fails PCI compliance test scan

    The rv082 v2 with firmware 2.0.2.01-tm fails PCI compliancy scans for the following vulnerability:
    tcp (tcp/1)
    TCP reset using approximate sequence number
    CVE-2004-0230
    Is there any fix for this?  Configuration change?  Future firmware fix?
    Thanks,
    dr

    Is the self-signed certificate the only certificate on the server? If so, get yourself a certificate from a reliable 3rd-party certificate authority. DigiCert's a good source, and a lot less expensive than others (like VeriSign).
    You're always going to have the self-signed cert on the server, but the only place it will be used is for intra-organizational SMTP sessions.
    --- Rich Matheisen MCSE&I, Exchange MVP

  • Privacy: PCI compliance, etc

    Hi,
    I'm creating a privacy policy for my MUSE website, can you help answer these questions. I have free basic site with my membership:
    1) Is your website getting regular security scans that meet or exceed PCI Compliance standards?
    2) Is your website receiving regular malware scans?
    3) Does your website have and use an SSL certificate?
    If any are no, can you tell me what it takes to upgrade to a yes?
    Thanks,
    Anita

  • Azure Website Loading Slowly

    I created a WordPress web site in Azure. I am using basic web hosting mode. I uploaded my WP files to the new Azure web site. I selected a MySQL DB and the West EU location.
    My web site is loading very slowly.
    ortacdemirel.azurewebsites.net
    (I did not redirect my DNS records to Azure and my web page menu links show my ex-web page)
    What is the problem? Is there any missing configuration?

    Hi,
    Please have a look at this article:
    http://azure.microsoft.com/blog/2014/08/11/10-ways-to-speed-up-your-wordpress-site-on-azure-websites/.
    If you are running your WordPress website on Azure Websites and want to optimize it to obtain fast page load time, then consider implementing these quick and easy steps mentioned below:
    1. Web site and Database must be in the same data center
    2. Do not use FREE MySQL database
    3. Optimize your database
    4. Compress Images
    5. Reduce HTTP requests
    6. Diagnose if your theme is slowing down your site
    7. Diagnose if any plugin is slowing down your site
    8. Turn off Pingbacks and Trackbacks if you don’t use it
    9. Specify Image dimension
    10. Caching
    Best Regards,
    Jambor

  • CVE-2014-6352

    CVE-2014-6352 is listed in windows 7 Programs and Features panel. Listed with no Publisher, no info. Does this mean I have the remote execution vulnerability or just the patch for it. It was installed Oct 23, 2014, about the same time the advisory came out.
    I want to know if I should uninstall it. It is actually listed twice in the panel?

    This Trojan came through Microsoft PowerPoint; I suggest you scan your PC.
    Be careful if you open document files from a 3rd party or website.
    Workarounds
    The following workarounds may be helpful in your situation:
    Apply the Microsoft Fix it solution, "OLE packager Shim Workaround", that prevents exploitation of the vulnerability
    See Microsoft Knowledge Base Article 3010060 to use the automated Microsoft Fix it solution to enable or disable this workaround.
    Note:
    The Fix it solution is available for Microsoft PowerPoint on 32-bit and x64-based editions of Microsoft Windows, with the exception of 64-bit editions of PowerPoint on x64-based editions of Windows 8 and Windows 8.1.
    Do not open Microsoft PowerPoint files, or other files, from untrusted sources
    Do not open Microsoft PowerPoint files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted file.
    Enable User Account Control (UAC)
    Note: User Account Control is enabled by default.
    1. Do one of the following to open Control Panel:
       1. Click Start, and then click Control Panel.
       2. Press the Windows logo key + s, type Control Panel, then open the Control Panel app.
    2. In Control Panel, click User Accounts (or User Accounts and Family Safety).
    3. In the User Accounts window, click User Accounts.
    4. In the User Accounts tasks window, click Turn User Account Control on or off (or Change User Account Control settings).
    5. If UAC is currently configured in Admin Approval Mode, a UAC message appears; click Continue.
    6. Click the check box "Use User Account Control (UAC) to help protect your computer", and then click OK.
    7. Do one of the following:
       1. Click Restart Now to apply the change right away.
       2. Click Restart Later.
    8. Close the User Accounts tasks window.
    For more in-depth info, read here:
    https://technet.microsoft.com/library/security/MS14-064#ID0EM1AE

  • Azure Websites down in South East Asia?

    Looks like Azure Websites has been down for the past 30 minutes at least in South East Asia.
    Can anyone else confirm this as an issue and does anyone at Microsoft have a timeline for resolving this?
    Azure service status shows all is well at 2:41pm Sydney Australia time.
    Just waiting for irate clients to start calling now :( Gulp!

    Hi ALL,
    Microsoft Azure team has resolved this issue, this issue was started at: 8/4/2014 4:15 UTC, and was fixed at: 8/4/2014 5:15 UTC, sorry for any inconvenience.
    Best Regards,
    Jambor

  • Can the new Azure File Service be used from Azure WebSites?

    The title pretty much says it all...
    Microsoft just launched the new File Services on Azure. (http://blogs.msdn.com/b/windowsazurestorage/archive/2014/05/12/introducing-microsoft-azure-file-service.aspx).
    Can I use it from within a Azure WebSite?
    Or is it limited to use from VMs and CloudServices due to "net use" restrictions?
    Thanks

    Hi,
    Mounting the file share using SMB in Windows Azure Websites is not supported. If you'd like to see it, I suggest you request the feature here:
    http://feedback.azure.com/forums/169385-web-sites
    Currently we can use the REST API to do this, just as Name-Dis said.
    Best Regards,
    Jambor

  • Creation of Microsoft Azure Website failed. The application already exists

    Trying to create a new website, I get this error:
    Creating Microsoft Azure Website
    Creation of Microsoft Azure Website failed. The application already exists. The remote server returned an unexpected response: (409) Conflict.
    I succeeded to create this website earlier on and then I deleted it as I didn't need it anymore.
    Now I want to create it again but I get this error even though I've deleted all websites, hosting plans, cloud service, etc from my Azure account.
    Any idea on how to fix this?

    At this point, I don't know how it happened, but we'll need to dig deeper. I believe there is a sequence that can cause problems if you create a site via the Current portal and delete it via Preview, but I'm not sure.
    BTW, it seems you have 2 other sites that may be in the same situation (deleted in a way that you couldn't recreate them). They're 'shortl...dev' and 't..d' (not giving full names to avoid squatters!). Do you think you'll want to recreate them later? If
    so, we can do the same maneuver to get back to a good state.

  • Creation of Microsoft Azure Website failed. Cannot move or create server. Subscription ' id ' will exceed server quota.

    I'm trying to create a new MVC website with azure cloud server. However, when creating my project/solution in visual studio I get the following error.
    Creation of Microsoft Azure Website failed. Cannot move or create server. Subscription '<id>' will exceed server quota.
    During the day I created several MVC projects, as a learning exercise, and it worked fine. Now it's failing every time I create a new MVC website with Azure.
    Every time I created a website, I have always deleted any generated Azure sites and databases via the management portal. Currently I have no websites in Azure. Thus I don't see how I've reached a quota,
    Any ideas what might be going wrong?
    My subscription is pay as you go.
    Thanks for your time,
    Rob

    Hi,
    It might be due to various other resources (SQL DB, Application Insights, etc.) that you may have created while deploying earlier websites, which filled up your quota. Because of that, creating new resources would exceed the quota limit.
    Check for the unused resources and clear them. It may clear the error and allow you to create new websites.
    Otherwise, it would be an account-related issue rather than a technical issue. I suggest you contact Azure support; it is the best choice for you. Please contact the support team by creating a support ticket at
    http://www.windowsazure.com/en-us/support/contact/
    Regards,
    Manu Rekhar

  • I can't access a report in reporting services in a VM via azure website with reportviewer

    Hi. I just created a VM with Reporting Services, created a dataset and a report, but when I try to access that report from my Azure website via ReportViewer I receive the error "the request failed with http status 401: unauthorized". Does somebody have
    an idea about what is wrong? I set the report server URI, report path, user and password in the ReportViewer.
    Thank you in advance.

    Hi,
    Thank you for your post.
    See this article in Books Online:
    http://msdn.microsoft.com/en-us/library/ms156014.aspx
    for information about how to configure security in Reporting Services:
    http://msdn.microsoft.com/en-us/library/ms156034.aspx
    If it is the SQL Reporting report server then follow these steps.
    Resolution: On the Server Home page select the "Allow other Windows Azure services to access this server" checkbox.
    To open the Server Home page:
    1. Go to https://windows.azure.com
    2. Navigate to the SQL Database server
    3. Click Firewall rules
    4. Select the "Allow other Windows Azure services to access this server" checkbox
    Also refer this link for more details.
    http://msdn.microsoft.com/en-us/library/hh403967.aspx
    Girish Prajwal
