SSLv3 and TLSv1.0 PCI Compliance issues on an ASA.

Our Trustwave PCI Audit kicked back these three errors.
What do I need to do to resolve these? I'm assuming these are listed because of our Client VPN on our ASA5505.
ASA Version: 9.2(4)
ASDM Version: 7.4(3)
This topic first appeared in the Spiceworks Community

Hi Ajay,
Disabling normalization made no difference. I thought it might help, but I think it only looks at the gross structure of the packets and doesn't worry about RFC2246 compliance.
The relevant parts of the configuration are shown below:
rserver host web-web1
  ip address a.b.c.d
  inservice
rserver host web-web2
  ip address a.b.c.e
  inservice
serverfarm host FARM-web2
  rserver web-web1
    inservice
  rserver web-web2
    inservice
sticky ip-netmask 255.255.255.255 address source FARM-web2-Sticky
  timeout 99
  replicate sticky
  serverfarm FARM-web2 backup FARM-sorry
class-map match-any L4VIPCLASS
  2 match virtual-address x.y.z.t tcp eq www
  3 match virtual-address x.y.z.t tcp eq https
  6 match virtual-address x.y.z.t tcp eq 81
policy-map type loadbalance first-match LB-POLICY
  class class-default
    sticky-serverfarm FARM-web2-Sticky
policy-map multi-match L4POLICY
  class L4VIPCLASS
    loadbalance vip inservice
    loadbalance policy LB-POLICY
    loadbalance vip icmp-reply active
    loadbalance vip advertise
service-policy input L4POLICY
As you see, the configuration is about as simple as it can be.
Kind Regards
Cathy

Similar Messages

  • WRT610n help with PCI compliance issue ICMP timestamp

    I'm having an issue with ICMP timestamps and PCI compliance; they keep saying it is allowing timestamps, but my firewall shows it not checked. I see no particular option on the router to disable timestamps.
    Again, I have a WRT610n ver 2 router.
    anyone run into this?
    i sure could use some help
    Thanks!

    Did you try to upgrade/re-flash the firmware on your Linksys router?

  • CF 7 PCI compliance issue

    There is a security flaw in the wildcard ISAPI DLL in CF7 - Documented here:
    http://blogs.msdn.com/asiatech/archive/2009/03/13/why-private-ip-address-is-still-leaked-on-iis-server-even-after-applying-fix-834141.aspx
    Is there an update to this ISAPI DLL that fixes this issue?
    Thanks.

    Jochem,
    You wrote:
    >So configure a Host header in your IIS website.
    I wish it was easy as that.
    Doing that works fine without the wildcard dll enabled. Unfortunately without it enabled, the CF process fails.
    Enable the DLL and the private IP headers are leaked.
    >2. I fail to see where the PCI specification says said behaviour is non-compliant.
    That link is nowhere near a full compilation of the reasons that a site would fail PCI compliance.
    It makes sense that one would fail under the circumstances that the private IP address is being leaked. That does present some potential issues for hackers to try and take advantage of.
    The specific PCI rejection is below. The article that they quote in their rejection does not correct the issue as it is specifically related to the DLL. As mentioned in the link in the very first post of this thread, the issue is readily evident by turning on/off the DLL requirement. Unfortunately our sites require it.
    "Synopsis : This web server leaks a private IP address through its HTTP headers. Description : This may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server. There is a known issue with IIS 4.0 doing this in its default configuration. This may also affect other web servers, especially on a misconfigured redirection. See also : http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP See the Bugtraq reference for a full discussion. Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) CVE : CVE-2000-0649 BID : 1499 Other references : OSVDB:630"

  • PCI Compliance Issue

    I'm trying to make our Exchange 2013 server PCI compliant. To do this, I've turned off SSL2 and 3, PCT1, and TLS 1.0.
    When I turn off TLS 1.0, none of our Outlook clients can connect. Is there a change I need to make somewhere so they use TLS 1.1 or above?
    N00b here, so I may have the terminology wrong.
    Thanks.


  • RS480M2-IL and 6600GT pciE lockup issue, please help....

    I have an MSI RS480M2-IL motherboard and an eVGA 6600gt  pciE video card and some major problems.
    System Specs:
    eVGA 6600gt  pciE 128mb
    2 WD 320GB SATA drives (not in raid)
    Chaintech 7.1 pci sound card
    A64  3000   939pin  with Artic Cooling Freezer64 cooler
    Forton Source 450W psu (atx 2.0 with more than enough amps and watts)
    512MB corsair value 3200
    512MB mushkin decent memory
    Problem:
    Whenever I play games (battlefield2, gun etc) the system always crashes within 1 hour
    The temperatures never get high; in fact the CPU temp is only a little above idle after gaming for 45 minutes, and the GPU never exceeds 60 degrees.
    What will happen is this:
    The game will be running fine, 40+ fps no lags or anything, then all of the sudden it will freeze and a few seconds of sound will repeat themselves. Sometimes the game comes back within about 20 seconds, but sometimes it does not and the system resets itself. I can sometimes alt+tab back to windows and force quit the game through task manager. When I do this I get an error message telling me that nvdisp driver has quit working and to reset.
    I have tried:
    Using onboard sound (no difference)
    Taking out one stick of memory (no difference except this creates lag in games)
    Many different set of geforce drivers (they all have the same problem)
    Any suggestions would be greatly appreciated. Thank you.

    I know from reading the BF2 forums you are not alone. A lot of people started having probs around the 31st of Oct, apparently after a PB update was pushed out via BF2 server logon. I was having some probs and tried updating all my drivers and BIOS, which is how I found myself here. I could not get my video card to work (ATI 9800 Pro) at all after flashing to 9.2, but after changing a few settings I at least have my video card back. I have not tried BF2 yet; that seems to be the overall test of any component. I am not suggesting you flash your BIOS by any means (more trouble than it may be worth), but your problem may be with PB, at least that is what the conspiracy theorists will preach.
    check this and see what happens...https://forum-en.msi.com/index.php?topic=89456.0, it helped me
    On the forums for BF2, I think at totalBF2.com, there were some potential fixes, but I have not tried any yet as I wiped my system to begin to unscrewing what I had done already. 
    Good luck and let us know what happens....

  • SAP Short Dumps and PCI Compliance

    We've run into an issue with our PCI Compliance audit around being able to see unencrypted credit cards in short dump messages in SAP.  Has anyone run into this issue?
    Only work around I've got at this point is to restrict all access to short dumps and require many documented signoffs before turning on and off access to a short dump.  This is pretty cumbersome, and still leaves a hole in my overall security.
    We've managed to purge restricted CC data from our XI logging, and done everything right with encryption, but this short dump issue just doesn't seem to have a solution.
    Can anyone help?  We're on 6.0.
    Thanks!

    Hi David,
    This is an interesting situation you have described. ABAP short dumps, or run-time errors as they are also known, are unhandled exceptions during program execution. The conditions that cause such exceptions are unknown or cannot be handled at run-time. To help analyze what went wrong with the said program during execution, it is necessary for the dump to contain all possible information, including data values passed between programs when the error occurs. Encryption of restricted data values is a program step in itself. If the dump were to occur after this step then of course it would contain encrypted CC info. Unfortunately in your case it exposes restricted CC info because the dump occurs BEFORE this step.
    I don't believe there is a way to prevent this from happening -- for the same reason that the program logic does not know at run-time how to "handle" the exception. If occurrences of such dumps is fairly common in your system, you may want to investigate the likely causes -- for example, missing or incorrect customization. Analyzing the short dumps will probably give you a clue. Your customization team may be able to identify a pre-condition that causes this unhandled exception. If this exception can then be handled (via a program change) that returns a meaningful error instead of a short dump you would be able to close the security hole. This however entails modification to SAP standard code. I don't usually recommend such changes, but given the sensitive nature of your data it may be worth consideration.
    I personally advocate restricted access to ST22. The steps you have undertaken to enforce this may be cumbersome despite efforts to keep it simple. I suppose that's the price we pay in administering the system. If you have not already done so, you may also want to ensure that short dumps that contain restricted CC info are not saved (using the "Keep" feature in ST22) for easy retrieval at a later point in time, or, if they are saved, that they are available only to 'restricted eyes'. Short dumps are normally saved in the system for 7 or 14 days (not sure of the exact # of days). The bigger challenge in my opinion is: how do you prevent the restricted info from being viewed by the user who, during the course of program/transaction execution, encounters the said short dump? No amount of security controls around ST22 will mitigate this risk. The only option that remains is program change (as mentioned above). But to get there you first need to know what causes the exception.
    Regards.
    Ashutosh

  • Pci compliance for very small biz using mac and ipad

    I run a very SMALL business. We have one MacBook an iPad and an iPhone. We run everything through a second party merchant card processor/software (mindbody). However, according to the PCI compliance survey I just finished, I am supposed to run quarterly internal scans for vulnerabilities. Does antivirus software do this?
    Also, what firewall settings do I need on my mac to be PCI compliant?
    I know this may be a very simple question, but the PCI survey assumes everyone has an IT department with a ton of policies and procedures. Trying to figure out how to be compliant as a super small business without all that infrastructure.

    Anti-virus software would not do PCI vulnerability scanning. You need specialized software to do that. Unfortunately, I cannot recommend specific software. My wife's small business was wrestling with PCI issues some time ago, and they're currently not doing any kind of internal scans. I don't know why not. They do get scanned externally periodically, to look for vulnerabilities in their setup that could allow people outside their network to gain access.
    PCI compliance is a scam anyway. It doesn't prevent the numerous breaches that so many high-profile companies have been facing lately, and you can bet they're dotting their i's and crossing their t's with respect to PCI compliance. They have the budget to do so.
    Your Mac should not need the firewall on. That shouldn't affect PCI compliance, if the Mac is properly configured and does not have any services open in System Preferences -> Sharing.

  • PCI Compliance and sessionid

    A recent scan of an ecommerce site I've developed and hosted on a shared server at CrystalTech has failed a PCI compliance test recently. It previously passed them.
    The report says that sessionids are predictable and therefore insecure. This threatens my relationship with the credit card companies. The good folks at CrystalTech have not been helpful yet.
    Is anyone familiar with this issue or have valuable thoughts?
    Interestingly, Securitymetrics calls it "Allaire Coldfusion".
    Man, are they out of date.

    It's a faulty report. Refer them to the following URL:
    http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=sharedVars_06.html

  • APPLSYSPUB and PCI Compliance

    PCI Compliance documentation requires us to change all vendor-supplied default passwords.
    Oracle says in 'Best Practices for Securing Oracle E-Business Suite' that it recommends that you NOT change the default password for APPLYSYSPUB. (Appendix C).
    So what is a company to do? Do we change it or not?

    If by "logs" you mean the signature events the IPS Sensor generates, then the answer is mostly yes.
    The Sensor has a circular buffer for event storage. It will keep these events until they are overwritten.
    How quickly they are overwritten is a factor of buffer size, event size, packet capture options, etc. (there was a forum thread on this very topic you can search for).
    If you are concerned about keeping event logs, you can install the free IME server and pull events from the sensor. If you are REALLY concerned about getting event logs you can stand up two IME servers (they will cost you some sensor overhead though) and keep them on your host, instead of your sensor. Each sensor can support up to 5 devices (I think) pulling events.
    - Bob

  • PCI Compliance and WorldPay

    Does anyone know where I can find something to confirm the PCI compliance to Level 1 or 2 for BC? That's assuming it has it. Can't integrate WorldPay without it.
    Thanks

    When you say log a case ticket..where? I can't see anyway to do that in the BC admin panel. Help and support just brings up tutorials etc.
    To be honest I'm also concerned that the information I need isn't readily available somewhere on the BC site. Surely I'm not the only person who would like to use BC with WorldPay. Why is the info not available on the BC home page? Nothing comes up with a Google search either, which makes me suspect that BC isn't PCI compliant. If this is the case it's a major blunder on BC's part that needs fixing ASAP.
    Thanks

  • Failing PCI Compliance Scan - SSL Weak...

    Hello,
    I currently use the WRVS4400n v2 (latest update) for my small business. I store and transmit data that contains credit card information and need to be PCI compliant. Regardless of which settings I change on the router, like turning off remote management, I keep failing the scan. ControlScan uses Nessus and the results are below (2 vulnerabilities).
    I did some research and spent some time with Cisco Sales Chat and they recommended an ASA5500, only to realize that it too had the same vulnerabilities. I did more research and it seemed that the SA520w (I need wireless) would do it, but I found a thread on this forum saying that a client who had the SA520w did not pass the scan due to an SSL vulnerability (need v3+ ?). The thread is at https://supportforums.cisco.com/thread./2060512
    Question: What router/appliance should I use to be PCI compliant? There has to be something; we're talking about Cisco here.
    Thank you in advance for your help,
    Christophe
    Threat ID: 126928
    Details:
    IP Address: XX.XXX.X.XXX
    Host: XX.XXX.X.XXX
    Path:
    THREAT REFERENCE
    Summary:
    SSL Weak Cipher Suites Supported
    Risk: High (3)
    Type: Nessus
    Port: 60443
    Protocol: TCP
    Threat ID: 126928
    Information From Target:
    Here is the list of weak SSL ciphers supported by the remote server :
    Low Strength Ciphers (< 56-bit key)
    SSLv2
    EXP-RC2-CBC-MD5            Kx=RSA(512)   Au=RSA     Enc=RC2(40)      Mac=MD5    export    
    EXP-RC4-MD5                Kx=RSA(512)   Au=RSA     Enc=RC4(40)      Mac=MD5    export    
    The fields above are :
    {OpenSSL ciphername}
    Kx={key exchange}
    Au={authentication}
    Enc={symmetric encryption method}
    Mac={message authentication code}
    {export flag}
    Solution:
    Reconfigure the affected application if possible to avoid use of weak ciphers.
    Details:
    The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
    Threat ID: 142873
    Details:
    IP Address: XX.XXX.X.XXX
    Host: XX.XXX.X.XXX
    Path:
    THREAT REFERENCE
    Summary:
    SSL Medium Strength Cipher Suites Supported
    Risk: High (3)
    Type: Nessus
    Port: 60443
    Protocol: TCP
    Threat ID: 142873
    Information From Target:
    Here are the medium strength SSL ciphers supported by the remote server :
    Medium Strength Ciphers (>= 56-bit and < 112-bit key)
    SSLv2
    DES-CBC-MD5                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=MD5   
    SSLv3
    DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1  
    TLSv1
    DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1  
    The fields above are :
    {OpenSSL ciphername}
    Kx={key exchange}
    Au={authentication}
    Enc={symmetric encryption method}
    Mac={message authentication code}
    {export flag}
    Solution:
    Reconfigure the affected application if possible to avoid use of medium strength ciphers.
    Details:
    The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.

    Chris,
    As I understand it, right now none of the Small Business routers are PCI compliant ever since PCI 3.0 was released. How you overcome this: you'll need to forward any ports you are failing on to a ghost IP. Ghost IP = any IP address that isn't being used. If you are using those ports, then you will lose that service, as the router isn't PCI 3.0 compliant.
    Jason
    I do believe the ASA5505 are PCI 3.0 Compliant.
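As an added example (not from this thread, and not ControlScan's or Nessus's own code), here is a small Python parser for the OpenSSL-style cipher listing Nessus prints under "Information From Target", applying the same key-length thresholds the two findings use (below 56 bits is low, 56 to 111 bits is medium) and flagging SSLv2/SSLv3 and export-grade suites. The sample listing is constructed, modelled on the output quoted above with one strong suite added so the classifier has a passing case.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the Nessus output in the post above.
# AES256-SHA is added so that at least one suite passes.
SCAN_OUTPUT = """\
SSLv2
EXP-RC2-CBC-MD5            Kx=RSA(512)   Au=RSA     Enc=RC2(40)      Mac=MD5    export
EXP-RC4-MD5                Kx=RSA(512)   Au=RSA     Enc=RC4(40)      Mac=MD5    export
DES-CBC-MD5                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=MD5
SSLv3
DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1
TLSv1
DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1
AES256-SHA                 Kx=RSA        Au=RSA     Enc=AES(256)     Mac=SHA1
"""

# One cipher line: {name} Kx={kx} Au={au} Enc={alg}({bits}) Mac={mac} [export]
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[A-Za-z0-9-]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)"
    r"(?P<export>\s+export)?$"
)
# Protocol headers that precede each group of suites in the listing.
PROTO_RE = re.compile(r"^(SSLv2|SSLv3|TLSv1(\.\d)?)$")


@dataclass
class Cipher:
    protocol: str
    name: str
    kx: str
    au: str
    enc: str
    bits: int
    mac: str
    export: bool

    def strength(self) -> str:
        # Same key-length thresholds as the two Nessus findings above.
        if self.bits < 56:
            return "low"
        if self.bits < 112:
            return "medium"
        return "strong"


def parse_cipher_listing(text: str) -> List[Cipher]:
    """Parse the 'Information From Target' block into Cipher records."""
    ciphers: List[Cipher] = []
    proto: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PROTO_RE.match(line):
            proto = line          # new protocol section starts
            continue
        m = LINE_RE.match(line)
        if not m or proto is None:
            continue              # explanatory lines ("The fields above are") are skipped
        ciphers.append(Cipher(proto, m["name"], m["kx"], m["au"], m["enc"],
                              int(m["bits"]), m["mac"], bool(m["export"])))
    return ciphers


def summarize(ciphers: List[Cipher]) -> Dict[str, int]:
    """Count suites per strength bucket, as the scanner groups them."""
    counts = {"low": 0, "medium": 0, "strong": 0}
    for c in ciphers:
        counts[c.strength()] += 1
    return counts


def failing_findings(ciphers: List[Cipher]) -> List[Tuple[str, str, str]]:
    """Return (protocol, suite, reason) for every suite a PCI scan would flag."""
    findings = []
    for c in ciphers:
        reasons = []
        if c.protocol in ("SSLv2", "SSLv3"):
            reasons.append(f"{c.protocol} enabled")
        if c.strength() != "strong":
            reasons.append(f"{c.strength()} strength ({c.bits}-bit {c.enc})")
        if c.export:
            reasons.append("export-grade key exchange")
        if reasons:
            findings.append((c.protocol, c.name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    parsed = parse_cipher_listing(SCAN_OUTPUT)
    print(summarize(parsed))
    for proto, name, why in failing_findings(parsed):
        print(f"{proto:6} {name:18} {why}")
```

Feed it the listing from your own scan report, or the output of an offline cipher enumeration of the device, to see which suites must go before the next quarterly scan.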

  • Patching vulnerabilities for PCI compliance

    Hi
    My Apple Profile Manager server has failed a PCI compliance scan, due to the vulnerabilities listed below. The OS and the software are patched to the highest level, but it's still failing.
    What do I need to do to be able to resolve these? If I can't patch them by Thursday, I'll have to shut down the server.
    SSL/TLS use of weak RC4 cipher: CVE-2013-2566
    OpenSSL Multiple Vulnerabilities (OpenSSL Security Advisory 20140806): CVE-2014-3512, CVE-2014-3511, CVE-2014-3510, CVE-2014-3507, CVE-2014-3508, CVE-2014-5139, CVE-2014-3509, CVE-2014-3505, CVE-2014-3506
    Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day: CVE-2007-6750

    If you're running OS X 10.9.2 as your message indicates then you are not patched to the highest level. (By a long way.)
    OS X 10.9.5 plus Security Update 2014-005 would give you all the current patches for Mavericks. If you upgraded to Yosemite and Server.app 4.0 you would get some further updates. (Server 4.0 would have to be purchased although Yosemite aka. OS X 10.10 itself is free.)
    Even with all of those I suspect some of the issues you list will not be patched. In theory you could manually compile and install patches but this is generally a very bad idea as you will then break compatibility with Apple's own software such as the server configuration tool Server.app and likely break Profile Manager completely and if you use it the Wiki module.
    If you want complete control over patching the software then OS X is not going to let you do this without, as mentioned above, severe consequences. Only Linux gives you that level of control. Arguably Windows gives you even less control than OS X, as in Windows it is all closed source (Microsoft) software.

  • Skype Causing PCI Compliance Failure

    Hi,
    As part of my business, I have to undergo PCI Data compliance scans every 3 months. Everything has been okay, but I recently failed a scan, and received this message:
    Description: Skype for Windows < 5.8.0.154 Unspecified Vulnerability (uncredentialed check) Synopsis: The remote Skype install has an unspecified vulnerability. Impact: According to its timestamp, the version of Skype installed on the remote Windows host reportedly has an as-yet unspecified vulnerability.
    The suggested "Resolution" is to 'Upgrade to Skype for Windows 5.8.0.154 or later.'
    I am running Windows on VMware Fusion on my Mac. Initially, I deleted Skype altogether from Windows and updated Skype on my Mac OS X, and still received the same message. So I reinstalled the latest version of Skype for Windows, and STILL received a fail on the scan.
    Is there some way to fix this? It looks like resolving this issue will fix up all the problems I've been having. Any help would be greatly appreciated.

    Hi there ... your post was a long time ago, but wondered if you managed to solve the problem of Skype clients causing PCI compliance to fail?  We are going through the same issues at the moment, all Skype clients updated, yet we are still failing every test.  If you managed to find a fix, would be great to know!  Cheers.

  • PCI compliance scans failed with Sophos UTM

    From one of my training guides

    We have a Sophos UTM and use some RED devices at a few remote offices. We have just completed our quarterly PCI compliance scans and we are failing now due to port 3400 accepting SSL RC4 Cipher Suites. I've opened a ticket with Sophos' support to see if they could provide documentation that this is a false positive or provide some other solution. Their response thus far has been advising us to make a feature request @ feature.astaro.org. Obviously not the response we are looking for.
    My question is: has anyone run into something like this before? How did you address the issue?
    My only thought at this point is to replace the RED devices at the remote offices and utilize another type of VPN. This is not the most desirable option as it means flying someone out to the remote offices and a network restructure. If anyone has some better...
    This topic first appeared in the Spiceworks Community

  • PCI compliance, need to disable SSL version 2

    I'm running OS X 10.7.2 and I recently failed my PCI compliance scan. I was informed that I have SSLv2 and SSLv3 and that I need to disable SSLv2. The company that performs the scan says that they can't help me do it and that I should call my ISP, ATT Uverse. I've done this and spent several hours being bounced around and they don't seem to understand what I'm talking about or how to fix it. So... my question is how can I disable SSLv2?? I'm not very "code" savvy so if you could walk me through the steps that would be very helpful. I really don't want to try tech support with ATT again! TIA

    Launch the Terminal application by entering the first few letters of its name into a Spotlight search. Drag or copy -- do not type -- the following line into the window, then press return:
    launchctl list | sed 1d | awk '!/0x|com\.apple/ {print $3}'
    Post any lines of output that appear below what you entered -- the text, please, not a screenshot.
