Vulnerability & Compliance Scanning 10 & 11G

Similar Messages

• Compliance scan fails

  I have SCVMM 2012 R2 running on Windows Server 2012 R2; the host servers are 2012 R2 as well.  I have established a baseline and done compliance scans without issue in the past.  However, I have now added additional items into the baseline and
  now, after a long timeout period, get the following when I try to do a compliance scan on any host.
  Error (2931)
  VMM is unable to complete the request. The connection to the VMM agent on the virtualization server (host.domain.com) was lost.
  Unknown error (0x80338029)
  Recommended Action
  Ensure that the Windows Remote Management (WS-Management) service and the VMM agent are installed and running and that a firewall is not blocking HTTPS traffic.
  This can also happen due to DNS issues. Try and see if the server (host.domain.com) is reachable over the network and can be looked up in DNS. You can ping the virtualization server from VMM management server and make sure that the IP address returned
  matches the IP address locally obtained from the virtualization server.
  If the error still persists, restart the virtualization server, and then try the operation again.
  The firewall is disabled on the SCVMM server and the host servers.  I have verified there are no DNS issues and that WS-Management is running.  I have rebooted all servers.  I have even removed the baseline and created an entirely
  new baseline, but always get the same error.  Anyone seen this issue?

  Hi Kristian,
  Yes, UR1 and the SQL script have both been applied.
  Yes, Hyper-V Management Server Service has been restarted (indeed the host itself has been restarted), to no avail. Other hosts in the same cluster work OK..
  When I enable and run tracing, this is the last message when it fails
  [2]1284.28C4::?2014?-?04?-?13 15:03:11.414 [Microsoft-VirtualMachineManager-Debug]4,4,WsmanAPIWrapper.cs,3426,Exception [System.Runtime.InteropServices.COMException (0x80338029): The WS-Management service cannot complete the operation within the time specified
  in OperationTimeout.       at WSManAutomation.IWSManSession.Invoke(String actionUri, Object resourceUri, String parameters, Int32 flags)     at Microsoft.Carmine.WSManWrappers.MyIWSManSession.Invoke(String
  actionUri, Object resourceUri, String parameters, Int32 flags)     at Microsoft.Carmine.WSManWrappers.WsmanAPIWrapper.Invoke(String actionUri, WSManUri targetUri, Hashtable parameters, Type returnType, Boolean isCarmineMethod, Boolean forceResponseCast)]
  while retrieving underlying WMI error to throw. Got string "<f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150858793" Machine="myserver-01.mydomain.com"><f:Message>The
  WS-Management service cannot complete the operation within the time specified in OperationTimeout.  </f:Message></f:WSManFault>",{00000000-0000-0000-0000-000000000000}
  I've checked WS-MAN config and comms on and between VMM and the Host and all seems to be OK.
  Many thanks,
  Dave

• PCI compliance scans failed with Sophos UTM

  From one of my training guides

  We have a Sophos UTM and use some RED devices at a few remote offices. We have just completed our quarterly PCI compliance scans and we are failing now due to port 3400 accepting SSL RC4 Cipher Suites. I've opened a ticket with Sophos' support to see if they could provide documentation that this is a false positive or provide some other solution. Their response thus far has been advising us to make a feature request @ feature.astaro.org. Obviously not the response we are looking for.My question is has anyone run into something like this before? How did you address the issue?My only thought at this point is to replace the RED devices at the remote offices and utilize another type of vpn. This is not the most desirable option as it means flying someone out to the remote offices and a network restructure. If anyone has some better...
  This topic first appeared in the Spiceworks Community

• Upgrade firmware for PCI compliance scan

  I have a WRT54G ver. 5 wireless router running ver. 1.02.0 firmware. I'm anticipating a PCI compliance scan which my bank requires since I transmit credit card numbers from here for my online business. I'm wondering if I should upgrade to the latest firmware version (1.02.6) before the scan. The router is working fine and I'm a great believer in not fixing things if they aren't broken. Does the upgrade make security improvements (which I should have) or just fix problems (which I don't have)?

  If the router is upgraded with latest firmware...it resolve many problem.So if you get some time you may upgrade the firmare . 

• ISA500 series PCI compliance scans

  We have a single customer who's having a problem with their credit card PCI vendor, First Data, scanning their ISA550W running 1.2.15.  Of all my customers with an ISA500 series device, this is the only customer who has had a PCI vendor tell them they cannot run their scans and that they must whitelist an entire /24 to allow the scans to continue.  The only open port is an encrypted remote support port and there are no other ACLs in place to block anything other than the defaults that ship with the ISA.  Anyone have any ideas why the First Data would have a problem with the ISA550W?

  Thanks for your reply.  First Data http://biz.yahoo.com/ic/14/14441.html well, what can you say, they're big bully and in this case you have to love what ended up being the problem.  First Data sent this to the customer:
  This is an automated email to notify you that a PCI vulnerability scan of the IP  addresses or domains used by CUSTOMER NAME could not be completed. This scan  is included as part of your PCI Rapid Comply services.
  Please confirm  that the following IP addresses or domains are the ones you use for the  transmission of cardholder data. Unless you have paid extra to your Internet  Service Provider to get a "static" IP address, your IP address may have  changed.
  xxx.xxx.xxx.xxx
  Also, please make sure you have added the  following IP addresses to your firewall (and/or IDS/IPS) whitelist:
  38.123.140.0/24 for the duration  of your PCI scan. If another department within your organization (or a vendor)  manages your firewall and IDS/IPS, please make them aware of this scan and  request that the above IP addresses are temporarily added to the  whitelist.
  You need to have a passing PCI scan to be compliant.  Therefore, once you have confirmed that the target hosts are correct and that  your firewall and IDS/IPS whitelist allows access by 38.123.140.0/24, please schedule  another PCI scan of the networks used to process, transmit, or store cardholder  data.
  Thank you,
  First Data PCI Rapid Comply Support Team
  [email protected]
  As you stated, what these fools don't seem to get is by whitelisting their IPs any outside network scans (this isn't done by an internal software scanner but from their remote network) becomes moot.  I tried explaining to their trained monkey that the proper behavior for a firewall that detects remote scans is to block those scans.  The guy kep reading to me off his 3"x5" index card (I'm sure it wasn't a card, but you get my drift).  He clearly had never even seen a firewall let alone managed a network.
  After a couple hours of bouncing around inside First Data and shaking limbs, my customer got a call back from their account rep who stated that they were totally PCI compliant and that the e-mail was BOGUS!  The e-mail was sent out just after 10AM Sunday, 23 June 2013 and we were notified 24 hours later.  So 26 hours later this company who prides itself on being one of the biggest CC processing companies out there is too lazy to send a follow-up e-mail admitting they sent out false notifications wasting their customers' time and mine.  I asked their media rep who called me back about 3 hours after I got the call from the customer, "who gets the bill for my time?"  She had no answer.  Hopefully the lawsuits pending against PCI and CC processors will have a chilling effect on their strong arm tactics and their clueless PCI scans.

• Failing PCI Compliance Scan - SSL Weak...

  Hello,
  I currently use the WRVS4400n v2 (latest update) for my small business. I store and transmit data that contains credit card information and need to be PCI compliant. Regardless of which settings I change on the router, like turning off remote management, I keep failing the scan. ControlScan uses Nessus and the results are below (2 vulnerabilities).
  I did some research and spent some time with Cisco Sales Chat and they recommended a ASA5500 only to realize that it too had the same vulnerabilities. I did more research and it seemed that the SA520w (I need wireless) would do it but I found a thread on this forum saying that a client who had the SA520w did not pass the scan failed due to SSL vulerability (need v3+ ?). The thread is at https://supportforums.cisco.com/thread./2060512
  Question: What router/appliance should I use to be PCI compliant? Three has to be something, we're talking, this is Cisco.
  Thank you in advance for your help,
  Christophe
  Threat ID: 126928
  Details:
  IP Address: XX.XXX.X.XXX
  Host: XX.XXX.X.XXX
  Path:
  THREAT REFERENCE
  Summary:
  SSL Weak Cipher Suites Supported
  Risk: High (3)
  Type: Nessus
  Port: 60443
  Protocol: TCP
  Threat ID: 126928
  Information From Target:
  Here is the list of weak SSL ciphers supported by the remote server :
  Low Strength Ciphers (< 56-bit key)
  SSLv2
  EXP-RC2-CBC-MD5            Kx=RSA(512)   Au=RSA     Enc=RC2(40)      Mac=MD5    export    
  EXP-RC4-MD5                Kx=RSA(512)   Au=RSA     Enc=RC4(40)      Mac=MD5    export    
  The fields above are :
  {OpenSSL ciphername}
  Kx={key exchange}
  Au={authentication}
  Enc={symmetric encryption method}
  Mac={message authentication code}
  {export flag}
  Solution:
  Reconfigure the affected application if possible to avoid use of weak
  ciphers.Details:
  The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
  Threat ID: 142873
  Details:
  IP Address: XX.XXX.X.XXX
  Host: XX.XXX.X.XXX
  Path:
  THREAT REFERENCE
  Summary:
  SSL Medium Strength Cipher Suites Supported
  Risk: High (3)
  Type: Nessus
  Port: 60443
  Protocol: TCP
  Threat ID: 142873
  Information From Target:
  Here are the medium strength SSL ciphers supported by the remote server :
  Medium Strength Ciphers (>= 56-bit and < 112-bit key)
  SSLv2
  DES-CBC-MD5                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=MD5   
  SSLv3
  DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1  
  TLSv1
  DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1  
  The fields above are :
  {OpenSSL ciphername}
  Kx={key exchange}
  Au={authentication}
  Enc={symmetric encryption method}
  Mac={message authentication code}
  {export flag}
  Solution:
  Reconfigure the affected application if possible to avoid use of
  medium strength ciphers.Details:
  The remote host  supports the use of SSL ciphers that offer medium strength encryption,  which we currently regard as those with key  lengths at least 56 bits  and less than 112 bits.

  Chris,
  As i understand right now none of the Small Business router are PCI compliance ever since PCI 3.0 was released. How you overcome this; you'll need to forward any ports you are failing on to a ghost IP.. Ghost ip (any ip address that isn 't being used) If you are using those ports , then you will lose that service as the router isn't PCI 3.0 compliant.
  Jason
  I do believe the ASA5505 are PCI 3.0 Compliant.

• Encryption Vulnerability Security SCAN DS

  I created DS instances. While running security scan for Encryption Vulnerability I found out that following ports are supporting weak SSL.
  port 636/tcp over SSL
  port 11163/tcp over SSL
  port 32772/tcp over SSL
  port 3999/tcp over SSL
  port 1636/tcp over SSL
  How to Disable ciphers which support cleartext communication. Or what is fix for this.
  Thanks
  Pramod

  Thanks Fede.
  I looked my dse.ldif file.
  It lloks like this ....
  dn: cn=encryption,cn=config
  objectClass: top
  objectClass: nsEncryptionConfig
  cn: encryption
  nsSSLSessionTimeout: 0
  nsSSLClientAuth: allowed
  nsSSLServerAuth: cert
  nsSSL2: off
  nsSSL3: on
  nsSSL3Ciphers: all
  nsKeyfile: alias/slapd-key3.db
  nsCertfile: alias/slapd-cert8.db
  numSubordinates: 1
  nsSSL2 is already off.
  Thanks
  Pramod

• SCAN RAC 11g

  We have 2 node rac running with 1 databse currently. (XXX) which is running on port 1580 and having a application tier which is running successfully.
  We need to add another database on the same nodes (YYY) but we need to run scan and database listener on port 1590 for ebiz application to talk to it.
  But I suppose in cluster's services we can't have more than 1 scan listener.
  So we propose this.
  We create a new database listener running on port 1590
  Scan listener keep running on 1580
  We clone the database from XXX to YYY and then point local_listener to 1590 and remote listener to scan.
  It will register itself and then on apps side we change the XML to point to Scan listener so it will be like this.
  EBIZ running on port 8069 pointing to database running on 1580.

  Hello all,
  for "+why not simply add a second port to SCAN and db listener?+"
  ... because the fact that you can do that:
  "+srvctl modficy scan_listener -p "1580,1590"+"
  is considered a BUG (10633024), which means the ability to do so will go away in future (11.2.0.3).
  Using SCAN with one TCP port and multiple listeners with respective ports should work just fine, if done right. For more information, see:
  MOS Note 220970.1 – RAC: Frequently Asked Questions - entry: "How to use SCAN and node listeners with different ports?"
  Hope that helps. Thanks,
  Markus

• Rv082 fails PCI compliance test scan

  The rv082 v2 with firmware 2.0.2.01-tm fails PCI compliancy scans for the following vulnerability:
  tcp (tcp/1)
  TCP reset using approximate sequence number
  CVE-2004-0230
  Is there any fix for this?  Configuration change?  Future firmware fix?
  Thanks,
  dr

  Is the self-signed certificate the only certificate on the server? If so, get yourself a certificate from a reliable 3rd-party certificate authority. DigiCert's a good source, and a lot less expensive than others (like VeriSign).
  You're always going to have the self-signed cert on the server, but the only place it will be used is for intra-organizational SMTP sessions.
  --- Rich Matheisen MCSE&I, Exchange MVP

• PCI scan fails, claiming MS10-070 vulnerability

  We have a site running on Azure Websites that's failing a PCI compliance scan by Trustwave because they claim that the server does not have the patches applied for the MS10-070 padding oracle vulnerability.
  Their "evidence" for this is that the resource tokens (query string d values) from webresource.axd and scriptresource.axd calls, when decoded from base64 back to binary, have a block size of 8 bytes (number of bytes in the token is always divisible
  by 8).  Apparently on patched systems the tokens are supposed to end up with something other than an 8-byte block size though I can't find the evidence for claiming this.
  I understand the vulnerability had nothing to do with the length of the tokens but existed because the server would throw an exception and return an error code when fed bad padding data. They are not testing to see if this happens; they're just looking at the
  token length.
  I have these questions:
  1. Is there something from Microsoft that I can give to them to assure them that the Azure Website platform is not running without this critical software patch from 4 years ago? The site is configured to use .NET 4.5.
  2. What is the basis for their test using block length of the token? Can anyone explain why it is or isn't a valid test? I've checked with some in-house Web servers that are definitely patched and they return tokens with 8-byte blocks as well.

  I am getting in touch with Trustwave to figure out how their scanner checks for this patch and will follow up here when we hear from them. FYI, this is not the only one showing a false positive on their scans. (https://social.msdn.microsoft.com/Forums/en-US/75d25599-442b-44b5-a22c-cd2965aa2727/pci-compliance-azure-websites-cve20146321?forum=windowsazurewebsitespreview&prof=required)

• Patching vulnerabilities for PCI compliance

  Hi
  My Apple Profile Manager server has failed a PCI compliance scan, due to the vulnerabilities listed below. The OS and the software are patched to the highest level, but its still failing
  What do i need to do to be able to resolve these? If i can't patch them by Thursday, i'll have to shut down the server
  SSL/TLS use of weak RC4 cipher                                                            CVE-2013-2566         
  OpenSSL Multiple Vulnerabilities (OpenSSL Security Advisory 20140806)    CVE-2014-3512         
                                                                                                                 CVE-2014-3511
                                                                                                                 CVE-2014-3510
                                                                                                                 CVE-2014-3507
                                                                                                                 CVE-2014-3508:
                                                                                                                 CVE-2014-5139:
                                                                                                                 CVE-2014-3509:
                                                                                                                 CVE-2014-3505:
                                                                                                                 CVE-2014-3506
  Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day     CVE-2007-6750

  If your running OS X 10.9.2 as your message indicates then you are not patched to the highest level. (By a long way.)
  OS X 10.9.5 plus Security Update 2014-005 would give you all the current patches for Mavericks. If you upgraded to Yosemite and Server.app 4.0 you would get some further updates. (Server 4.0 would have to be purchased although Yosemite aka. OS X 10.10 itself is free.)
  Even with all of those I suspect some of the issues you list will not be patched. In theory you could manually compile and install patches but this is generally a very bad idea as you will then break compatibility with Apple's own software such as the server configuration tool Server.app and likely break Profile Manager completely and if you use it the Wiki module.
  If you want complete control over patching the software then OS X is not going to let you do this with out as mentioned above severe consequences. Only Linux gives you that level of control. Arguably Windows gives you even less control than OS X as in Windows it is all closed source (Microsoft) software.

• Skype Causing PCI Compliance Failure

  Hi,
  As part of my business, I have to undergo PCI Data compliance scans every 3 months. Everything has been okay, but I recently failed a scan, and received this message:
  Description: Skype for Windows < 5.8.0.154 Unspecified Vulnerability (uncredentialed check) Synopsis: The remote Skype install has an unspecified vulnerability. Impact: According to its timestamp, the version of Skype installed on the remote Windows host reportedly has an as-yet unspecified vulnerability.
  The suggested "Resolution" is to 'Upgrade to Skype for Windows 5.8.0.154 or later.'
  I am running Wndows on VMWare Fusion on my Mac. Initially, I deleted Skype altogether from Windows and updated Skype on my MAC OS X, and still received the same message So I reinstalled the latest version of Skype for Windows, and STILL received a fail on the scan.
  Is there some way to fix this? It looks like resolving this issue will fix up all the problems I've been having. Any help would be greatly appreciated.

  Hi there ... your post was a long time ago, but wondered if you managed to solve the problem of Skype clients causing PCI compliance to fail?  We are going through the same issues at the moment, all Skype clients updated, yet we are still failing every test.  If you managed to find a fix, would be great to know!  Cheers.

• PCI compliance, need to disable SSL version 2

  I'm running OS X 10.7.2 and I recently failed my PCI compliance scan.  I was informed that I have SSLv2 and SSLv3 and that I need to disable SSLv2.  The company that performs the scan says that they can't help me do it and that I should call my ISP, ATT Uverse.  I've done this and spent several hours being bounced around and they don't seem to understand what I'm talking about or how to fix it.  So...my questions is how can I disable SSLv2?? I'm not very "code" savy so if you could walk me throught the steps that would be very helpful.  I really don't wnat to try tech support with ATT again!  TIA

  Launch the Terminal application by entering the first few letters of its name into a Spotlight search. Drag or copy -- do not type -- the following line into the window, then press return:
  launchctl list | sed 1d | awk '!/0x|com\.apple/ {print $3}'
  Post any lines of output that appear below what you entered -- the text, please, not a screenshot.

• Fully patched SBS failiing PCI scan for MS10-070

  I have a fully patched SBS 2011 server that is failing our PCI compliancy scan due to MS10-070. I am not sure how to clear this issue as it appears I have applied all patches to date. All help is appreciated.

  I too am having this very same problem with an SBS 2011 and a Trustwave PCI Scan. Same scan failure, MS10-070.
  I do not have .NET 4.5 installed either.
  According to ASoft .NET Version Detector, I have the following:
  <32Bit>
  2.0.50727.5737
    ->C:\Windows\Microsoft.NET\Framework\v2.0.50727
  4.0.30319.296
    ->C:\Windows\Microsoft.NET\Framework\v4.0.30319
  <64Bit>
  2.0.50727.5737
    ->C:\Windows\Microsoft.NET\Framework64\v2.0.50727
  4.0.30319.296
    ->C:\Windows\Microsoft.NET\Framework64\v4.0.30319
  < Installed .NET Frameworks >
  .NET FW 2.0 SP 2 (CLR:2.0)
  .NET FW 3.0 SP 2 (CLR:2.0)
  .NET FW 3.5 SP 1 (CLR:2.0)
  .NET FW 4.0 Client (CLR:4.0)
  .NET FW 4.0 Full (CLR:4.0)
  The "evidence" listed by trust wave is as follows:
  https://xx.xx.xx.xxx/Remote/ScriptResource.axd?d=lXZlKIAaV2DQCh8KTxGhBga0MRSGLTRT9DSz8blSZp-D_-ZPudrzAKWqHdY35UWsutw3Ntl-4wvao6MPLFScquOdB1ltjYYHOqxwXXy4-cMH0botA64x54vVSrQvbWfqeeqj1b7G7AQhZLaT-GYmx1N5BV60glFQdELeLVBMDvHtrJqdKd8_uVn0Dbduk18U0&t=ffffffff940d030f
  https://xx.xx.xx.xxx/Remote/ScriptResource.axd?d=p6YZ1NuXPX8YwTxRRD40xEKpXBuPB3YUgQ3hjNGQxb_5tTy2dU9nG0cHEomkwkiNf4PP8G6eTLYZjXf70cl8npvIQIjbTj1Gi4nA5G5YYhpWctDt3JQRY9yZV6x9RNeD2_PoFyDJ8BBhYAlkHyfqLGzUUYBmdjuVdkzZFPoZMXQ1&t=ffffffff940d030f
  https://xx.xx.xx.xxx/Remote/WebResource.axd?d=exxOBoRssUcc64ztYfy_H0dLRaK691IwOZsT_ZgvH1h4puvZrQFRDaop4RO9S8crNjGUdI2DJaltVrI6S1kcTPACO-elHaY3hv-EIlFENLU1&t=634955083192463937
  When I click on the links of the evidence, I get a page returned full of text. The evidence seems like it is real and not a false positive being that I do get a return. All of my Windows Updates are current, so I really don't know where to go with this.

• Difference between Scan Listener and Node listener

  Hi,
  I read the concept of SCAN in 11g R2 Grid Infrastructure. In that i come accross the below statements
  " 3 SCAN IP's and 3 SCAN Listeners will be up in the Cluster even if onlu ONE NODE IS UP with Clusterware active. This is BECAUSE SCAN listeners are not like NODE LISTENERS; they simply reroute connections so they do not need an instance to be available beneath them to make a database connections".
  Could some one please explan me the difference between Scan Listener and Node listener?
  Thanks in advance.
  Regards,
  Stephen

  The SCAN listener is the new feature in 11g. RAC in 9i and 10g had only node listeners. In earlier releases, the clients had to know each of the node listeners and define load balancing / failover between the node listener.
  Each node in the RAC cluster has a TNS Listener listening on the VIP.
  The SCAN is a single cluster-wide listener (although actually running as three separate processes, one on each node).. The client now needs to know only the SCAN listener. It does not need information of the node listeners to be maintained in the client-side tnsnames.ora file. SCAN allows for automatic load balancing as the client is directed to the nodes that are "up and able to take new connections" only. Also, as new nodes are added to the cluster, SCAN keeps track of them, the client tnsnames.ora does not need to be updated for new nodes.
  Hemant K Chitale