PCI+ Scan Issues

Jason Lee Hayes

• March 11, 2023 14:46

I'm getting 4 vulnerabilities with my scan: 1. Information gathering e: FTP on TCP port 21. CVSS Base Score4.3- AV:N/AC:M/Au:N/C:P/I:N/A:NCVSS Temporal Score3.3- E:U/RL:W/RC:URSeverity3CategoryInformation gatheringCVE IDVendor ReferenceBugtraq IDDate UpdatedJul 1, 2021ThreatA remote management service that accepts unencrypted credentials was detected on the target host. Services like FTP with basic auth are checked. ImpactNASolutionIf possible, use alternate services that provide encryption. Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission. 2. Server Not Responding: The Web server stopped responding to 3 consecutive connection attempts and/or more than 3 consecutive HTTP / HTTPS requests. Consequently, the service aborted testing for HTTP / HTTPS vulnerabilities. The vulnerabilities already detected are still posted. For more details about this QID, please review the following Qualys KB article: Impact The service was unable to complete testing for HTTP / HTTPS vulnerabilities since the Web server stopped responding. Solution Check the Web server status. If the Web server was crashed during the scan, please restart the server, report the incident to Customer Support and stop scanning the Web server until the issue is resolved. If the Web server is unable to process multiple concurrent HTTP / HTTPS requests, please lower the scan harshness level and launch another scan. If this vulnerability continues to be reported, please contact Customer Support. 3. Server Not Responding Port 25 The service/daemon listening on the port shown stopped responding to TCP connection attempts during the scan. For more details about this QID, please review the following Qualys KB article: Impact The service/daemon is vulnerable to a denial of service attack. Solution This QID can be posted for a number of reasons (e.g., service crash, bandwidth utilization, or a device with IPS-like behavior). If the service has crashed, report the incident to Customer Support or your QualysGuard re-seller, and stop scanning the service's listening port until the issue is resolved. If the issue is bandwidth related, modify the Qualys performance settings to lower the scan impact. If you do not find any service/daemon listening on this port, it may be a dynamic port and you may ignore this report. This is posted as a PCI fail since the service stopped responding. Further checks were not launched for that service and therefore the PCI assessment was incomplete. 4. Server Not Responding Port 443 The Web server stopped responding to 3 consecutive connection attempts and/or more than 3 consecutive HTTP / HTTPS requests. Consequently, the service aborted testing for HTTP / HTTPS vulnerabilities. The vulnerabilities already detected are still posted. For more details about this QID, please review the following Qualys KB article: Impact The service was unable to complete testing for HTTP / HTTPS vulnerabilities since the Web server stopped responding. Solution Check the Web server status. If the Web server was crashed during the scan, please restart the server, report the incident to Customer Support and stop scanning the Web server until the issue is resolved. If the Web server is unable to process multiple concurrent HTTP / HTTPS requests, please lower the scan harshness level and launch another scan. If this vulnerability continues to be reported, please contact Customer Support. Any ideas how to make these four issues PCI Compliant for my PCI+ scan?

• 

  ffeingol

  • March 12, 2023 02:34

  Are you running CPHULK or CSF/LFD? It looks like the scan was blocked after it started. If so, you'll prob. need to whitelist/ignore the scan IP's so they can do a full scan without being blocked.

  0
• 

  cPRex Jurassic Moderator

  • March 13, 2023 07:34

  I agree with @ffeingol - it looks like your server is more secure than the scanning tool wants, which, in my opinion, should just let you pass :D Whitelisting their IPs would help with issues 2-4. For issue 1, I'm not completely sure how they are testing, so it might be good to ask them for more details on that. They could just be saying "plain FTP is inherently insecure and we'd like to see that turned off," but I can't tell from that particular wording.

  0
• 

  Jason Lee Hayes

  • March 18, 2023 01:46

  I'm not using CPHULK, but I am using CSF/LFD. I'll try to find out how to whitelist them. Not sure if the scanner their using has an IP in the documentation. It certainly didn't ask to whitelist an IP before running the scan. That's what i was thinking about plain ftp, too. What sucks is they'll charge an extra $50/month for being non-compliant. I'm just designing the website. Didn't realize it would be this much work.

  0
• 

  Jason Lee Hayes

  • March 18, 2023 01:54

  I found the IP's to whitelist. I quick allowed them and am re-running the scan. Hopefully on the ftp issue will fail.

  0
• 

  ffeingol

  • March 18, 2023 02:23

  Don't allow them. You want to put them into /etc/csf/csf.ignore (which will ignore and not block them). If you put them into the allow list they can see everything on the server (even stuff you have firewalled off).

  0

Please sign in to leave a comment.