The Community Forums


Irresolvable PCI scan failure???

Discussion in 'General Discussion' started by jols, Oct 6, 2010.

  1. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    One of our hosted members just approached us with this failure. I am working with a tech at ThePlanet to come up with a response for this one, but it seems that every server that is on a public network is going to get this failure:

    --------------------------------
    Description: TCP reset using approximate sequence number
    Severity: Potential Problem
    CVE: CVE-2004-0230
    Impact: A remote attacker could cause a denial of service on systems which rely upon persistent TCP connections.
    Background: The Transmission Control Protocol (TCP) is the protocol used by services such as telnet, ftp, and smtp to establish a connection between a client and a server. Every TCP packet includes a sequence number in the header to ensure that all packets are received at the destination and re-assembled in the correct order. The sequence numbering begins with an initial sequence number which is chosen by the server and sent to the client when the connection is established. Thus, sequence numbers also help to verify the identity of the client, since only the intended client has knowledge of the initial sequence number. The Border Gateway Protocol (BGP) is a TCP protocol used by routers to exchange routing information. It is primarily used by Internet service providers.
    Resolution: To correct this problem on Cisco devices, apply one of the fixes referenced in the Cisco security advisories for [http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml] IOS and [http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml] non-IOS operating systems. Refer to US-CERT Vulnerability Note VU#415294 and [http://www.uniras.gov.uk/niscc/docs/re-20040420-00391.pdf?lang=en] NISSC vulnerability advisory 236929 for other vendor fixes. If a fix is not available, this problem can be worked around by using a secure protocol such as [http://rfc.net/rfc2411.html] IPsec, or by filtering incoming connections to services such as BGP which rely on persistent TCP connections at the firewall, such that only allowed addresses may reach them.
    Vulnerability Details: Service: tcp sent spoofed RST packet, received RST packet
    --------------------------------

    So far, this is the only response I have received from our data center about this one:

    "This server is on a public network and not behind any dedicated router nor gateway. As it is a public network, it does have BGP traffic passing across the links. Feel free to update if you have other questions."

    So, what now? No way to ever get past a PCI scan ever again or what?
     
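Added example, not from this thread or from cPanel: a Python model of the receiver-side decision the CVE-2004-0230 finding above is about, contrasting the classic RFC 793 rule (any RST inside the receive window tears the connection down) with the RFC 5961 hardening (only an exact-match RST resets; an in-window but inexact one draws a challenge ACK). The sequence numbers and window sizes are constructed values.

```python
# Added example: how a TCP endpoint decides whether an incoming RST is honoured.
# CVE-2004-0230 describes the RFC 793 behaviour, where a RST whose sequence
# number lands anywhere in the receive window is accepted. RFC 5961 section 3.2
# narrows that to an exact match and answers near misses with a challenge ACK.

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def rst_action_legacy(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 793: an in-window RST resets the connection (the flagged behaviour)."""
    return "reset" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def rst_action_rfc5961(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 5961: reset only on exact match; challenge ACK if merely in window,
    so a legitimate peer can resend its RST with the exact number; else drop."""
    if seq == rcv_nxt:
        return "reset"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def seq_space_to_cover(rcv_wnd: int, hardened: bool) -> int:
    """Distinct sequence values needed to cover the whole 32-bit space:
    one per window under RFC 793, one per sequence number under RFC 5961.
    Shows why large windows made the legacy behaviour a practical concern."""
    return MOD if hardened else -(-MOD // rcv_wnd)  # ceiling division


if __name__ == "__main__":
    # Constructed scenario: receiver expects 1_000_000 with a 64 KiB window,
    # and a RST arrives 1000 bytes ahead of that.
    rcv_nxt, rcv_wnd, rst_seq = 1_000_000, 65536, 1_001_000
    print("RFC 793   :", rst_action_legacy(rst_seq, rcv_nxt, rcv_wnd))
    print("RFC 5961  :", rst_action_rfc5961(rst_seq, rcv_nxt, rcv_wnd))
    print("legacy space to cover :", seq_space_to_cover(rcv_wnd, False))
    print("hardened space to cover:", seq_space_to_cover(rcv_wnd, True))
```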
  2. procam

    procam Well-Known Member

    Joined:
    Nov 24, 2003
    Messages:
    123
    Likes Received:
    0
    Trophy Points:
    16
    I just discussed this with SecurityMetrics and they are aware of this and describe it as a problem, but yet a false positive. Here is the letter they sent me concerning the failure.

    The vulnerability that you are currently failing for is being researched
    by our development team. There is a possibility that it is a false
    positive. We will have results to you regarding the vulnerability by
    next week. We will be creating a list of email addresses for the
    accounts that are failing and sending out a mass email when there is
    more information.

    In the meantime, thank you for your patience and feel free to forward
    this correspondence to your merchant bank. You will need to speak with
    them regarding any possible penalties or deadlines for non-compliance.

    Regards,

    --
    Isaac P
    SecurityMetrics
    Technical Support
     
  3. procam

    procam Well-Known Member

    Joined:
    Nov 24, 2003
    Messages:
    123
    Likes Received:
    0
    Trophy Points:
    16
    So, long story short: if you are using SecurityMetrics and you haven't already failed a scan, DON'T manually start a scan. Wait till a resolution is in place, and you would do well to call them and get on that mailing list if you have already failed, so you get the info ASAP.
     
  4. sirdopes

    sirdopes Well-Known Member
    PartnerNOC

    Joined:
    Sep 25, 2007
    Messages:
    141
    Likes Received:
    0
    Trophy Points:
    16