PCI scan failed due to Beast exploit on port 443 and 10442
We had a PCI scan done and they checked the IP of the firewall and comes back with problems with port 443 and 10443 (SSL VPN) and the remidition is:
Affected users should disable all block-based cipher
suites in the server's SSL configuration and only support
RC4 ciphers, which are not vulnerable to fully address
this vulnerability. This vulnerability was addressed in
TLS version 1.1/1.2, however, support for these newer
TLS versions is not widely supported at the time of this
writing, making it difficult to disable earlier versions.
Additionally, affected users can also configure SSL to
prefer RC4 ciphers over block-based ciphers to limit, but
not eliminate, exposure. Affected users that implement
prioritization techniques for mitigation as described
above should appeal this vulnerability and include
details of the SSL configuration.
I have Fortigate 80CM and don't see where I can change that. I have disabled HTTPS mgmt on the interface and disabled SSL VPN so that should take care of this. However if I NMAP on those two ports it still shows as filtered unknown or udp open
PORT STATE SERVICE VERSION
10443/tcp filtered unknown
10443/udp open|filtered unknown
Too many fingerprints match this host to give specific OS details
I also created a firewall rule to block traffic from any to that WAN IP on port 10443 and 443 and still shows as filtered
Or is there a way to change to RC4 encryption so Trustwave's PCI scan doesn't find that vulnerability?
Affected users should disable all block-based cipher
suites in the server's SSL configuration and only support
RC4 ciphers, which are not vulnerable to fully address
this vulnerability. This vulnerability was addressed in
TLS version 1.1/1.2, however, support for these newer
TLS versions is not widely supported at the time of this
writing, making it difficult to disable earlier versions.
Additionally, affected users can also configure SSL to
prefer RC4 ciphers over block-based ciphers to limit, but
not eliminate, exposure. Affected users that implement
prioritization techniques for mitigation as described
above should appeal this vulnerability and include
details of the SSL configuration.
I have Fortigate 80CM and don't see where I can change that. I have disabled HTTPS mgmt on the interface and disabled SSL VPN so that should take care of this. However if I NMAP on those two ports it still shows as filtered unknown or udp open
PORT STATE SERVICE VERSION
10443/tcp filtered unknown
10443/udp open|filtered unknown
Too many fingerprints match this host to give specific OS details
I also created a firewall rule to block traffic from any to that WAN IP on port 10443 and 443 and still shows as filtered
Or is there a way to change to RC4 encryption so Trustwave's PCI scan doesn't find that vulnerability?
Have you tried filing an exception showing screenshots of the service disabled and FW rule denying traffic to those ports?
ASKER
I will do that after running a new scan, should be done soon
I've come to learn that I can't make EVERY vulnerability disappear from scan reports. So if I've exhausted all my resources, I file an exception with supporting documentation.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
new scan PASSSed, looks like what I did prevents the exploits