Solved

Trustwave PCI scan failed on a Sonicwall TZ200 with the latest firmware

Posted on 2015-01-05
Last Modified: 2015-01-13
We have a client that has a third party (Trustwave PCI) run a vulnerability scan on their WAN address. The router / firewall device is a Sonicwall TZ200 with the latest firmware (SonicOS Enhanced 5.9.0.7-17o). According to the report from Trustwave, the device has an OpenSSL version that is vulnerable to a man-in-the-middle attack. This was "detected" on ports TCP/443 and TCP/9999. The SSL Certificate Public Key is too small as well. The report goes on to further state that the device hosts a web application that transmits login credentials without encryption (TCP/80). I have since disabled the remote management as well as logging in with just HTTP credentials. Please see the attached redacted images for details of the failures.

P.S. - The client uses only one outside IP address. They also do not have a web server, email server or ftp server onsite.
trustwave-asv-report-12-18-14---P4.png
trustwave-asv-report-12-18-14---P12.png
trustwave-asv-report-12-18-14---P13.png
trustwave-asv-report-12-18-14---P14.png
trustwave-asv-report-12-18-14---P15.png
0
Question by:mednet
14 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 40533460
Have you checked with Sonicwall as to their status on the OpenSSL vulnerability?

Is the SSL key the one that came with the device?  If so, then again check with Sonicwall.

If the SSL key is something you purchased, then you need to look at when you can upgrade the key to 2048bit.
0
 

Author Comment

by:mednet
ID: 40533549
According to this site, I have the required firmware version. I will however check with Sonicwall to verify the status of the OpenSSL vulnerability.

Where would I find the SSL key? Is this the same as the SSL VPN Server settings?
0
 
LVL 63

Assisted Solution

by:btan
btan earned 333 total points
ID: 40533551
It is strange that CVE 2014-0224 is flagged for the TZ, as Dell declared otherwise and they have stated this:
Dell SonicWALL firewalls (TZ, NSA, E-Class NSA, SuperMassive) and Global Management System (GMS) are NOT affected by the vulnerabilities.
Note: If you are planning to run a PCI Audit test, you'd better upgrade the firmware to these latest versions (5.9.0.6, 6.1.1.9 and 6.2.0.0) before running the test. If you are running firmware version 5.8.1.15 or any of the lower versions of 5.8, please call technical support to obtain a build which has this change.
https://support.software.dell.com/kb/sw11605

Likewise for the short key length. It should be supporting 2048 bits and above instead of 1024, which newer firmware should already be doing, as stated in https://support.software.dell.com/kb/sw10667

As for sending login info in the clear instead of encrypted, it is suspicious, but it is better to capture from your browser (like Chrome developer mode or the Firefox developer panel) on the access to the login page to see if HTTPS is established even before the login is keyed in... There are also symptoms pertaining to PCI scan certificate issues that will be handy if encountered: https://support.software.dell.com/kb/sw10322
0
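Added example (my own, not code from the thread or from Dell/SonicWALL): a stdlib-only Python check for the key-length finding above. It fetches the certificate a WAN port presents and reports the RSA modulus size against the 2048-bit minimum; the DER walker assumes an RSA SubjectPublicKeyInfo (it does not check the algorithm OID), and `fake_cert()` builds a constructed, unsigned certificate skeleton for offline testing only.

```python
import ssl

PCI_MIN_RSA_BITS = 2048  # the minimum the ASV report is applying

def der(tag, body):
    """Encode one DER TLV (only used to build the constructed test cert)."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def tlv(data, pos):
    """Decode the TLV header at pos -> (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(data, start, end):
    """Yield the TLVs inside a constructed value (SEQUENCE)."""
    pos = start
    while pos < end:
        t = tlv(data, pos)
        yield t
        pos = t[2]

def rsa_modulus_bits(cert_der):
    """RSA modulus size of an X.509 cert; assumes the key is RSA."""
    _, s, e = tlv(cert_der, 0)                        # Certificate
    tbs = next(children(cert_der, s, e))              # tbsCertificate
    fields = list(children(cert_der, tbs[1], tbs[2]))
    if fields[0][0] == 0xA0:                          # optional [0] version
        fields = fields[1:]
    spki = fields[5]   # serial, sigAlg, issuer, validity, subject, SPKI
    bitstr = list(children(cert_der, spki[1], spki[2]))[1]
    _, ks, ke = tlv(cert_der, bitstr[1] + 1)          # skip unused-bits byte
    mod = next(children(cert_der, ks, ke))            # RSAPublicKey.modulus
    return int.from_bytes(cert_der[mod[1]:mod[2]], "big").bit_length()

def fetch_cert_der(host, port=443):
    """Grab the cert a WAN port presents (self-signed device certs included)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

def fake_cert(modulus_bytes):
    """Constructed, unsigned certificate skeleton for offline testing only."""
    rsa = der(0x30, der(0x02, modulus_bytes) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    spki = der(0x30, alg + der(0x03, b"\x00" + rsa))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, b"") * 4 + spki)            # empty names/validity
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
```

Against a live device, `rsa_modulus_bits(fetch_cert_der("x.x.x.x", 443)) < PCI_MIN_RSA_BITS` reproduces the scanner's verdict without waiting for a rescan.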
 
LVL 63

Expert Comment

by:btan
ID: 40533559
If the TZ is doing SSL termination fronting the website, then likely it is serving the SSL server cert on behalf of the web server; else it should be transparent passthrough to the web server. I doubt the PCI scan is via the SSL VPN channel unless that is really being done: https://support.software.dell.com/kb/sw9053
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 167 total points
ID: 40533574
I would verify that you are running at the level you think.

Is the SSL failure on the TZ200's management interface?

Or, as btan is asking, is it on another host that the TZ200 is performing NAT for?  If it is a host that the TZ200 is NAT'ing for, then you need to get a new/upgraded SSL cert for that host.
0
 

Author Comment

by:mednet
ID: 40533657
I reviewed the link provided by btan and have included the firmware version of the Sonicwall. It appears that the version is up to par with the article. Also since the client is not running a website I would think SSL termination should not be an issue.

However while typing this response, I failed to mention that the firewall has a rule that allows remote access to the ESXi server (this is to allow us to monitor the server). Thanks to giltjr's and btan's post I realized this may be the reason behind the PCI Scan issue. Reviewed the firewall rules and found that TCP/9999 is pointing to the ESXi server which is running ESXi version 5.1. This needs to be upgraded to the latest version of ESX. This is possibly the cause for the scanning failure. I'll update this thread accordingly.
0
 
LVL 63

Expert Comment

by:btan
ID: 40534717
Thanks, keep us posted. With regards to CVE 2014-0224, you can find more here; the VMware patch for 5.1 is ESXi510-201406401-SG.
2014-06-17 VMSA-2014-0006.2
Updated security advisory in conjunction with the release of ESXi 5.1 updates, VDDK 5.5.2, 5.1.3, and 5.0.4 on 2014-06-17
@ http://www.vmware.com/security/advisories/VMSA-2014-0006.html
0
 

Author Comment

by:mednet
ID: 40536809
OK, so here's an update. I used GRC Shields Up to test the following:

1. Disabled any RDP access to anything internally.
2. Reconfigured web access to the Sonicwall. (Disabled WAN access - Remote Management, Changed the port from 80 / 443 to port 8080 / 4443)

As a result, GRC reported that ports 80 and 443 were now in "stealth" mode. Port 3389 (RDP Sessions) was also in "stealth" mode.

Resubmitted a Trustwave PCI scan and the results were still failing. It still claims that ports 80 and 443 are still passing login information. Not sure where to go from here. We are in the process of quoting the client a replacement device (Watchguard XTM33) so maybe this will no longer be an issue. I'll update the thread as soon as I find out something.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 40537003
From the Internet, try accessing:

http://x.x.x.x/auth1.html
http://x.x.x.x/auth.cgi

Where x.x.x.x is any and all public IP addresses within your public IP address range.

If the only thing you have listening on port 80 is the management interface for the firewall, I would suggest you disable http for management.
0
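Added example (my own, not code from the thread): a stdlib Python self-check for the finding that is still failing, built around the paths giltjr lists. It fetches each path on the ports the report named and classifies the answer the way the ASV does: a password form served over cleartext HTTP fails, a redirect to HTTPS before any form is fine. The sample responses are constructed, and treating tcp/9999 as TLS is an assumption based on the report flagging OpenSSL there.

```python
import re
import ssl
from http.client import HTTPConnection, HTTPSConnection, HTTPException

# SonicOS management paths giltjr lists, plus the root page
LOGIN_PATHS = ("/", "/auth1.html", "/auth.cgi")
PASSWORD_FIELD = re.compile(r"<input[^>]*type\s*=\s*[\"']?password", re.I)

def classify(port, tls, status, headers, body):
    """Decide what one HTTP response means for PCI Req. 2.3 (headers: any case)."""
    h = {k.lower(): v for k, v in headers.items()}
    has_form = bool(PASSWORD_FIELD.search(body))
    if tls:
        return ("ok", f"tcp/{port}: login form only over TLS" if has_form
                else f"tcp/{port}: TLS, no login form")
    if 300 <= status < 400 and h.get("location", "").lower().startswith("https://"):
        return "ok", f"tcp/{port}: cleartext request redirected to HTTPS before any form"
    if has_form:
        return "fail", f"tcp/{port}: password form served over cleartext HTTP"
    return "warn", f"tcp/{port}: cleartext HTTP answered ({status}) with no login form"

def probe(host, port, tls, path, timeout=5):
    """Fetch one path and classify it; device certs are usually self-signed, so verification is off here."""
    if tls:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        r = conn.getresponse()
        body = r.read(65536).decode("utf-8", "replace")
        return classify(port, tls, r.status, dict(r.getheaders()), body)
    except (OSError, HTTPException) as e:   # refused, filtered or not HTTP
        return "closed", f"tcp/{port}{path}: {e}"
    finally:
        conn.close()

def scan(host, targets=((80, False), (443, True), (9999, True))):
    """Run the check over the ports the ASV report named."""
    return [probe(host, port, tls, p) for port, tls in targets for p in LOGIN_PATHS]

# Constructed sample responses (not captured from the client's device)
SAMPLE_PLAIN_LOGIN = (200, {"Content-Type": "text/html"},
    '<form method="post" action="/auth.cgi"><input name="user">'
    '<input type="password" name="pw"></form>')
SAMPLE_REDIRECT = (302, {"Location": "https://x.x.x.x/auth1.html"}, "")
```

`scan("x.x.x.x")` from outside the network gives a per-port verdict; a "closed" on every path for tcp/80 and tcp/443 means the firewall itself no longer exposes the login page, and a remaining "fail" points at whatever host the port is forwarded to.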
 
LVL 63

Expert Comment

by:btan
ID: 40537098
Agree, port 80 is clear traffic and not recommended for management; in fact by default the Sonicwall should not have it in the default configuration if it is in a hardened state (below is one PDF on configurations based on PCI requirements). Minimally, it is HTTPS, or even via RADIUS for user authentication prior to management portal access. There is a past PCI compliance paper for Sonicwall, and in Requirement 2.3 (below) it states this for compliance:
Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for web-based management and other non-console administrative access.
http://www.sonicwall.com/us/shared/download/SonicWALL-PCI-Implementation-Guide-for-SonicOS-Enhanced.pdf

Also, I understand that Sonicwall has "Detection Prevention" configuration like "Enable Stealth Mode" and "Randomize IP ID" which we can enable (if not done so). It may not directly be for the management interface:
http://help.mysonicwall.com/sw/eng/281/ui1/6600/Access/Services.htm
0
 
LVL 25

Expert Comment

by:Diverse IT
ID: 40539074
To further emphasize the point @btan made: setting up a SonicWALL with Enable Stealth Mode & Randomize IP ID is a must. In fact I'm not sure why they don't come straight from the factory like this.

All of our firewalls (all SonicWALLs TZs to NSAs) are currently passing the same tests. Have you given a call to SonicWALL yet?
0
 

Author Comment

by:mednet
ID: 40544348
Update:
I was not able to access the firewall using the addresses that were provided by giltjr. So that lets me know that the remote management feature is turned off. I did enable Randomize IP ID as well as Stealth Mode within the firewall.

Diverseit - I have not called Sonicwall due to the fact that the unit is out of warranty. The client is willing to consider upgrading to the Watchguard unit.

Btan - we are still needing to do the patch to ESXi 5.5 but since we have disabled the remote access this is no longer an issue at the moment.

Not real sure if I need to keep this thread open until after we have installed the Watchguard or not. Please advise.
0
 
LVL 63

Accepted Solution

by:btan
btan earned 333 total points
ID: 40544368
Even if remote admin is disabled per se, the vulnerability still exists, and it is always best (if possible w/o impact) to upgrade to patch the "holes" when the principal has declared it is affected. We cannot live in a false sense of security - not seeing it makes it tougher but not impossible to exploit. Balance the risk of exposure and business needs... minimally the hardened state must stand fortified.

If you see your queries are addressed at least in the Sonicwall context, you can close as deemed fit. Subsequent new questions can be created on the new environment or issues faced. I respect your decision.
0
 

Author Closing Comment

by:mednet
ID: 40547767
Closing the thread because the issue was partially resolved. Trustwave PCI was still detecting ports TCP/80 and TCP/443 being open even after having the remote management services disabled. The client has agreed to replace the Sonicwall with a new Watchguard firewall appliance.

Splitting the points between btan and giltjr.

Thanks for your assistance on this issue.
0
