OpenBSD httpd: PCI - DSS Compliance


OpenBSD httpd: PCI - DSS Compliance

Kihaguru Gathura-2
Hi,

The message below refers. Has httpd met the particular requirement
6.5.1 - 6.5.10 as shown? Or is it a matter of further configuration?

"Requirement 6.5
Fingerprinted versions of web software used on the website may contain
publicly known vulnerabilities (cf. PCI DSS 6.5.1-6.5.10). Investigate
as soon as possible.
Misconfiguration or weakness"

actual report here:

https://www.htbridge.com/websec/?id=cGZfIatq

Thanks,

Kihaguru.


Re: OpenBSD httpd: PCI - DSS Compliance

Janne Johansson-3
I think that point was badly made by the site, they don't list what they
did look at or how they deduced it, only that "it may" even though that
same report later says no version string was sent as if that was a good
thing. I guess this means "because you did as expected and did not send a
version, we think it may be super old and could be bad but we can't tell".

I did not sign up to get a more detailed report, but from what I could see
it was kind of a blunt report sweeping in broad terms, as presented.

I'm sure PCI auditors would be glad to spend a lot of your money to look at
the version and file a report taking days to write about how it actually
seems ok, for now. 8-(


On Wed 10 Apr 2019 at 09:20, Kihaguru Gathura <[hidden email]> wrote:

> Hi,
>
> The message below refers. Has httpd met the particular requirement
> 6.5.1 - 6.5.10 as shown? Or is it a matter of further configuration?
>
> "Requirement 6.5
> Fingerprinted versions of web software used on the website may contain
> publicly known vulnerabilities (cf. PCI DSS 6.5.1-6.5.10). Investigate
> as soon as possible.
> Misconfiguration or weakness"
>
> actual report here:
>
> https://www.htbridge.com/websec/?id=cGZfIatq
>
> Thanks,
>
> Kihaguru.
>
>

--
May the most significant bit of your life be positive.
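Janne's point above is that the scanner flagged the site precisely because httpd sends no version string. The following is an added example, not code from the thread or from the httpd project, that checks a captured response for version disclosure in the headers scanners usually fingerprint; the two sample responses are constructed, not captured from any real host.

```python
import re
from typing import Dict, List

# Headers that fingerprinting scanners typically read for a product/version token.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")

# A product token followed by a version number, e.g. "Apache/2.4.29" or "PHP/7.2".
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)*")


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of an HTTP response into a lower-cased name -> value dict."""
    headers: Dict[str, str] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # skip the status line
        if not line.strip():        # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def version_disclosures(raw: str) -> List[str]:
    """Return 'header: token' entries whose value exposes a product version."""
    found: List[str] = []
    for name, value in parse_headers(raw).items():
        if name in FINGERPRINT_HEADERS:
            for token in VERSION_RE.findall(value):
                found.append(f"{name}: {token}")
    return found


# Constructed sample: what a default OpenBSD httpd answer looks like (no version token).
OPENBSD_HTTPD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Connection: keep-alive\r\n"
    "Content-Type: text/html\r\n"
    "Server: OpenBSD httpd\r\n"
    "\r\n"
)

# Constructed sample: a server that leaks exact versions a scanner can match against CVEs.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.19\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, resp in (("openbsd httpd", OPENBSD_HTTPD_RESPONSE), ("leaky", LEAKY_RESPONSE)):
        print(label, version_disclosures(resp) or "no version disclosed")
```

Feed it the raw header block of your own site (e.g. the output of a HEAD request) to confirm nothing beyond the product name is exposed.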

Re: OpenBSD httpd: PCI - DSS Compliance

Chris Cappuccio
In reply to this post by Kihaguru Gathura-2
Kihaguru Gathura [[hidden email]] wrote:

> Hi,
>
> The message below refers. Has httpd met the particular requirement
> 6.5.1 - 6.5.10 as shown? Or is it a matter of further configuration?
>
> "Requirement 6.5
> Fingerprinted versions of web software used on the website may contain
> publicly known vulnerabilities (cf. PCI DSS 6.5.1-6.5.10). Investigate
> as soon as possible.
> Misconfiguration or weakness"
>

I have no idea what 6.5.1 - 6.5.10 of PCI DSS means because I don't even know
where to find what it says.

Your message suggests that there may or may not be a vulnerability, based on
version numbers or other information obtained by this compliance scanner.

Since nobody except you knows what software is running here, I'm not sure what
to tell you. I don't think httpd itself has any known vulnerabilities,
especially in a mostly default configuration. It's easy to introduce
vulnerabilities.

Chris


Re: OpenBSD httpd: PCI - DSS Compliance

Bob-3
On 04/10/2019 20:22, Chris Cappuccio wrote:

> Kihaguru Gathura [[hidden email]] wrote:
>> Hi,
>>
>> The message below refers. Has httpd met the particular requirement
>> 6.5.1 - 6.5.10 as shown? Or is it a matter of further configuration?
>>
>> "Requirement 6.5
>> Fingerprinted versions of web software used on the website may contain
>> publicly known vulnerabilities (cf. PCI DSS 6.5.1-6.5.10). Investigate
>> as soon as possible.
>> Misconfiguration or weakness"
>>
>
> I have no idea what 6.5.1 - 6.5.10 of PCI DSS means because I don't even know
> where to find what it says.

I am not a QSA, and I'm certainly not your QSA. That said:

PCI-DSS 3.2.1 Requirement 6 is headed "Develop and maintain secure systems and applications". That's the right ballpark, but 6.5 is about coding vulnerabilities in the software development process. A web server isn't your software development process and can't meet those requirements for you. Whoever wrote this scanner likely means that the applications/sites you are running *on* that server should be developed in accordance with those requirements.

The requirements that more directly impact the web server process include: 6.1 (vulnerability management), 6.2 (patch management), and any other specific system configuration requirements. Nothing in those requirements will exclude httpd from being used. An up-to-date httpd with a simple configuration and the right TLS ciphers should work in a PCI cardholder data environment just fine. The issue is going to be everything else that you're doing.


Re: OpenBSD httpd: PCI - DSS Compliance

Kihaguru Gathura-2
In reply to this post by Kihaguru Gathura-2
The issue is now resolved. The alert message no longer appears.

Thank you.

Kihaguru.

On 4/10/19, Kihaguru Gathura <[hidden email]> wrote:

> Hi,
>
> The message below refers. Has httpd met the particular requirement
> 6.5.1 - 6.5.10 as shown? Or is it a matter of further configuration?
>
> "Requirement 6.5
> Fingerprinted versions of web software used on the website may contain
> publicly known vulnerabilities (cf. PCI DSS 6.5.1-6.5.10). Investigate
> as soon as possible.
> Misconfiguration or weakness"
>
> actual report here:
>
> https://www.htbridge.com/websec/?id=cGZfIatq
>
> Thanks,
>
> Kihaguru.
>