
(PCI SSC ASV No: 5040-01-01)

LE Global Services ASV Scan Report – PCI Host Details for ( CUSTOMER)

Audited on September 24 2011


LE Global Services Sdn Bhd (ASV No: 5040-01-01) PCI Host Details

1. Scan Information

Scan Customer Company:

ASV Company:

Date scan was completed: September 24, 2011

Scan expiration date: December 23, 2011

2. Asset and Vulnerabilities Compliance Overview

* An exploit is regarded as "published" if it is available from Metasploit or listed in the Exploit Database. Actual remediation times may differ based on organizational workflows.

Page 3  


Note: Part of the content has been removed in order to make this sample file smaller...


Remediation Step: Upgrade to the latest version of OpenSSL

Remediation Step: Disable web directory browsing for all directories and subdirectories
Estimated Time: 2 hours 30 minutes

Apache: In your httpd.conf file, disable the "Indexes" option for the appropriate <Directory> tag by removing it from the Options line. In addition, you should always make sure that proper permissions are set on all files and directories within the web root (including CGI scripts and backup files). Do not copy files into the web root unless you want these files to be available over the web. Periodically go through your web directories and clean out any unused, obsolete, or unknown files and directories.

Remediation Step: Fix Cross Site Scripting Vulnerability
Estimated Time: 2 hours

Audit the affected URL and other similar dynamic pages or scripts that could be relaying untrusted malicious data from the user input. In general, the following practices should be followed while developing dynamic web content:
• Explicitly set the character set encoding for each page generated by the web server
• Identify special characters
• Encode dynamic output elements
• Filter specific characters in dynamic elements
• Examine cookies
For more information on the above practices, read the following CERT advisory: CERT Advisory CA-2000-02
• For ASP.NET applications, the validateRequest attribute can be added to the page or to web.config. For example:
  <%@ Page ... validateRequest="true" %>
  OR
  <system.web>
    <pages validateRequest="true" />
  </system.web>
  In addition, all dynamic content should be HTML encoded using HttpUtility.HtmlEncode.
• For PHP applications, input data should be validated using functions such as strip_tags and utf8_decode. Dynamic content should be HTML encoded using htmlentities.
• For Perl applications, input data should be validated whenever possible using regular expressions. Dynamic content should be HTML encoded using HTML::Entities::encode or Apache::Util::html_encode (when using mod_perl).

Remediation Step: Upgrade to the latest version of Apache 1.3
Estimated Time: 2 hours

Remediation Step: Add the HttpOnly flag to all cookies
Estimated Time: 1 hour

For each cookie generated by your web site, add the "HttpOnly" flag to the cookie. For example:
Set-Cookie: <name>=<value>[; <Max-Age>=<age>][; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]

Remediation Step: Disable SSL support for weak ciphers
Estimated Time: 1 hour

Configure the server to disable support for weak ciphers. For Microsoft IIS web servers, see Microsoft Knowledge Base article 245030 for instructions on disabling weak ciphers. For Apache web servers with mod_ssl, edit the Apache configuration file and change the SSLCipherSuite line to read:
SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
For other servers, refer to the respective vendor documentation to disable the weak ciphers.

Remediation Step: Disable HTTP TRACE Method for Apache
Estimated Time: 4 hours

Apache: Newer versions of Apache (1.3.34 and 2.0.55 and later) provide a configuration directive called TraceEnable. To deny TRACE requests, add the following line to the server configuration:
TraceEnable off
For older versions of the Apache web server, use the mod_rewrite module to deny TRACE requests:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

Remediation Step: Add the Secure flag to cookies sent over SSL
Estimated Time: 30 minutes

For each cookie sent over SSL in your web site, add the "Secure" flag to the cookie. For example:
Set-Cookie: <name>=<value>[; <Max-Age>=<age>][; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]

Remediation Step: Disable WebDAV for Apache
Estimated Time: 30 minutes

Apache: Make sure the mod_dav module is disabled, or ensure that authentication is required on directories where DAV is required.

For BIND 9.3.6-P1-RedHat-9.3.6-16.P1.el5
These vulnerabilities can be resolved by performing the following 2 steps. The total estimated time to perform all of these steps is 8 hours.

Remediation Step: Upgrade to the latest version of ISC BIND
Estimated Time: 6 hours

As of January 2010 there are four major versions that are still supported:
• BIND 9.3.6-P1
• BIND 9.4.3-P5
• BIND 9.5.2-P2
• BIND 9.6.1-P3

Remediation Step: Upgrade to ISC BIND 9.5.1p3
Estimated Time: 2 hours

General
These vulnerabilities can be resolved by performing the following 3 steps. The total estimated time to perform all of these steps is 16 hours 30 minutes.

Remediation Step: Enable TCP MD5 Signatures
Estimated Time: 4 hours

Enable the TCP MD5 signature option as documented in RFC 2385. It was designed to reduce the danger from certain security attacks on BGP, such as TCP resets.

Remediation Step: Locate and fix vulnerable traffic inspection devices along the route to the target
Estimated Time: 12 hours

In many situations, target systems are, by themselves, patched or otherwise unaffected by this vulnerability. In certain configurations, however, unaffected systems can be made vulnerable if the path between an attacker and the target system contains an affected and unpatched network device such as a firewall or router and that device is responsible for handling TCP connections for the target. In this case, locate and apply remediation steps for network devices along the route that are affected.

Remediation Step: Disable ICMP timestamp responses
Estimated Time: 30 minutes

Disable ICMP timestamp replies for the device. If the device does not support this level of configuration, the easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13 (timestamp request) and 14 (timestamp response).

For OpenSSH 4.3
These vulnerabilities can be resolved with a single step. The estimated time to perform this step is 2 hours 30 minutes.

Remediation Step: Upgrade to the latest version of OpenSSH
Estimated Time: 2 hours 30 minutes

The latest version of OpenSSH is 5.2 (OpenBSD source) and 5.2p1 (portable source), both released on February 22, 2009. While you can always build OpenSSH from source, many platforms and distributions provide pre-built binary packages for OpenSSH. These pre-built packages are usually customized and optimized for a particular distribution; therefore we recommend that you use the packages if they are available for your operating system.

For Dovecot
These vulnerabilities can be resolved with a single step. The estimated time to perform this step is 3 hours.

Remediation Step: Replace TLS/SSL self-signed certificate
Estimated Time: 3 hours

Obtain a new TLS/SSL server certificate that is NOT self-signed and install it on the server. The exact instructions for obtaining a new certificate depend on your organization's requirements. Generally, you will need to generate a certificate request and save the request as a file. This file is then sent to a Certificate Authority (CA) for processing. Your organization may have its own internal Certificate Authority. If not, you may have to pay for a certificate from a trusted external Certificate Authority, such as Thawte or Verisign.

For exim 4.69
These vulnerabilities can be resolved with a single step. The estimated time to perform this step is 3 hours.

Remediation Step: Replace TLS/SSL self-signed certificate
Estimated Time: 3 hours

Obtain a new TLS/SSL server certificate that is NOT self-signed and install it on the server. The exact instructions for obtaining a new certificate depend on your organization's requirements. Generally, you will need to generate a certificate request and save the request as a file. This file is then sent to a Certificate Authority (CA) for processing. Your organization may have its own internal Certificate Authority. If not, you may have to pay for a certificate from a trusted external Certificate Authority, such as Thawte or Verisign.

For Linux 2.6.13
These vulnerabilities can be resolved by performing the following 2 steps. The total estimated time to perform all of these steps is 35 minutes.

Remediation Step: Disable ICMP timestamp responses on Linux
Estimated Time: 30 minutes

Linux: Linux offers neither a sysctl nor a /proc/sys/net/ipv4 interface to disable ICMP timestamp responses. Therefore, you should block ICMP on the affected host using iptables (the example below uses the older ipchains syntax), and/or block it at the firewall. For example:
ipchains -A input -p icmp --icmp-type timestamp-request -j DROP
ipchains -A output -p icmp --icmp-type timestamp-reply -j DROP
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13 (timestamp request) and 14 (timestamp response).

Remediation Step: Disable TCP timestamp responses on Linux
Estimated Time: 5 minutes

Linux: Set the value of net.ipv4.tcp_timestamps to 0 by running the following command:
sysctl -w net.ipv4.tcp_timestamps=0
Additionally, put the following value in the default sysctl configuration file, generally sysctl.conf:
net.ipv4.tcp_timestamps=0


For MySQL 5.1.56
These vulnerabilities can be resolved with a single step. The estimated time to perform this step is 30 minutes.

Remediation Step: Restrict database access
Estimated Time: 30 minutes

Configure the database server to only allow access from trusted systems. For example, the PCI DSS standard requires you to place the database in an internal network zone, segregated from the DMZ.


[End of Report]



LGMS "Step by Step" Fixing Report