Hi,
We have problems becoming PCI Compliant again.
Last year, the PCI Compliance Manager told us that there was an issue with a TCP port firewall. We contacted Shopify and they told us to mark this as a false positive as they are PCI compliant. So we did, and it seems to have worked because we were PCI compliant for a year.
We now have to redo the scan and it gives the same error: Your firewall policy seems to let TCP packets with a specific source port pass through.
I have tried to mark this as a false positive like last year, but it does not work this time.
I don't know what to do at this point and we don't want to have problems with PCI.
Has anyone had this problem before? Any ideas would be appreciated.
I'll write all the info I have. Thanks in advance for your help!
Category | Firewall |
CVE | - |
CVSS base score | 5.0 |
Description | TCP Source Port Pass Firewall |
Host | 23.227.38.36 |
Threat | - |
Impact | - |
Solution | - |
PCI compliant | No |
PCI details | - |
Reason | The vulnerability is not included in the NVD. |
PCI severity | medium |
Port | - |
Host name | No registered hostname |
Host OS | Debian 12 |
Result | The host responded 4 times to 4 TCP SYN probes sent to destination port 24567 using source port 53. However, it did not respond at all to 4 TCP SYN probes sent to the same destination port using a random source port. |
CVSS Base Score | 5- AV:N/AC:L/Au:N/C:P/I:N/A:N |
CVSS Temporal Score | 3.6- E:U/RL:W/RC:UC |
Severity | 3 |
Category | Firewall |
CVE ID | |
Vendor Reference | |
Bugtraq ID | |
Date Updated | Jul 10, 2017 |
Threat | Your firewall policy seems to let TCP packets with a specific source port pass through. |
Impact | Some types of requests can pass through the firewall. The port number listed in the results section of this vulnerability report is the source port that unauthorized users can use to bypass your firewall. |
Solution | Make sure that all your filtering rules are correct and strict enough. If the firewall intends to deny TCP connections to a specific port, it should be configured to block all TCP SYN packets going to this port, regardless of the source port. |
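
The Solution row above says a port that is meant to be closed must drop TCP SYN packets regardless of their source port. As an added illustration (not part of the original post or the scanner's report, and not Shopify's actual configuration), the Python model below runs the probe pattern from the Result row against two constructed first-match rulesets; the `Rule` type, both rulesets and the port 443 allow rule are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    sport: Optional[int] = None  # None matches any source port
    dport: Optional[int] = None  # None matches any destination port


def decide(rules: List[Rule], sport: int, dport: int, default: str = "drop") -> str:
    """Return the action of the first rule matching an inbound TCP SYN."""
    for r in rules:
        if r.sport in (None, sport) and r.dport in (None, dport):
            return r.action
    return default


def source_port_dependent(rules: List[Rule], dport: int,
                          fixed_sport: int = 53, probes: int = 4) -> bool:
    """Reproduce the report's comparison for one destination port:
    every probe from fixed_sport passes while every probe from an
    ephemeral source port is dropped."""
    fixed = [decide(rules, fixed_sport, dport) for _ in range(probes)]
    ephemeral = [decide(rules, 49152 + i, dport) for i in range(probes)]
    return all(a == "accept" for a in fixed) and all(a == "drop" for a in ephemeral)


# Constructed example: a stateless "let DNS answers back in" rule keyed only
# on source port 53, placed ahead of the final drop.
WEAK = [
    Rule("accept", sport=53),   # matches ANY inbound SYN whose source port is 53
    Rule("accept", dport=443),  # the one service that is meant to be reachable
    Rule("drop"),
]

# Constructed example: no source-port shortcut. Replies to outbound DNS would
# be admitted by connection tracking, which this stateless model leaves out.
STRICT = [
    Rule("accept", dport=443),
    Rule("drop"),               # every other SYN is dropped, whatever its source port
]

if __name__ == "__main__":
    for name, rules in (("WEAK", WEAK), ("STRICT", STRICT)):
        print(name, "source-port dependent on 24567:",
              source_port_dependent(rules, 24567))
```
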