TCP Source Port Pass Firewall, again

Topic summary

A merchant is struggling to achieve PCI compliance due to a recurring firewall vulnerability: “TCP Source Port Pass Firewall.” The scan flags that their firewall allows TCP packets with specific source ports to bypass security rules, with a CVSS score of 5.0.

Background:

  • Last year, the same issue was resolved by marking it as a false positive after Shopify confirmed their PCI compliance
  • This year, the same error appears but marking it as false positive no longer works

Current situation:

  • The merchant is caught in a blame loop between parties:
    • Shopify claims they are PCI compliant and suggests the issue is with Bankful
    • Bankful redirects responsibility back to Shopify
    • PCI compliance manager points to Shopify as the likely source
  • The merchant notes they don’t control Shopify’s infrastructure (including Cloudflare instances or firewalls)

Status: The issue remains unresolved and ongoing. Multiple other merchants have encountered the identical problem, but no solution has been shared. The merchant expresses frustration about prolonged non-compliance despite efforts to maintain security.

Summarized with AI on October 28. AI used: claude-sonnet-4-5-20250929.

Hi,

We have problems becoming PCI Compliant again.

Last year, the PCI Compliance Manager told us that there was an issue with a TCP port firewall. We contacted Shopify and they told us to mark this as a false positive as they are PCI Compliant. So we did and it seems to have worked because we were PCI Compliant for a year.

We now have to re-do the scan and it reports the same error: Your firewall policy seems to let TCP packets with a specific source port pass through.

I have tried to mark this as a false positive like last year but it does not work this time.

I don't know what to do at this point and we don't want to have problems with PCI.

Has anyone had this problem before? Any ideas would be appreciated.

I'll write all the info I have, thanks in advance for your help!

Category: Firewall
CVE: (none listed)
CVSS base score: 5.0
Description: TCP Source Port Pass Firewall
Host: 23.227.38.36
Threat: (none listed)
Impact: (none listed)
Solution: (none listed)
PCI compliant: No

PCI details

Reason: The vulnerability is not included in the NVD.
PCI severity: medium
Port: (none listed)
Host name: No registered hostname
Host OS: Debian 12

Result: The host responded 4 times to 4 TCP SYN probes sent to destination port 24567 using source port 53. However, it did not respond at all to 4 TCP SYN probes sent to the same destination port using a random source port.

CVSS Base Score: 5 - AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS Temporal Score: 3.6 - E:U/RL:W/RC:UC
Severity: 3
Category: Firewall
CVE ID: (none listed)
Vendor Reference: (none listed)
Bugtraq ID: (none listed)
Date Updated: Jul 10, 2017

Threat: Your firewall policy seems to let TCP packets with a specific source port pass through.

Impact: Some types of requests can pass through the firewall. The port number listed in the results section of this vulnerability report is the source port that unauthorized users can use to bypass your firewall.

Solution: Make sure that all your filtering rules are correct and strict enough. If the firewall intends to deny TCP connections to a specific port, it should be configured to block all TCP SYN packets going to this port, regardless of the source port.
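To make the scanner's "Result" and "Solution" text concrete, here is an added illustration (not code from the post, from Shopify or from the scanner) of what the finding means at the policy level: a toy first-match packet filter is run against the two probes the report describes, once with a weak rule that matches on source port 53 and once with a strict rule that judges inbound SYNs by destination port only. The allowed service port 443, the random source port 41234 and the rule model itself are constructed assumptions.

```python
"""Toy first-match packet-filter model (constructed for illustration).

It replays the scanner's check from the report: SYN probes to destination
port 24567, one with source port 53 and one with a random source port.
A correct policy must treat both the same way.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                   # "accept" or "drop"
    dport: Optional[int] = None   # None = match any destination port
    sport: Optional[int] = None   # None = match any source port


@dataclass(frozen=True)
class SynProbe:
    sport: int
    dport: int


def evaluate(rules: List[Rule], pkt: SynProbe) -> str:
    """First matching rule decides; no match means default drop."""
    for r in rules:
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.sport is not None and r.sport != pkt.sport:
            continue
        return r.action
    return "drop"


# Weak policy (hypothetical): a rule meant for DNS return traffic matches on
# *source* port 53, so any inbound SYN that merely claims sport 53 reaches
# every destination port, exactly the behaviour the scanner flags.
WEAK_POLICY = [Rule("accept", sport=53), Rule("accept", dport=443), Rule("drop")]

# Strict policy: inbound SYNs are judged by destination port alone. Return
# traffic belongs to connection tracking, which a bare SYN probe never matches.
STRICT_POLICY = [Rule("accept", dport=443), Rule("drop")]


def source_port_pass_check(rules: List[Rule], dport: int = 24567,
                           privileged_sport: int = 53,
                           random_sport: int = 41234) -> Tuple[str, str, bool]:
    """Mirror the scanner: same dport, two source ports. The policy is
    'vulnerable' when only the privileged-source-port probe gets through."""
    with_53 = evaluate(rules, SynProbe(privileged_sport, dport))
    with_random = evaluate(rules, SynProbe(random_sport, dport))
    return with_53, with_random, (with_53 == "accept" and with_random == "drop")
```

The same rule-order mistake in a real filter (an accept keyed on `sport 53` placed before the default drop) produces the report's result; the fix is to key inbound accepts on destination port and connection state only.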

Still ongoing.

I've talked to Shopify and they told me that they were good and the problem may be from Bankful.

I've talked to Bankful and they told me that they were good and the problem may be from Shopify.

I've read somewhere that I should claim a false positive and I did. No results so far.

I've talked to my PCI compliance manager and they say that the problem may be from Shopify.

I’ve talked to my guru and he says that the problem may be from Shopify.

I'm lost af; we have not been compliant for a long time and we are trying to be secure.

Any update? Came across the same situation!

I am also curious if you were ever able to get resolution here. We are now getting the same results on our external scans as well. Not sure what else I can tell them. We don’t control the Cloudflare instance in front of Shopify and we certainly don’t control Shopify’s firewalls!