PCI scanners and false positives

This article describes how to deal with some vulnerability reports generated by automated scanner tools.

Who is this article for?

This article is for MiaRec customers who use automated scanners to test MiaRec server(s) against known security vulnerabilities. The scanners may report false positive vulnerabilities.

What is a false positive?

Some security scanning and auditing tools make decisions about vulnerabilities based solely on the version number of the components they find. This results in false positives, because the tools do not take backported security fixes into account. An old version may not have the reported vulnerability if the fix has already been applied to it.

What is Security Backporting?

Note, this article applies to MiaRec installations on Linux OS only. On the Windows version, we use a different approach to deal with security vulnerability reports.

The term "backporting" describes the action of taking the fix for a security flaw out of the most recent version of an upstream package and applying that fix to an older version of the package.

MiaRec software is deployed on the CentOS or Red Hat operating system (CentOS is based on the Red Hat Enterprise Linux distribution). Red Hat uses a security backporting practice to apply the most recent fixes to older versions of software packages.

To keep the server secure and patched, it is enough to run the command:

yum update

To see a list of all patches/fixes applied to the system, install the yum-changelog package with:

sudo yum install yum-changelog

For example, to check all the patches backported to the "httpd" (Apache) package, run:

yum changelog all httpd

This command shows all currently installed patches as well as all available patches, which can be installed with the yum update <package> command.

Example of output:

==================== Installed Packages ====================
httpd-2.4.6-80.el7.centos.1.x86_64       installed
* Tue Sep 19 05:00:00 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-69
- Resolves: #1493065 - CVE-2017-9798 httpd: Use-after-free by limiting
  unregistered HTTP method

* Tue Jul 25 05:00:00 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-68
- Resolves: #1463194 - CVE-2017-3167 httpd: ap_get_basic_auth_pw()
  authentication bypass


==================== Available Packages ====================
httpd-2.4.6-93.el7.centos.x86_64         base
* Tue Oct  8 05:00:00 2019 Lubos Uhliarik <luhliari@redhat.com> - 2.4.6-93
- Resolves: #1677496 - CVE-2018-17199 httpd: mod_session_cookie does not respect
  expiry time

* Thu Aug 22 05:00:00 2019 Joe Orton <jorton@redhat.com> - 2.4.6-92
- htpasswd: add SHA-2 crypt() support (#1486889)


As you can see, the yum changelog output includes information about which CVE vulnerabilities have been fixed with each update. You can save this output into a file for later review, or use the grep command to check whether a certain vulnerability is already fixed:

yum changelog all httpd > httpd_patches.txt

yum changelog all httpd | grep "CVE-2019-0220"
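A plain grep does not tell you whether the matching entry sits under "Installed Packages" (the backported fix is already on this server) or only under "Available Packages" (a fix exists, but yum update has not been run yet). The following shell function is an added example, not part of the original article; it makes that distinction, using a constructed changelog sample abridged from the httpd output shown above, and the function name cve_status is an assumption.

```shell
#!/bin/sh
# Added example: classify a CVE id against `yum changelog all <package>` output.
# Sections are delimited by the "Installed Packages" / "Available Packages"
# banners shown in the article: an entry under "Installed" means the backported
# fix is already on this server, under "Available" it is only offered by yum.

# Constructed sample, abridged from the httpd output shown in the article.
SAMPLE_CHANGELOG='==================== Installed Packages ====================
httpd-2.4.6-80.el7.centos.1.x86_64       installed
* Tue Sep 19 05:00:00 2017 Lubos Uhliarik <luhliari@redhat.com> - 2.4.6-69
- Resolves: #1493065 - CVE-2017-9798 httpd: Use-after-free by limiting
  unregistered HTTP method

==================== Available Packages ====================
httpd-2.4.6-93.el7.centos.x86_64         base
* Tue Oct  8 05:00:00 2019 Lubos Uhliarik <luhliari@redhat.com> - 2.4.6-93
- Resolves: #1677496 - CVE-2018-17199 httpd: mod_session_cookie does not respect
  expiry time'

# cve_status CVE-ID   (changelog text on stdin)
# Prints one of: fixed-installed | fix-available | not-found
cve_status() {
  awk -v cve="$1" '
    /^=+ Installed Packages/ { section = "installed"; next }
    /^=+ Available Packages/ { section = "available"; next }
    # match the full id only, so CVE-2017-979 does not match CVE-2017-9798
    $0 ~ ("(^|[^0-9])" cve "([^0-9]|$)") {
      if (section == "installed") installed = 1
      else if (section == "available") available = 1
    }
    END {
      if (installed)      print "fixed-installed"
      else if (available) print "fix-available"
      else                print "not-found"
    }'
}

# Stand-alone demo on the constructed sample. On a real server use:
#   yum changelog all httpd | cve_status CVE-2019-0220
for id in CVE-2017-9798 CVE-2018-17199 CVE-2019-0220; do
  printf '%s: %s\n' "$id" "$(printf '%s\n' "$SAMPLE_CHANGELOG" | cve_status "$id")"
done
```

A result of fix-available means the scanner finding is real until yum update is run; only fixed-installed justifies reporting the finding as a false positive.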

Why not simply upgrade the vulnerable software to the most recent version?

No software exists in isolation. Any individual software component usually needs to integrate with other software components, and all of them work together as a tightly integrated, complex solution.

An update of a single component to the latest version may cause compatibility issues with other components. To keep a software solution reliable and stable, we recommend using security backporting rather than version upgrades as the solution to security issues.

We still use version upgrades for the MiaRec solution from time to time, when it makes sense. In that case, we perform thorough testing of the new package version(s) to guarantee the compatibility and stability of the whole solution.

How to treat vulnerability reports from a PCI scanner?

Any report should be reviewed by qualified personnel to determine whether it contains false positives.

Vulnerabilities are usually named with the "CVE-" prefix. If a report complains that the version of a system package is old, execute the yum changelog <package> command and search for the corresponding CVE number. There is a high chance that this issue has already been fixed/backported.

To keep the system secure and updated, periodically run the system update command:

yum update

Note, the yum update command may require a server reboot. It is highly recommended to do it during a maintenance window and to begin with a secondary MiaRec server first. When the stability of the secondary server is confirmed, continue to the primary MiaRec server (in a few days).

Submit the output of the yum changelog command to the PCI scanner vendor. They can review it and mark your server as non-vulnerable to that particular issue.

Contact MiaRec team if you have any questions.