PCI scanners and false positives

This article describes how to deal with some of the vulnerability reports generated by automated scanner tools.

Who is this article for?

This article is for MiaRec customers who use automated scanners to test MiaRec server(s) against known security vulnerabilities. The scanners may report false positive vulnerabilities.

What is a false positive?

Some security scanning and auditing tools make decisions about vulnerabilities based solely on the version number of the components they find. This results in false positives, because the tools do not take backported security fixes into account. An old version may not have the reported vulnerability if the fix has already been applied to it.

What is Security Backporting?

Note: this section applies to MiaRec installations on Linux OS only. On the Windows version, we use a different approach to deal with security vulnerability reports.

The term "backporting" describes the action of taking the fix for a security flaw out of the most recent version of an upstream package and applying that fix to an older version of the package.

MiaRec software is deployed on the CentOS or RedHat operating system (FYI, CentOS is based on the RedHat Enterprise Linux distribution). RedHat (the company) uses the Security Backporting practice to apply the most recent fixes to older versions of its software packages.

To keep the server secure and patched, it is enough to run the command:

yum update

To see a list of all patches/fixes applied to the system, install the yum-changelog package with:

sudo yum install yum-changelog

For example, to check all the patches backported to the "httpd" (Apache) package, run:

yum changelog httpd

Why not simply upgrade the vulnerable software to the most recent version?

No software exists in isolation. Any individual software component usually needs to integrate with other software components, and all these components work together as a tightly integrated, complex solution.

An update of a single component to the latest version may cause compatibility issues with other components. To keep a software solution reliable and stable, we recommend using security backporting rather than version upgrades as the solution to security issues.

We still use version upgrades for the MiaRec solution from time to time, when it makes sense. In any case, we perform thorough testing of the new package version(s) to guarantee compatibility and stability of the whole solution.

How to treat vulnerability reports from a PCI scanner?

Any report should be reviewed by qualified personnel to determine whether it contains false positives.

Vulnerabilities are usually named with a "CVE-" prefix. If a report complains that the version of a system package is old, run the yum changelog <package> command and search its output for the corresponding CVE issue number. There is a good chance that the issue has already been fixed by a backported patch.

To keep the system secure and updated, run the system update command periodically:

yum update

Note: the yum update command may require a server reboot. It is highly recommended to do this during a maintenance window and to begin with a secondary MiaRec server first. When the stability of the secondary server is confirmed, continue with the primary MiaRec server (in a few days).

Submit the output of the yum changelog command to the PCI scanner vendor. They can review it and mark your server as non-vulnerable to that particular issue.
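The two procedures above (listing the backported patches of a package, then searching that list for the CVE id named in the scanner report) can be scripted so that the evidence for the vendor is collected in one step. The following script is an added example written for this article; it is not part of the MiaRec product or of RedHat's tooling. It reads the installed package's changelog with rpm -q --changelog (the same data yum changelog shows), and the sample changelog embedded in it is constructed for the example, with made-up CVE ids and dates.

```shell
#!/bin/sh
# Added example (not MiaRec's own tooling): decide whether a CVE id named in a
# scanner report is already covered by a backported fix on this CentOS/RHEL
# host, by searching the installed package's changelog for that CVE id.

# Constructed sample changelog in the style of `rpm -q --changelog` output.
# The CVE ids, bug numbers and dates below are made up for this example.
SAMPLE_CHANGELOG='* Tue Jan 01 2019 Example Packager <packager@example.com> - 2.4.6-90
- Resolves: #1000001 - CVE-2019-00001 httpd: example issue fixed by backport
- Resolves: #1000002 - CVE-2019-00002 httpd: second example issue

* Mon Jun 04 2018 Example Packager <packager@example.com> - 2.4.6-80
- Resolves: #900001 - CVE-2018-00003 httpd: older example issue
'

# cve_status CVE-ID CHANGELOG_TEXT
# Prints "fixed" when the CVE id appears in the changelog text and "not-found"
# otherwise. Returns 2 for a malformed CVE id. The search is a whole-word,
# fixed-string match, so CVE-2019-0000 does not match CVE-2019-00001.
cve_status() {
    cve="$1"
    changelog="$2"
    case "$cve" in
        CVE-[0-9][0-9][0-9][0-9]-[0-9]*) ;;
        *) echo "error: '$cve' is not a CVE id" >&2; return 2 ;;
    esac
    if printf '%s\n' "$changelog" | grep -i -w -F -q -- "$cve"; then
        echo fixed
    else
        echo not-found
    fi
}

# check_package CVE-ID PACKAGE
# Reads the changelog of the installed package and reports the status. When the
# CVE is found, the matching changelog lines are printed so they can be attached
# to the reply to the scanner vendor. Assumes rpm is available; `yum changelog
# PACKAGE` from the yum-changelog plugin shows the same entries.
check_package() {
    cve="$1"
    pkg="$2"
    changelog="$(rpm -q --changelog "$pkg" 2>/dev/null)" || {
        echo "error: package '$pkg' is not installed" >&2
        return 2
    }
    status="$(cve_status "$cve" "$changelog")" || return $?
    echo "$pkg: $cve $status"
    if [ "$status" = fixed ]; then
        printf '%s\n' "$changelog" | grep -i -w -F -- "$cve"
    fi
}

# Usage: sh check_cve.sh CVE-2019-00001 httpd
if [ "$#" -eq 2 ]; then
    check_package "$1" "$2"
fi
```

A "fixed" result only means the installed package's changelog mentions the CVE; read the matching line itself, since packagers also record entries stating that a package was not affected. Because rpm -q --changelog reads the changelog of the package actually installed, the check reflects the current patch level of the server, not the latest version available in the repository.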

Contact MiaRec team if you have any questions.