Fight PCI trolls by trolling them back
I recently had to go in to bat for a client who had been told by their PCI auditor that they would fail PCI and, as a result, would have to notify all of their clients that they were not PCI compliant. The reason for the failure was that the ASV's scanning engine, Nessus, had picked up an F5 internal IP address disclosure vulnerability.
Here are the details of this vulnerability, taken from http://www.tenable.com/plugins/index.php?view=single&id=20089
F5 BIG-IP Cookie Remote Information Disclosure
The remote load balancer suffers from an information disclosure vulnerability.
The remote host appears to be an F5 BIG-IP load balancer. The load balancer encodes the IP address of the actual web server that it is acting on behalf of within a cookie. Additionally, information after 'BIGipServer' is configured by the user and may be the logical name of the device. These values may disclose sensitive information, such as internal IP addresses and names.
See also :
Contact the vendor for a fix.
Risk factor :
Medium / CVSS Base Score : 5.0
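To make concrete what the scanner is actually flagging, here is an added example (mine, not part of the original post and not Tenable's plugin code) that decodes the classic IPv4 form of the BIGipServer persistence cookie. F5 documents the encoding: the pool member's IPv4 address is written as a 32-bit decimal integer in little-endian byte order, then the port with its two bytes swapped, then a literal 0000. The Set-Cookie values below are constructed for the demo and the pool names www_pool and app_pool are made up; the newer IPv6 and route-domain cookie encodings are not handled and return None.

```python
import ipaddress
import re
import struct

# Classic BIG-IP persistence cookie value: <ipv4 as little-endian decimal>.<port, bytes swapped>.0000
CLASSIC_COOKIE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")

# RFC 1918 ranges: the "internal" addresses the Nessus finding is about.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if ip falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def decode_bigip_cookie(value: str):
    """Decode a BIGipServer<pool> cookie value to (ip, port).

    Only the classic IPv4 encoding is handled; anything else (IPv6 'vi...' values,
    route-domain 'rd...' values, unrelated cookies) returns None.
    """
    m = CLASSIC_COOKIE.match(value.strip())
    if not m:
        return None
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    # The address is stored little-endian: pack it as '<I' and read the 4 bytes as an IPv4 address.
    ip = str(ipaddress.IPv4Address(struct.pack("<I", ip_int)))
    # The port is stored with its two bytes swapped: pack little-endian, read back big-endian.
    port = struct.unpack(">H", struct.pack("<H", port_int))[0]
    return ip, port


def find_bigip_cookies(set_cookie_headers):
    """Scan Set-Cookie header values and report every decodable BIG-IP persistence cookie."""
    findings = []
    for header in set_cookie_headers:
        name, _, rest = header.partition("=")
        name = name.strip()
        if not name.startswith("BIGipServer"):
            continue
        value = rest.split(";", 1)[0]          # drop path=/ and other cookie attributes
        decoded = decode_bigip_cookie(value)
        if decoded is None:
            continue
        ip, port = decoded
        findings.append({
            "cookie": name,
            "pool": name[len("BIGipServer"):],   # F5 appends the pool name to the cookie name
            "ip": ip,
            "port": port,
            "internal": is_rfc1918(ip),
        })
    return findings


# Constructed Set-Cookie headers for the demo (not captured from any real host).
SAMPLE_SET_COOKIE = [
    "BIGipServerwww_pool=1677787402.36895.0000; path=/",
    "BIGipServerapp_pool=335653056.47873.0000; path=/; HttpOnly",
    "JSESSIONID=0123456789abcdef; path=/; HttpOnly",
]

if __name__ == "__main__":
    for f in find_bigip_cookies(SAMPLE_SET_COOKIE):
        print(f"{f['cookie']}: pool member {f['ip']}:{f['port']} (RFC 1918: {f['internal']})")
```

Running it on the constructed headers shows exactly what the plugin reports: the first cookie decodes to 10.1.1.100:8080 and the second to 192.168.1.20:443, plus the pool name that is sitting in the cookie name itself. If you actually want the finding to go away rather than be re-scored, the fix on the F5 side is to enable cookie encryption in the persistence profile (or switch persistence method), after which the value no longer decodes like this.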
The problem was that the CVSS score was 5.0, and under the ASV rules any vulnerability scoring 4.0 or higher is an automatic failure. As a professional hacker I recognise that knowing an internal IP address is pretty much useless. Such addresses are non-routable from the Internet; you have to compromise a host first before the information is useful, and even then, if you have compromised a host, why not just look at the IP addressing of the compromised host? Nevertheless our client was being told they were not PCI compliant and had to notify their clients.
So I sent the email below to the ASV:
Common Sense Email 1:
“We would like to get the CVSS score of this plugin http://www.tenable.com/plugins/index.php?view=single&id=20089 lowered. We feel that the CVSS score is extremely overrated. The outcome of this vulnerability is an internal IP address disclosure by looking at the F5 cookie. There are numerous other ways to get the internal IP address, such as looking at mail headers, and none of those will make you fail PCI. In short, we find this an incredibly poor vulnerability that has very low value to an attacker, and people should not fail PCI compliance because of it.”
That was my “common sense should prevail” email, after which everything would surely be fixed. However, that didn’t work, so I decided to look at why the risk was so exaggerated. I found that the same outcome, i.e. that you can find out the private IP address, had much lower scores when reported under other vulnerabilities. Here is an IIS internal IP disclosure vulnerability with a CVSS score of 2.6
I also found out that, depending on which scanner the ASV was using, the same vulnerability had different scores. Isn’t this supposed to be a “standard”? So I sent the following email:
Common Sense Email 2:
"In regards to our support case: Nessus is the only scanner that ranks this as 5.0. Qualys gives it a 2.6. So one ASV will pass you and another ASV will fail you. We are not the only people noticing this disparity (see https://discussions.nessus.org/thread/4769). Even OpenVAS, which is a fork of Nessus, has it as a 2.6.
We feel extremely strongly about this, and we feel that if this causes our customers to fail PCI we will have to change to any of the other numerous ASVs that don’t fail people for that dismal vulnerability."
After getting some communication back from the ASV, I noticed something: in the emails from the ASV they were themselves disclosing their internal mail server IP addresses in their mail headers, because they were not stripping them at their email gateway.
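Checking an inbound email for exactly this disclosure takes a few lines. The following added example (mine, not from the original post) walks the Received: headers of a message in order and reports every hop that exposes an RFC 1918 address, which is what "internal IP address" means here. The message is constructed for the demo; the hostnames, addresses and version string in it are made up and do not describe any real mail gateway.

```python
import email
import ipaddress
import re

# RFC 1918 ranges: what "internal IP address" means for this check.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Dotted quads not glued to other digits or dots. A version string such as 14.2.0.0 still
# matches as a candidate; it is weeded out by the address and range checks below.
IPV4_TOKEN = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def is_rfc1918(ip: str) -> bool:
    """True if ip falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def internal_ips_in_received(raw_message: str):
    """Return one finding per Received: hop that leaks an RFC 1918 address.

    Each finding is {"hop": n, "private_ips": [...], "header": unfolded header text},
    with hop 1 being the topmost (most recently added) Received: header.
    """
    msg = email.message_from_string(raw_message)
    findings = []
    for index, hop in enumerate(msg.get_all("Received", []), start=1):
        hop_text = " ".join(hop.split())          # unfold continuation lines
        private = []
        for token in IPV4_TOKEN.findall(hop_text):
            try:
                ipaddress.IPv4Address(token)        # rejects e.g. 300.1.1.1
            except ipaddress.AddressValueError:
                continue
            if is_rfc1918(token) and token not in private:
                private.append(token)
        if private:
            findings.append({"hop": index, "private_ips": private, "header": hop_text})
    return findings


# Constructed message for the demo: a support reply that passed through an internal Exchange
# server and a gateway that did not strip the internal hops. Hosts and addresses are made up.
SAMPLE_MESSAGE = """\
Received: from mail-gw.example.net (mail-gw.example.net [203.0.113.10])
    by mx.example.org with ESMTPS; Tue, 1 Jan 2013 10:00:00 +0000
Received: from EXCHANGE01.corp.example.net (10.20.30.40) by
    mail-gw.example.net (10.20.30.5) with Microsoft SMTP Server id 14.2.0.0
Received: from [192.168.56.101] (unknown [192.168.56.101])
    by EXCHANGE01.corp.example.net with ESMTP
From: support@example.net
To: client@example.org
Subject: Re: support case

Thank you for contacting support.
"""

if __name__ == "__main__":
    for finding in internal_ips_in_received(SAMPLE_MESSAGE):
        print(f"hop {finding['hop']}: {', '.join(finding['private_ips'])}")
        print(f"    {finding['header']}")
```

On the constructed message the first hop (the public gateway address) is clean, while hops 2 and 3 leak 10.20.30.40, 10.20.30.5 and 192.168.56.101, along with the internal hostname of the Exchange server. Pointing this at a mailbox of vendor correspondence is a quick way to find out who else is "not PCI compliant" by the scanner's logic.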
Troll Email 1:
"If you look at the email headers of emails being sent from you, you can see that you yourselves are disclosing your internal IP addresses. Does this mean you are also not PCI compliant?"
Success!!! I received the following email response back from them:
Response to Troll Email 1:
"Thank you for contacting XXXXXXXXX Support.
The CVSS2 score rating for the vulnerability 'F5 Big IP Information Disclosure' has been adjusted to 2.6 after reviewing the information.
Please feel free to contact us if you have any additional questions."
So, basically, our client did the right thing by contacting us to help them fight it. If you ever find yourself in a similar unreasonable situation, do the security equivalent of ‘lawyer up’ and get your pen testing company in to bat for you.