Scan Report Executive Summary

Transcription

1 Scan Report Executive Summary Part 1. Scan Information Scan Customer Company: Date scan was completed: Vin65 ASV Company: Comodo CA Limited 08/28/2017 Scan expiration date: 11/26/2017 Part 2. Component Summary Component (IP Address, domain, etc.): Component (IP Address, domain, etc.): Part 3a. Vulnerabilities Noted for each Component ASV may choose to omit vulnerabilities that do not impact compliance from this section, however, failing vulnerabilities that have been changed to "pass" via exceptions or after remediation / rescan must always be listed Component SSL Cipher Suites Supported 443 / Device Type 0 / tcp / SSL Root Certification Authority Certificate Information 443 / Web Server No 404 Error Code Check 80 / TCP/IP Timestamps Supported 0 / tcp / Web Server Directory Enumeration 80 / Web Server Directory Enumeration 443 / Strict Transport Security (STS) Detection 80 / tcp / Strict Transport Security (STS) Detection 443 / tcp / SSL / TLS Versions Supported 443 / Non-compliant Strict Transport Security (STS) 80 / Service Detection 443 / Service Detection 443 /

2 Component Service Detection 80 / Web Application Cookies Not Marked HttpOnly 80 / Web Application Cookies Not Marked HttpOnly 443 / SSL Perfect Forward Secrecy Cipher Suites Supported 443 / Nessus SYN scanner 443 / Nessus SYN scanner 80 / OpenSSL Detection 443 / Common Platform Enumeration (CPE) 0 / tcp / HTTP Server Type and Version 80 / HTTP Server Type and Version 443 / HyperText Transfer Protocol (HTTP) Information 443 / HyperText Transfer Protocol (HTTP) Information 80 / OS Identification 0 / tcp / Web Application Cookies Not Marked Secure 80 / tcp / Web Application Cookies Not Marked Secure 443 / SSL Session Resume Supported 443 / SSL Cipher Block Chaining Cipher Suites Supported 443 / HTTP Methods Allowed (per directory) 80 / HTTP Methods Allowed (per directory) 443 / tcp / HyperText Transfer Protocol (HTTP) Redirect Information 80 / SSL Certificate Information 443 /

3 Consolidated Solution/Correction Plan for above IP address: Ensure that use of this root Certification Authority certificate complies with your organization's acceptable use and security policies. If possible, add the 'HttpOnly' attribute to all session cookies and any cookies containing sensitive data. Protect your target with an IP filter. If possible, ensure all communication occurs over an encrypted channel and add the 'secure' attribute to all session cookies or any cookies containing sensitive data. Analyze the redirect(s) to verify that this is valid operation for your web server and/or application. Component CGI Generic SQL Injection (HTTP Headers) 80 / tcp / High 7.5 The vulnerability is not present after inspection and testing CGI Generic SQL Injection (blind) 443 / High 7.5 The vulnerability is not present after inspection and testing CGI Generic SQL Injection (HTTP Headers) 443 / tcphigh 7.5 The vulnerability is not present after / inspection and testing Web Server Uses Plain Text Authentication Forms 80 / Low 2.6 The vulnerability is not included in the CGI Generic Tests Load Estimation (all tests) 443 / CGI Generic Tests Load Estimation (all tests) 80 / tcp / CGI Generic Injectable Parameter 443 / CGI Generic Injectable Parameter 80 / Web Server Harvested Addresses 443 / tcp / Web Server Harvested Addresses 80 / tcp / Web Server Office File Inventory 443 / HSTS Missing From HTTPS Server 443 / OpenSSL Detection 443 / Web Server No 404 Error Code Check 80 / Web Application Sitemap 443 /

4 Component Web Application Sitemap 80 / Web Application Cookies Not Marked HttpOnly 80 / Web Application Cookies Not Marked HttpOnly 443 / SSL Cipher Block Chaining Cipher Suites Supported 443 / OS Identification 0 / tcp / SSL / TLS Versions Supported 443 / SSL Session Resume Supported 443 / SSL Cipher Suites Supported 443 / Web Application Cookies Not Marked Secure 80 / tcp / Web Application Cookies Not Marked Secure 443 / TCP/IP Timestamps Supported 0 / tcp / Web Server Directory Enumeration 80 / Web Server Directory Enumeration 443 / Device Type 0 / tcp / HTTP Methods Allowed (per directory) 443 / tcp / HTTP Methods Allowed (per directory) 80 / HyperText Transfer Protocol (HTTP) Redirect Information 80 / Service Detection 443 / Service Detection 443 / Service Detection 80 / Web Application Cookies Are Expired 80 /

5 Component Web Application Cookies Are Expired 443 / tcp / SSL Root Certification Authority Certificate Information 443 / Web Server robots.txt Information Disclosure 80 / tcp / Web Server robots.txt Information Disclosure 443 / SSL Perfect Forward Secrecy Cipher Suites Supported 443 / Web Server Allows word Auto-Completion 80 / Web Server Allows word Auto-Completion 443 / Nessus SYN scanner 443 / Nessus SYN scanner 80 / SSL Certificate Information 443 / HTTP Server Type and Version 80 / HTTP Server Type and Version 443 / HyperText Transfer Protocol (HTTP) Information 443 / Common Platform Enumeration (CPE) 0 / tcp / HyperText Transfer Protocol (HTTP) Information 80 / HTTP X-Content-Security-Policy Response Header Usage 443 / HTTP X-Content-Security-Policy Response Header Usage 80 / Consolidated Solution/Correction Plan for above IP address: Modify the affected CGI scripts so that they properly escape arguments. Make sure that such files do not contain any confidential or otherwise sensitive information and that they are only accessible to those with valid credentials. Configure the remote web server to use HSTS. If possible, add the 'HttpOnly' attribute to all session cookies and any cookies containing sensitive data.

6 Consolidated Solution/Correction Plan for above IP address: If possible, ensure all communication occurs over an encrypted channel and add the 'secure' attribute to all session cookies or any cookies containing sensitive data. Make sure that every sensitive form transmits content over HTTPS. Analyze the redirect(s) to verify that this is valid operation for your web server and/or application. If needed, set an expiration date in the future so the cookie will persist or remove the Expires cookie attribute altogether to convert the cookie to a session cookie. Ensure that use of this root Certification Authority certificate complies with your organization's acceptable use and security policies. Review the contents of the site's robots.txt file, use Robots META tags instead of entries in the robots.txt file, and/or adjust the web server's access controls to limit access to sensitive material. Add the attribute 'autocomplete=off' to these fields to prevent browsers from caching credentials. Protect your target with an IP filter. Set a properly configured Content-Security-Policy header for all requested resources. Part 3b. Special notes by IP Address Component Special Note Item Noted Scan customer`s description of action taken and declaration that software is either implemented securely or removed Part 3c. Special notes -- Full Text Note Load Balancing As you were unable to validate that the configuration of the environment behind your load balancers is synchronized, it is your responsibility to ensure that the environment is scanned as part of the internal vulnerability scans required by the PCI DSS. Directory Browsing Browsing of directories on web servers can lead to information disclosure or potential exploit. Due to increased risk to the cardholder data environment, please 1) justify the business need for this configuration to the ASV, or 2) confirm that it is disabled. Please consult your ASV if you have questions about this Special Note. Remote Access Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the ASV and 2) confirm it is either implemented securely per Appendix C or disabled/ removed. Please consult your ASV if you have questions about this Special Note. Pos Software detected Due to increased risk to the cardholder data environment when a point-of-sale system is visible on the Internet, please 1) confirm that this system needs to be visible on the Internet, that the system is implemented securely, and that original default passwords have been changed to complex passwords, or 2) confirm that the system has been reconfigured and is no longer visible to the Internet. Please consult your ASV if you have questions about this Special Note. Embedded links or code from out-of-scope domains Note to scan customer: Due to increased risk to the cardholder data environment when embedded links redirect traffic to domains outside the merchant's CDE scope, 1) confirm that this code is obtained from a

7 trusted source, that the embedded links redirect to a trusted source, and that the code is implemented securely, or 2) confirm that the code has been removed. Consult your ASV if you have questions about this Special Note. Insecure Services / industry-deprecated protocols Note to scan customer: Insecure services and industry-deprecated protocols can lead to information disclosure or potential exploit. Due to increased risk to the cardholder data environment, 1) justify the business need for this service and confirm additional controls are in place to secure use of the service, or 2) confirm that it is disabled. Consult your ASV if you have questions about this Special Note. Unknown services Note to scan customer: Unidentified services have been detected. Due to increased risk to the cardholder data environment, identify the service, then either 1) justify the business need for this service and confirm it is securely implemented, or 2) identify the service and confirm that it is disabled. Consult your ASV if you have questions about this Special Note. Part 4a. Scope Submitted by Scan Customer for Discovery IP Addresses/ranges/subnets, domains, URLs, etc. DOMAIN: DOMAIN: Part 4b. Scan Customer Designated In-Scope Components (Scanned) IP Addresses/ranges/subnets, domains, URLs, etc. Part 4c. Scan Customer Designated Out-of-Scope Components (Not Scanned) Requires description for each IP Address/range/subnet, domain, URL :No connectivity to CDE :No connectivity to CDE :No connectivity to CDE. ec us-west-2.compute.amazonaws.com:no connectivity to CDE :No connectivity to CDE. ec us-west-2.compute.amazonaws.com:no connectivity to CDE. ec us-west-2.compute.amazonaws.com:no connectivity to CDE :No connectivity to CDE. intranet.vin65.com:no connectivity to CDE :No connectivity to CDE. test.vin65.com:no connectivity to CDE. evineage.vin65.com:no connectivity to CDE. ec us-west-2.compute.amazonaws.com:no connectivity to CDE. ec us-west-2.compute.amazonaws.com:no connectivity to CDE. ec us-west-2.compute.amazonaws.com:no connectivity to CDE.

8 ec us-west-2.compute.amazonaws.com:no connectivity to CDE :No connectivity to CDE. exchange.vin65.com:no connectivity to CDE :No connectivity to CDE. siteadmin2.k1technology.com:no connectivity to CDE. ec us-west-2.compute.amazonaws.com:no connectivity to CDE :No connectivity to CDE :No connectivity to CDE. ec us-west-2.compute.amazonaws.com:no connectivity to CDE.