03-27-2015 01:34 AM
Dear Friends, panos, panagent, HULK, hshah, Steven Puluka, hyadavalli, mmmccorkle,
I have a doubt regarding the PCI vulnerability scan and enabling the signature for the same. When the security team scanned our WAN interface, they found the below:
1. SSL Certificate - Self-Signed Certificate
VULNERABILITY DETAILS
CVSS Base Score: 9.4
CVSS Temporal Score: 6.9
Severity: 2
QID: 38169
Category: General remote services
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 05/25/2009
THREAT:
An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote server using the server's Certificate and extracts the Public Key in the Certificate to establish the secure connection.
The client can trust that the Server Certificate belongs to the server only if it is signed by a mutually trusted third-party Certificate Authority (CA). Self-signed certificates are generally created for testing purposes or to avoid paying third-party CAs. These should not be used on any production or critical servers. By exploiting this vulnerability, an attacker can impersonate the server by presenting a fake self-signed certificate. If the client knows that the server does not have a trusted certificate, it will accept this spoofed certificate and communicate with the remote server.
IMPACT: By exploiting this vulnerability, an attacker can launch a man-in-the-middle attack.
SOLUTION: Please install a server certificate signed by a trusted third-party Certificate Authority.
RESULT: Certificate #0 emailAddress=support@paloaltonetworks.com,CN=localhost,OU=Support,O=Palo_Alto_Networks,L=Sunnyvale,ST=CA,C=US is a self-signed certificate.
2. SSL Certificate - Signature Verification Failed Vulnerability port 443/tcp over SSL
VULNERABILITY DETAILS
CVSS Base Score: 9.4
CVSS Temporal Score: 6.9
Severity: 2
QID: 38173
Category: General remote services
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 05/23/2009
3. SSL Certificate - Self-Signed Certificate port 4443/tcp over SSL
VULNERABILITY DETAILS
CVSS Base Score: 9.4
CVSS Temporal Score: 6.9
Severity: 2
QID: 38169
Category: General remote services
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 05/25/2009
4. OpenSSH Local SCP Shell Command Execution Vulnerability (FEDORA-2006-056, Vmware-3069097-Patch,Vmware-9986131-Patch)
VULNERABILITY DETAILS
CVSS Base Score: 4.6
CVSS Temporal Score: 3.5
Severity: 3
QID: 115317
Category: Local
CVE ID: CVE-2006-0225
Vendor Reference: OpenSSH, FEDORA-2006-056, Vmware-3069097-Patch, Vmware-9986131-Patch
Bugtraq ID: 16369
Last Update: 06/17/2010
I have checked the below reference, "I Need help for SSLV3 disable", but it is not yet answered. Please suggest the same. I am using PAN-OS 6.1.2.
Thanks in advance.
Regards
Satish
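As an added example (not code from this thread or from Palo Alto Networks), the following shell functions reproduce the two certificate checks behind findings 1 to 3 with the openssl CLI, which is assumed to be installed: the subject/issuer comparison that produces QID 38169 and the chain verification that produces QID 38173. The certificate the script generates is constructed sample data modelled on the RESULT line of finding 1.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl command.
# All file names are constructed here; nothing touches a real device.

WORK="$(mktemp -d)"

# Constructed sample: a self-signed certificate with a subject like the one
# reported in finding #1 (CN=localhost, O=Palo_Alto_Networks). Prints its path.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/ST=CA/L=Sunnyvale/O=Palo_Alto_Networks/OU=Support/CN=localhost" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
    echo "$WORK/cert.pem"
}

# QID 38169 check: a certificate whose issuer equals its subject is self-signed.
# Prints "self-signed" or "ca-signed". The "subject="/"issuer=" prefixes are
# stripped so the two distinguished names compare directly.
classify_cert() {
    subject=$(openssl x509 -in "$1" -noout -subject)
    issuer=$(openssl x509 -in "$1" -noout -issuer)
    if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
        echo self-signed
    else
        echo ca-signed
    fi
}

# QID 38173 check: does the certificate chain to a trusted CA? $2 is the CA
# bundle the client trusts. A self-signed cert only verifies when that exact
# cert is in the bundle, which no public trust store contains.
# Returns 0 when the chain verifies, non-zero otherwise.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# What the scanner sees on the WAN interface (host:port, e.g. the 443 or 4443
# service in the findings). Run it against your own interface after installing
# a CA-signed certificate to confirm the issuer is no longer the subject.
presented_cert() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer
}
```

After the fix, `presented_cert fw.example.com:443` should show an issuer that differs from the subject and `chain_verifies` should succeed against the client's normal CA bundle rather than only against the certificate itself.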
10-26-2015 02:56 AM
Dear Team,
How to close the below PCI point? Please help and suggest.
OpenSSH Local SCP Shell Command Execution Vulnerability (FEDORA-2006-056, Vmware-3069097-Patch, Vmware-9986131-Patch)
10-26-2015 03:28 PM
To reliably find this patch in PanOS you really need to get the CVE number from the scanning company. With this information we can see if it is publicly noted as patched in PanOS. And if not public you can open a ticket and get engineering to determine which version includes the patch.
Steve