cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

PCI Vulnerabilities Report

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
Satish
L4 Transporter
‎03-27-2015 01:34 AM
‎03-27-2015 01:34 AM

PCI Vulnerabilities Report

Dear Friends, panos, panagent HULK hshah Steven Puluka hyadavalli mmmccorkle

I have a doubt regarding PCI vulnerabilities scan and enable the signature for the same. when security team scan our WAN interface. he found below

1. SSL Certificate - Self-Signed Certificate

VULNERABILITY DETAILS

CVSS Base Score: 9.4

CVSS Temporal Score: 6.9

Severity: 2

QID: 38169

Category: General remote services

CVE ID: -

Vendor Reference: -

Bugtraq ID: -

Last Update: 05/25/2009

THREAT:

An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote

server using the server's Certificate and extracts the Public Key in the Certificate to establish the secure connection.

The client can trust that the Server Certificate belongs the server only if it is signed by a mutually trusted third-party Certificate Authority (CA). Selfsigned

certificates are created generally for testing purposes or to avoid paying third-party CAs. These should not be used on any production or

critical servers.By exploiting this vulnerability, an attacker can impersonate the server by presenting a fake self-signed certificate. If the client knows that the server does not have a trusted certificate, it will accept this spoofed certificate and communicate with the remote server.

IMPACT:By exploiting this vulnerability, an attacker can launch a man-in-the-middle attack.

SOLUTION:Please install a server certificate signed by a trusted third-party Certificate Authority.

RESULT: Certificate #0 emailAddress=support@paloaltonetworks.com,CN=localhost,OU=Support,O=Palo_Alto_Networks,L=Sunnyvale,ST=CA,C=US is a self signed certificate.

2. SSL Certificate - Signature Verification Failed Vulnerability   port 443/tcp over SSL

VULNERABILITY DETAILS

CVSS Base Score: 9.4

CVSS Temporal Score: 6.9

Severity: 2

QID: 38173

Category: General remote services

CVE ID: -

Vendor Reference: -

Bugtraq ID: -

Last Update: 05/23/2009

3. SSL Certificate - Self-Signed Certificate  port 4443/tcp over SSL

VULNERABILITY DETAILS

CVSS Base Score: 9.4

CVSS Temporal Score: 6.9

Severity: 2

QID: 38169

Category: General remote services

CVE ID: -

Vendor Reference: -

Bugtraq ID: -

Last Update: 05/25/2009

4. OpenSSH Local SCP Shell Command Execution Vulnerability (FEDORA-2006-056, Vmware-3069097-Patch,Vmware-9986131-Patch)

VULNERABILITY DETAILS

CVSS Base Score: 4.6

CVSS Temporal Score: 3.5

Severity: 3

QID: 115317

Category: Local

CVE ID: CVE-2006-0225

Vendor Reference: OpenSSH, FEDORA-2006-056, Vmware-3069097-Patch, Vmware-9986131-Patch

Bugtraq ID: 16369

Last Update: 06/17/2010

i have checked below reference I Need help for SSLV3 disable but not yet answered. please suggest me for the same. i am using PAN OS 6.1.2

Thanks in advance.

Regards

Satish

0 Likes
Reply
pulukas
L7 Applicator
‎03-27-2015 05:14 AM
‎03-27-2015 05:14 AM

For the certificate, they are asking you to purchase a certificate for the PA from a recognized CA instead of using the device generated certificate.

How to Generate a CSR(Certificate Signing Request) and Import the Signed Certificate

For the CVE coverage, you will need to wait for PA to update the PanOS to pass.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
Reply
mmmccorkle
L4 Transporter
‎03-27-2015 07:10 AM
‎03-27-2015 07:10 AM

Satish,

The SSLv3 is not disabled for you although you are running 6.1.2?

Thanks

0 Likes
Reply
Satish
L4 Transporter
‎03-27-2015 09:19 AM
‎03-27-2015 09:19 AM

Hi mmm,

After upgrading the PAN OS ssl v3 is disabled but i am facing below issue mention earlier.

Thanks

0 Likes
Reply
Satish
L4 Transporter
‎03-27-2015 09:19 AM
‎03-27-2015 09:19 AM

Thanks Steven for reply let me check.

0 Likes
Reply
NickySorot
L2 Linker
‎04-06-2015 03:58 AM
‎04-06-2015 03:58 AM

how to disable ssl on paloalto for management console permanently and how to enable firewall management console on TSL.

0 Likes
Reply
NickySorot
L2 Linker
‎04-06-2015 04:03 AM
‎04-06-2015 04:03 AM

pls help us to close above point. its urgent.

0 Likes
Reply
NickySorot
L2 Linker
‎04-06-2015 05:24 AM
‎04-06-2015 05:24 AM

Team,  pls answer

0 Likes
Reply
jdelio
Community Team Member
‎04-06-2015 12:18 PM
‎04-06-2015 12:18 PM

OK, I was able to research this further, and SSL V3 option has been removed from the PAN OS 6.0.8 and 6.1.2 onward. Prior to these version, you do not have any option to disable SSL V3 on the firewall, rather, you may disable SSL-V3 on your web browser. Accordingly, the client will not send SSL-v3 during the handshake.

Please let me know if this answers your question or not.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items!
Reply
NickySorot
L2 Linker
‎04-07-2015 04:23 AM
‎04-07-2015 04:23 AM

what about TSL?

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2021 - Palo Alto Networks