2
votes

Hi, my Azure web application (.NET Core 3.1) was getting a green flag for PCI compliance until a couple of days ago. However, I received an email from the certification provider stating that the application is no longer PCI compliant, with the following two messages.

Title: CPE Based Vulnerabilities for Microsoft IIS httpd 10.0 Impact: One or more vulnerabilities have been found that affect this service. Please see the relevant CVEs for more details.

Resolution: Apply the latest vendor patches to the Microsoft IIS httpd 10.0 service running on port 80 & port 443

CVE           | Score
--------------|------
CVE-2008-4301 | 10.0
CVE-2008-4300 | 5.0
CVE-2013-2566 | 4.3
CVE-2015-2808 | 4.3

This is confusing, as no changes were made either to the web application or to the Azure settings. The resolution they suggest is to apply the latest vendor patches to Microsoft IIS, which I think is only possible when the application is running on a VM, whereas my application is a simple Azure App Service.

1
Which PCI compliance vendor are you using? Tell them they're fired and find someone else to certify your project. I'll bet that they're basing their decision entirely on the Server: HTTP response header. - Dai
@Dai I am using securitymetrics.com - Max
Looking at the first "vulnerability", CVE-2008-4301 (nvd.nist.gov/vuln/detail/CVE-2008-4301): it's an unverified reported vulnerability in ActiveX from 2008 that certainly does not apply today. Even if there were a vulnerability, ActiveX is dead in all major modern web browsers. - Dai
@Dai, yes, I saw that CVE-2008-4301 is a disputed "vulnerability". I was thinking of writing to Security Metrics; I wanted to confirm whether they have wrongfully flagged my app. It's a 12-year-old vulnerability and does not seem to make any sense. - Max
@Max we are having the same issue with the same ASV (Security Metrics), who is telling me that it is up to Microsoft to patch IIS, that they aren't in control of what passes or fails (this is false), and that they won't submit a false positive without a remediation plan from Microsoft (good luck getting that). I have a ticket in with Azure. SM also mentioned that the other 3 CVEs will fail your scan regardless of whether CVE-2008-4301 is unverified (their minimum pass is > 4.2). - Scott Lance
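As an added example (not part of the question or any of the comments), the following Python models what a CPE-based scanner does with the Server header Dai mentions and applies the 4.2 CVSS cut-off Scott Lance quotes to the four CVEs listed in the question. The vendor table and the triage helper are constructed for illustration and are not Security Metrics' actual logic; they show why a banner-only match, which carries no patch level, keeps flagging old CVEs and why clearing one disputed CVE alone does not turn the scan green.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# A banner-based matcher lifts product and version from the Server header
# alone; the header says nothing about the patch level, so every CVE ever
# recorded against that product version matches.
SERVER_RE = re.compile(r"^\s*([A-Za-z][\w.-]*?)(?:/([\w.]+))?(?:\s|$)")

# Hypothetical banner-token -> (vendor, product) table, constructed for
# this example; real scanners ship far larger dictionaries.
VENDORS = {
    "microsoft-iis": ("microsoft", "iis"),
    "nginx": ("nginx", "nginx"),
    "kestrel": ("microsoft", "kestrel"),
}


def banner_to_cpe(server_header: Optional[str]) -> Optional[str]:
    """Map a Server header to a CPE 2.3 application string, or None if
    the header is missing or unparseable (no banner, no CPE finding)."""
    if not server_header:
        return None
    m = SERVER_RE.match(server_header)
    if not m:
        return None
    token, version = m.group(1).lower(), m.group(2) or "*"
    vendor, product = VENDORS.get(token, ("*", token))
    return f"cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*"


class Finding(NamedTuple):
    cve: str
    score: float


# The four findings quoted in the question, with the scores from the report.
QUESTION_FINDINGS = [
    Finding("CVE-2008-4301", 10.0), Finding("CVE-2008-4300", 5.0),
    Finding("CVE-2013-2566", 4.3), Finding("CVE-2015-2808", 4.3),
]


def failing_findings(findings: List[Finding], pass_threshold: float = 4.2):
    """Findings an ASV fails the scan on: CVSS strictly above the cut-off."""
    return [f for f in findings if f.score > pass_threshold]


def triage(server_header: Optional[str], findings=QUESTION_FINDINGS,
           disputed: Tuple[str, ...] = ()) -> Tuple[Optional[str], List[Finding]]:
    """Drop CVEs already accepted as disputed and report what still fails."""
    cpe = banner_to_cpe(server_header)
    remaining = [f for f in findings if f.cve not in disputed]
    return cpe, failing_findings(remaining) if cpe else []
```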

1 Answer

2
votes

We also use Security Metrics for scanning our websites. We called them this afternoon about this same issue. They requested that we send them a screenshot of our IIS Manager version page so that they can verify we are running current for our version. They will add this to the "False Positives" tab on the Vulnerability Scanning section of our account.

You will have to call their assistance line at 801-705-5700 for them to work with you on setting up false positives (exceptions). They will ask several questions regarding your account to verify that you are with the company, plus a call-back number, name, and title.