  1. #1
    CDS
    Newbie
    Join Date
    Dec 2019
    Posts
    2

    OpenVPN port 1194 listed as a vulnerability on PCI scan from Trustwave.

    I have a client that is failing a PCI scan due to OpenVPN.

    Details (as reported by the Trustwave scan)

    1. Remote Access Service
       Status: Detected
       CVSS score: 6.00   Severity: Medium   Result: Fail   Port: udp/1194

       One or more remote access services were detected on the remote
       host. As defined by the PCI ASV Program Guide: "remote access
       software includes, but is not limited to: VPN (IPSec, PPTP, SSL),
       pcAnywhere, VNC, Microsoft Terminal Server, remote web-based
       administration, ssh, Telnet."
       CVSSv2: AV:N/AC:M/Au:S/C:P/I:P/A:P
       Service: openvpn
       Application: openvpn
       Reference:
       Remediation:
       Due to increased risk to the cardholder data environment when remote
       access software is present, please 1) justify the business need for this
       software to the ASV and 2) confirm it is either implemented securely
       per PCI DSS requirement 8 or disabled/removed.

    With that being said, the only way to get it to pass so far is to turn off OpenVPN on the device and rerun the scan, but this isn't really acceptable for my client since their VPN connection is a must-have. I tried a filter rule to block the port temporarily, but that did not work either. There were no port forward or filter rules active on this device at the time of the scan. Any advice would be appreciated.
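
    Added example, not from this thread and not Untangle's or Trustwave's code: a small Python script that does what an ASV scanner does to flag udp/1194 as OpenVPN, so you can confirm the finding yourself from outside the network, for instance while a temporary filter rule is in place. It sends the first packet of an OpenVPN UDP handshake (a client hard reset, opcode 7) and checks whether a server hard reset (opcode 8) that acks our session comes back. The host and port are arguments you supply; the packet layout is OpenVPN's standard control-channel framing, and the sample reply used to exercise the parser is constructed.

```python
import os
import socket
import struct
import sys

OPENVPN_PORT = 1194
P_CONTROL_HARD_RESET_CLIENT_V2 = 7   # opcode a client sends to open a new session
P_CONTROL_HARD_RESET_SERVER_V2 = 8   # opcode the server answers with


def build_client_reset(session_id=None):
    """Build the first packet of an OpenVPN UDP handshake (key id 0):
    opcode/key-id byte, 8-byte client session id, empty ack array, packet id 0.
    A server without tls-auth/tls-crypt answers this even for unknown clients."""
    if session_id is None:
        session_id = os.urandom(8)
    if len(session_id) != 8:
        raise ValueError("session id must be 8 bytes")
    opcode_byte = (P_CONTROL_HARD_RESET_CLIENT_V2 << 3) | 0  # high 5 bits opcode, low 3 bits key id
    return bytes([opcode_byte]) + session_id + b"\x00" + struct.pack(">I", 0)


def parse_server_reset(data):
    """Return a dict describing a P_CONTROL_HARD_RESET_SERVER_V2 reply, or None
    if the datagram is not one. remote_session_id is the client session id the
    server is acking, so a caller can tie the reply to the probe it sent."""
    if len(data) < 14:
        return None
    opcode, key_id = data[0] >> 3, data[0] & 0x07
    if opcode != P_CONTROL_HARD_RESET_SERVER_V2:
        return None
    server_session_id = data[1:9]
    ack_len = data[9]
    remote_session_id = None
    if ack_len:
        off = 10 + 4 * ack_len          # skip the acked packet ids
        if len(data) < off + 8:
            return None
        remote_session_id = data[off:off + 8]
    return {"opcode": opcode, "key_id": key_id,
            "server_session_id": server_session_id,
            "remote_session_id": remote_session_id}


def probe(host, port=OPENVPN_PORT, timeout=3.0):
    """Send one client reset and classify the result:
    'openvpn' - a server reset acking our session came back
    'silent'  - nothing came back (filtered, closed, or tls-auth/tls-crypt dropping it)
    'other'   - some other datagram came back"""
    session_id = os.urandom(8)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_client_reset(session_id), (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "silent"
    finally:
        sock.close()
    reply = parse_server_reset(data)
    if reply and reply["remote_session_id"] == session_id:
        return "openvpn"
    return "other"


if __name__ == "__main__":
    # usage: python openvpn_probe.py <host> [port]   (host/port are whatever you want to check)
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else OPENVPN_PORT
    print(f"{target}:{target_port}/udp -> {probe(target, target_port)}")
```

    Run it from outside the network, because that is where the ASV scans from; if a filter rule is supposed to be blocking the port, this should report "silent", and if it reports "openvpn" the rule is not doing what you think. One caveat the thread does not discuss: an OpenVPN server configured with tls-auth or tls-crypt drops unauthenticated resets without replying, so this probe (and a scanner using the same method) sees "silent" rather than "openvpn". That changes what the scan sees; it does not change the remediation text above, which asks for the business justification and the requirement 8 controls either way.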

  2. #2
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,111


    The error contains the process you need to follow...

    Due to increased risk to the cardholder data environment when remote
    access software is present, please 1) justify the business need for this
    software to the ASV
    Log into your scanner's portal, say yes, we use OpenVPN, it uses certificate-based authentication, and it's not going away because we use it.

    It's called an exception, and yes you have to file them with your scanner from time to time.

    That hit is just there because way too many people have networks with this stuff on it, and they don't know it's on it. These scans aren't some sort of magic authority, they're just a tool to force network operators to understand their networks. Work with your scanner vendor's support, trust me they've heard it all before, and they'll just be happy to know there's a brain behind this network.

    P.S. You could also ignore it, because a medium fail isn't a scan fail.
    Last edited by sky-knight; 12-17-2019 at 08:45 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    CDS
    Newbie
    Join Date
    Dec 2019
    Posts
    2


    Will do. I will contact Trustwave and get that sorted. Thank you for the quick response.

  4. #4
    Master Untangler Kyawa
    Join Date
    Dec 2016
    Location
    Maryland
    Posts
    455


    sky-knight is spot on. Also, PCI has turned out to be somewhat of a scam. I got PCI certified just prior to the new guidelines. Hardware and software inadequacies have prevented them from fully enforcing the new guidelines. What processors have done is simply added a "PCI Compliance" fee. Check with your client. I bet it's there. It's not a big charge, like $20/month.

    So if you're a merchant, would you rather pay $20 a month for "insurance" or probably hundreds or thousands to legitimately fix the issues? Why have certifications?

  5. #5
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,111


    Yep, pay the "fine" and ignore the problem. Just like how it's technically impossible for any tablet based merchant system to be PCI compliant... but I defy you to find a place that's set itself up anytime in the last five years that isn't living on iPads or GalaxyTabs.
