Payment Card Industry (PCI) Executive Report page 1
Payment Card Industry (PCI) Executive Report 02/20/2012
ASV Scan Report Attestation of Scan Compliance
Scan Customer Information
Company:
Contact:
Title:
Telephone:
Email:
Business Address:
City:
State/Province:
ZIP:
URL:
Approved Scanning Vendor Information
Company: atsec information security
Contact: Jinyun Chen
Title: Senior Consultant
Telephone: +86 10 82893001
Email: jinyun@atsec.com
Business Address: Room 119-121, Building 2, No. 1, Street 7, Shangdi, Haidian District, Beijing, P.R. China
City: Beijing
State/Province: None
ZIP: 100085
URL: http://atsec.com
Scan Status
* Compliance Status:
* Number of unique components scanned: 16
* Number of identified failing vulnerabilities: 291
* Number of components found by ASV but not scanned because scan customer confirmed components were out of scope: 8
* Date scan completed: 02/18/2012
* Scan expiration date (90 days from date scan completed): 05/18/2012
Scan Customer Attestation
attests on 2012-02-20 06:01:32 that this scan includes all components* which should be in scope for PCI DSS, any component considered out-of-scope for this scan is properly segmented from my cardholder data environment, and any evidence submitted to the ASV to resolve scan exceptions is accurate and complete.
also acknowledges the following: 1) proper scoping of this external scan is my responsibility, and 2) this scan result only indicates whether or not my scanned systems are compliant with the external vulnerability scan requirement of PCI DSS; this scan result does not represent my overall compliance status with PCI DSS or provide any indication of compliance with other PCI DSS requirements.
ASV Attestation
This scan and report was prepared and conducted by atsec information security under certificate number 4266-01-03, according to internal processes that meet PCI DSS requirement 11.2 and the PCI DSS ASV Program Guide.
atsec information security attests that the PCI DSS scan process was followed, including a manual or automated Quality Assurance process with customer boarding and scoping practices, review of results for anomalies, and review and correction of 1) disputed or incomplete results, 2) false positives, and 3) active scan interference.
This report and any exceptions were reviewed by atsec ASV tester(s).
ASV Comment: Complete vendor solutions and configuration changes compliant with the PCI DSS are available to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
Merchant Comment:
IP Address: 15 | 86873 - Apache HTTP Server Prior to 2.2.15 Multiple Vulnerabilities | CVE-2010-0408, CVE-2010-0425, CVE-2010-0434 | 10
ASV Comment: Complete vendor solutions and non-vendor workarounds are available to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
Merchant Comment:
IP Address: 14 | port 6789/tcp | 150081 - Possible Clickjacking vulnerability | 10
ASV Comment: Complete vendor solutions and non-vendor workarounds are available to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
Merchant Comment:
IP Address: 13 | 90527 - Microsoft Server Message Block (SMBv2) Remote Code Execution Vulnerability (MS09-050) | CVE-2009-2526, CVE-2009-2532, CVE-2009-3103 | 10
IP Address: 13 | port 25/tcp | 74037 - Possible Mail Relay | CVE-1999-0512, CVE-2002-1278, CVE-2003-0285 | 10
ASV Comment: There are non-vendor provided solutions to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
Merchant Comment:
IP Address: 12 | 74167 - Microsoft Windows SMTP Component Remote Code Execution (MS04-035) | CVE-2004-0840 | 10
IP Address: 12 | port 25/tcp | 74037 - Possible Mail Relay | CVE-1999-0512, CVE-2002-1278, CVE-2003-0285 | 10
IP Address: 12 | 90500 - Microsoft Outlook Web Access Redirection Weaknesses | CVE-2005-0420, CVE-2008-1547 | 7.5
IP Address: 12 | 90244 - Windows TCP/IP Remote Code Execution and Denial of Service Vulnerabilities (MS05-019) | CVE-2005-0048, CVE-2004-0790, CVE-2004-1060, CVE-2004-0230, CVE-2005-0688, CVE-2004-0791 | 7.5
IP Address: 12 | 90598 - Microsoft Exchange and Windows SMTP Service Denial of Service and Information Disclosure Vulnerabilities (MS10-024) | CVE-2010-0024, CVE-2010-0025, CVE-2010-1689, CVE-2010-1690 | 6.4
IP Address: 12 | port 443/tcp | 86729 - AutoComplete Attribute Not Disabled for Password in Form Based Authentication | 6.4
IP Address: 12 | port 80/tcp | 86729 - AutoComplete Attribute Not Disabled for Password in Form Based Authentication | 6.4
IP Address: 12 | port 443/tcp-SSL | 38167 - SSL Certificate - Expired | 6.4
IP Address: 12 | port 80/tcp | 86763 - Web Server Uses Plain Text Basic Authentication | 5
IP Address: 12 | 82058 - ICMP Based TCP Reset Denial of Service Vulnerability | CVE-2004-0790, CAN-2004-0791, CAN-2004-1060 | 5
IP Address: 12 | port 21/tcp | 27356 - FTP Server Does Not Support AUTH Command | 4.8
IP Address: 12 | port 443/tcp-SSL | 38170 - SSL Certificate - Subject Common Name Does Not Match Server FQDN | 2.6
IP Address: 12 | 82003 - ICMP Timestamp Request | CVE-1999-0524 | 0
ASV Comment: Complete vendor solutions and non-vendor workarounds are available to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
Merchant Comment:
IP Address: 11 | port 8080/tcp | 150081 - Possible Clickjacking vulnerability | 10
IP Address: 11 | 1004 - Potential TCP Backdoor | 10
IP Address: 11 | 90475 - Microsoft SQL Server Remote Memory Corruption Vulnerability (MS09-004) | CVE-2008-5416 | 9
ASV Comment: Complete vendor solutions and configuration changes compliant with the PCI DSS are available to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
ASV Comment: Complete vendor solutions and non-vendor workarounds are available to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
ASV Comment: Complete vendor solutions are available to address some issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
Merchant Comment:
IP Address: 8 | port 5560/tcp | 150081 - Possible Clickjacking vulnerability | 10
IP Address: 8 | port 1158/tcp | 150081 - Possible Clickjacking vulnerability | 10
ASV Comment: Complete vendor solutions, non-vendor workarounds, upgrades to supported versions of the software, and configuration changes compliant with the PCI DSS are available to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
Merchant Comment:
IP Address: 7 | port 10000/tcp | 150081 - Possible Clickjacking vulnerability | 10
IP Address: 7 | 86873 - Apache HTTP Server Prior to 2.2.15 Multiple Vulnerabilities | CVE-2010-0408, CVE-2010-0425, CVE-2010-0434 | 10
ASV Comment: Complete vendor solutions and non-vendor workarounds are available to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
Merchant Comment:
IP Address: 6 | port 1158/tcp | 150081 - Possible Clickjacking vulnerability | 10
ASV Comment: Complete vendor solutions, non-vendor workarounds and configuration changes compliant with the PCI DSS are available to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
Merchant Comment:
IP Address: 5 | port 443/tcp | 150081 - Possible Clickjacking vulnerability | 10
IP Address: 5 | port 161/udp | 78030 - Readable SNMP Information | CVE-1999-0517, CVE-1999-0186, CVE-1999-0254, CVE-1999-0516, CVE-1999-0472, CVE-2001-0514, CVE-2002-0109
ASV Comment: Complete vendor solutions and non-vendor workarounds are available to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
Merchant Comment:
IP Address: 3 | port 6789/tcp | 150081 - Possible Clickjacking vulnerability | 10
ASV Comment: There are non-vendor provided solutions to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
ASV Comment: There are non-vendor provided solutions to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
ASV Comment: Complete vendor solutions and non-vendor workarounds are available to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
Merchant Comment:
Part 3b. Special Notes by IP Address
Columns: IP Address | Note | Item Noted (remote access software, POS software, etc.) | Scan customer's declaration that software is implemented securely (see next column if not implemented securely) | Scan customer's description of actions taken to either: 1) remove the software or 2) implement security controls to secure the software
IP Address: 15
Note: Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the ASV and 2) confirm it is either implemented securely or disabled/removed.
Implemented securely: Yes
Actions taken: SSH is a secure remote access management protocol
IP Address: 14
Note: Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the ASV and 2) confirm it is either implemented securely or disabled/removed.
Item Noted: 38019 - Remote Login Service Open
Implemented securely: No
Actions taken: disable the rlogin service; only use a secure protocol such as SSH for the remote management
IP Address: 14
Note: Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the ASV and 2) confirm it is either implemented securely or disabled/removed.
Implemented securely: No
Actions taken: disable the telnet service; only use SSH for the remote management
IP Address: 11
Note: Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the ASV and 2) confirm it is either implemented securely or disabled/removed.
Implemented securely: Yes
Actions taken: pcAnywhere is used for remote access or management
IP Address: 10
Note: Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the ASV and 2) confirm it is either implemented securely or disabled/removed.
Implemented securely: Yes
Actions taken: SSH is a secure remote access management protocol
IP Address: 9
Note: Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the ASV and 2) confirm it is either implemented securely or disabled/removed.
Implemented securely: No
Actions taken: use a secure remote access or management service or protocol (such as SSH) to replace the telnet service
IP Address: 7
Note: Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the ASV and 2) confirm it is either implemented securely or disabled/removed.
Implemented securely: Yes
Actions taken: The VNC service is used for remote access or management
IP Address: 6
Note: Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the ASV and 2) confirm it is either implemented securely or disabled/removed.
Implemented securely: Yes
Actions taken: The RDP service is used for Windows remote management
IP Address: 5
Note: Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the ASV and 2) confirm it is either implemented securely or disabled/removed.
Implemented securely: No
Actions taken: disable the telnet service; only use SSH for the remote management
IP Address: 2
Note: Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the ASV and 2) confirm it is either implemented securely or disabled/removed.
Implemented securely: Yes
Actions taken: SSH is a secure remote access management protocol
IP Address: 1
Note: Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the ASV and 2) confirm it is either implemented securely or disabled/removed.
Vulnerabilities by PCI Severity
Potential Vulnerabilities by PCI Severity
Vulnerabilities by Severity
Potential Vulnerabilities by Severity
Appendices
Host Comments
IP Address: 1 | Complete vendor solutions and non-vendor workarounds are available to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
IP Address: 2 | There are non-vendor provided solutions to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
IP Address: 3 | There are non-vendor provided solutions to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
IP Address: 5 | Complete vendor solutions and non-vendor workarounds are available to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
IP Address: 6 | Complete vendor solutions, non-vendor workarounds and configuration changes compliant with the PCI DSS are available to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
IP Address: 7 | Complete vendor solutions and non-vendor workarounds are available to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
IP Address: 8 | Complete vendor solutions, non-vendor workarounds, upgrades to supported versions of the software, and configuration changes compliant with the PCI DSS are available to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
IP Address: 9 | Complete vendor solutions are available to address some issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
IP Address: 10 | Complete vendor solutions and non-vendor workarounds are available to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
IP Address: 11 | Complete vendor solutions and configuration changes compliant with the PCI DSS are available to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
IP Address: 12 | Complete vendor solutions and non-vendor workarounds are available to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
IP Address: 13 | There are non-vendor provided solutions to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
IP Address: 14 | Complete vendor solutions and non-vendor workarounds are available to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
IP Address: 15 | Complete vendor solutions and non-vendor workarounds are available to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
IP Address: 16 | Complete vendor solutions and configuration changes compliant with the PCI DSS are available to address these issues. No fix is available at this time for some issues; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these. For specific information on how to remediate these issues please consult the technical report below.
Hosts Scanned
IP Address: 1 - IP Address: 16
Option Profile
Scan
Scanned TCP Ports: Full
Scanned UDP Ports: Standard Scan
Scan Dead Hosts: Off
Load Balancer Detection: Off
Password Brute Forcing: Standard
Vulnerability Detection: Complete
Windows Authentication: Disabled
SSH Authentication: Disabled
Oracle Authentication: Disabled
SNMP Authentication: Disabled
Perform 3-way Handshake: Off
Advanced
Hosts Discovery: TCP Standard Scan, UDP Standard Scan, ICMP On
Ignore RST packets: Off
Ignore firewall-generated SYN-ACK packets: Off
Do not send ACK or SYN-ACK packets during host discovery: Off
Report Legend
Payment Card Industry (PCI) Status
An overall PCI compliance status of PASSED indicates that all hosts in the report passed the PCI compliance standards. A PCI compliance status of PASSED for a single host/IP indicates that no vulnerabilities or potential vulnerabilities, as defined by the PCI DSS compliance standards set by the PCI Council, were detected on the host.
An overall PCI compliance status of FAILED indicates that at least one host in the report failed to meet the PCI compliance standards. A PCI compliance status of FAILED for a single host/IP indicates that at least one vulnerability or potential vulnerability, as defined by the PCI DSS compliance standards set by the PCI Council, was detected on the host.
Vulnerability Levels
A Vulnerability is a design flaw or mis-configuration which makes your network (or a host on your network) susceptible to malicious attacks from local or remote users. Vulnerabilities can exist in several areas of your network, such as in your firewalls, FTP servers, Web servers, operating systems or CGI bins. Depending on the level of the security risk, the successful exploitation of a vulnerability can vary from the disclosure of information about the host to a complete compromise of the host.
Severity | Level | Description
1 | Minimal | Intruders can collect information about the host (open ports, services, etc.) and may be able to use this information to find other vulnerabilities.
2 | Medium | Intruders may be able to collect sensitive information from the host, such as the precise version of software installed. With this information, intruders can easily exploit known vulnerabilities specific to software versions.
3 | Serious | Intruders may be able to gain access to specific information stored on the host, including security settings. This could result in potential misuse of the host by intruders. For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering rules and security mechanisms, denial of service attacks, and unauthorized use of services, such as mail-relaying.
4 | Critical | Intruders can possibly gain control of the host, or there may be potential leakage of highly sensitive information. For example, vulnerabilities at this level may include full read access to files, potential backdoors, or a listing of all the users on the host.
5 | Urgent | Intruders can easily gain control of the host, which can lead to the compromise of your entire network security. For example, vulnerabilities at this level may include full read and write access to files, remote execution of commands, and the presence of backdoors.
Severity Level | Description
Low | A vulnerability with a CVSS base score of 0.0 through 3.9. These vulnerabilities are not required to be fixed to pass PCI compliance.
Medium | A vulnerability with a CVSS base score of 4.0 through 6.9. These vulnerabilities must be fixed to pass PCI compliance.
High | A vulnerability with a CVSS base score of 7.0 through 10.0. These vulnerabilities must be fixed to pass PCI compliance.
Potential Vulnerability Levels
A potential vulnerability is one which we cannot confirm exists. The only way to verify the existence of such vulnerabilities on your network would be to perform an intrusive scan, which could result in a denial of service. This is strictly against our policy. Instead, we urge you to investigate these potential vulnerabilities further.
Severity | Level | Description
1 | Minimal | If this vulnerability exists on your system, intruders can collect information about the host (open ports, services, etc.) and may be able to use this information to find other vulnerabilities.
2 | Medium | If this vulnerability exists on your system, intruders may be able to collect sensitive information from the host, such as the precise version of software installed. With this information, intruders can easily exploit known vulnerabilities specific to software versions.
3 | Serious | If this vulnerability exists on your system, intruders may be able to gain access to specific information stored on the host, including security settings. This could result in potential misuse of the host by intruders. For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering rules and security mechanisms, denial of service attacks, and unauthorized use of services, such as mail-relaying.
4 | Critical | If this vulnerability exists on your system, intruders can possibly gain control of the host, or there may be potential leakage of highly sensitive information. For example, vulnerabilities at this level may include full read access to files, potential backdoors, or a listing of all the users on the host.
5 | Urgent | If this vulnerability exists on your system, intruders can easily gain control of the host, which can lead to the compromise of your entire network security. For example, vulnerabilities at this level may include full read and write access to files, remote execution of commands, and the presence of backdoors.
Severity Level | Description
Low | A potential vulnerability with a CVSS base score of 0.0 through 3.9. These vulnerabilities are not required to be fixed to pass PCI compliance.
Medium | A potential vulnerability with a CVSS base score of 4.0 through 6.9. These vulnerabilities must be fixed to pass PCI compliance.
High | A potential vulnerability with a CVSS base score of 7.0 through 10.0. These vulnerabilities must be fixed to pass PCI compliance.
Information Gathered
Information Gathered includes visible information about the network related to the host, such as traceroute information, Internet Service Provider (ISP), or a list of reachable hosts. Information Gathered severity levels also include Network Mapping data, such as detected firewalls, SMTP banners, or a list of open TCP services.
Severity | Level | Description
1 | Minimal | Intruders may be able to retrieve sensitive information related to the host, such as open UDP and TCP services lists, and detection of firewalls.
2 | Medium | Intruders may be able to determine the operating system running on the host, and view banner versions.
3 | Serious | Intruders may be able to detect highly sensitive data, such as global system user lists.