My colleagues and I must deal with what appears to be “shifting sand” every time we prepare to run the quarterly PCI vulnerability scans for our clients.
I have not reported a PCI FAIL for quite some time. Last month a scan was run as scheduled on 3 March 2012 to determine how much more effort was needed (if any) to ensure compliance. At the time the reports for our clients did not show a vulnerability for ASP.NET. Having completed all of the scheduled work by the revised deadline of 3 April 2012, the reports were run again and this time I found that 2 clients failed PCI compliance with a number of servers showing an ASP.NET vulnerability:
90780 - Microsoft ASP.NET ValidateRequest Filters Bypass Cross-Site Scripting Vulnerability (CVE-2008-3842, CVE-2008-3843)
No fix is available at this time; please consider implementing mitigating controls (firewalls, traffic filtering, etc.) to address these issues. For specific information on how to remediate these issues please consult the technical report below.
As I was due to report to the acquiring bank by 11 April 2012, and as the Easter break (peak trading for those clients) fell just 2 days after the scans, there was little opportunity to investigate the problems other than to try to determine what had changed in the infrastructure in both companies to cause this problem to occur. The answer to that was ultimately nothing, but with the amount of change that had been taking place in the last 3 months it took a good deal of effort to satisfy me that the changes we had implemented had not caused the problem to arise.
Further investigation of the alerts that I receive via subscription from Qualys (the ASV for both clients) identified a change in the status of the ASP.NET vulnerability that was announced in the weekly bulletin received on 19 March 2012. The bulletin is presented in list form and a quick glance at that list could result in something being missed (as on this occasion). The attachment is not much better as it needs to be reformatted in order to view all of the information before a search can begin.
This vulnerability has been in existence since 2008. Why has it suddenly been upgraded? Without warning? Why did it not appear simply as a warning on previous reports? What impact has this had on other retailers? Are my clients alone in reporting this issue?
As you can imagine there is a great deal of frustration at the moment about this failure, especially as it was outside of our control, was not immediately obvious, and will probably result in a great deal of time and effort to investigate and possibly mitigate, and may have a potential impact upon the operating companies’ plans for PCI audit.
I have written to Jeremy King at the PCI SSC and to the acquiring banks to ask about this vulnerability and the process for notification to ASVs, to see if there is a better way of delivering the information to all retailers without the retailer having to subscribe to a mailing list to receive the notification, search through lists of vulnerabilities, decide if the listed vulnerabilities are applicable to its environment, and determine what action has to be taken to prevent a PCI failure if at all possible. We already subscribe to the Qualys mailing list and have implemented a process for scanning the “PCI” devices on a monthly basis for our clients, and still I find myself in the position of having to report a PCI failure. I have not yet received a reply to my email to Jeremy.
I will appreciate any advice and help that anyone can give to try to improve the situation and to make it easier for retailers to identify and mitigate potential problems whilst striving to achieve and maintain compliance, and to prevent a repeat occurrence.