Tags: azure, web-applications, pci

PCI vulnerability discovered during scan. How to prevent disclosing Web Server software version sent in HTTP response header. port 8172


We scanned our website for vulnerabilities and received the message shown below. We used Clover Security to scan the Azure Web App site. We have already implemented the solution in web.config shared on the Internet and by Microsoft on these websites:

https://azure.microsoft.com/en-us/blog/removing-standard-server-headers-on-windows-azure-web-sites/

https://learn.microsoft.com/en-us/answers/questions/28434/azure-app-service-how-to-block-msdeployaxd-on-port.html

As discussed in the last URL, I have also re-created a new resource group, app service plan and app service and redeployed in a different US location, but the error still shows on re-scan. Any suggestion on how to fix this would be greatly appreciated. Thank you in advance.

------------------------------ Error Message Provided (our IP has been x'd out) --------------------------------

Category Web Application

CVE -

CVSS base score 5.0

Description Web Server Information Disclosure

Host xx.xx.xxx.xx

Threat -

Impact -

Solution -

PCI compliant No

PCI details -

Reason The vulnerability is not included in the NVD.

PCI details medium

Port 8172 / tcp

Host name No registered hostname

Host OS Windows Vista / Windows 2008 / Windows 7 / Windows 2012 / Windows Vista / Windows 2008 / Windows 7 / Windows 2012

Result

url: https://xx.xx.xxx.xx:8172/

comment: Web Server Information Disclosure detected at PORT : 8172

matched: HTTP/1.1 404 Not Found

Content-Type: text/html

Server: Microsoft-IIS/10.0

Date: Thu, 23 Jun 2022 08:20:52 GMT

Connection: close

Content-Length: 103

The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

CVSS Base Score 5.0 - - AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Temporal Score 4.3 - E:POC/RL:W/RC:C

Severity 2

Category Web Application

CVE ID

Vendor Reference

Bugtraq ID

Date Updated Jun 1, 2022

Threat The target application discloses the Web Server software version via the "Server:" token sent in HTTP response header.

QID Detection Logic: This QID sends a GET request to the target application and determines the Web Server version disclosed in the "Server:" token.

Impact Revealing the specific software version of the server may allow the server machine to become more vulnerable to attacks against software that is known to contain security holes.

Solution Customers are advised to modify the HTTP response header of the target application to not disclose detailed information about the underlying web server. Server implementers are encouraged to make this field a configurable option.


Solution

  • You need to raise this as a false positive, as the failing scan is for port 8172. This is part of Azure's services infrastructure and isn't removable or editable. You might also get false positives for ports 455 and 454 on the same IP address. When you create the false positive claim, you need to let your PCI scan provider know that these ports are not accessible nor for use by the general public. You will also need to "confirm" that there is no CHD (cardholder data) being transmitted through those ports/services.
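An added example (not from the original post, the scanner vendor or Microsoft) that reproduces the scanner's detection step described in the report (read the "Server:" token and extract the disclosed version) and then triages a finding by port the way the answer describes: app-owned ports are fixed in web.config, while the platform ports the answer names (454, 455, 8172) are documented for a false-positive claim. The sample response is constructed from the scan output above; the port set is an assumption taken from the answer.

```python
import re

# Ports the answer describes as Azure App Service platform infrastructure,
# not configurable through the app's web.config (assumption from the answer).
PLATFORM_PORTS = {454, 455, 8172}

# Constructed sample: the raw response quoted in the scanner's "matched:" field.
SAMPLE_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/html\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "Date: Thu, 23 Jun 2022 08:20:52 GMT\r\n"
    "Connection: close\r\n"
    "Content-Length: 103\r\n"
    "\r\n"
    "The resource you are looking for has been removed.\n"
)


def parse_headers(raw: str) -> dict:
    """Return the response headers as a lower-cased name -> value dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers


def server_disclosure(raw: str):
    """Mimic the QID logic: (product, version) if the Server: token carries a
    version number, None if the header is absent or version-free."""
    server = parse_headers(raw).get("server")
    if not server:
        return None
    m = re.match(r"([^/\s]+)/(\d[\w.]*)", server)
    return (m.group(1), m.group(2)) if m else None


def triage(port: int, raw: str) -> str:
    """Decide what to do with a Server-header finding seen on a given port."""
    if server_disclosure(raw) is None:
        return "no disclosure"
    if port in PLATFORM_PORTS:
        return "platform-managed: raise as false positive"
    return "app-owned: remove Server header in web.config"


if __name__ == "__main__":
    print(triage(8172, SAMPLE_RESPONSE))  # platform-managed: raise as false positive
    print(triage(443, SAMPLE_RESPONSE))   # app-owned: remove Server header in web.config
```

Feed `triage` the raw response captured from each port the scanner flagged; the output separates the findings you can fix from those that go into the false-positive claim.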