We scanned our website for vulnerabilities and received the message shown below. We used Clover Security to scan the Azure Web App site. We have already implemented the solution in web.config shared on the Internet and by Microsoft on these websites:
https://azure.microsoft.com/en-us/blog/removing-standard-server-headers-on-windows-azure-web-sites/
As discussed in the last URL, I have also re-created a new resource group, app service plan and app services and redeployed in a different US location, but the error still shows on re-scan. Any suggestion on how to fix this would be greatly appreciated. Thank you in advance.
------------------------------ Error Message Provided (our IP has been x'd out) --------------------------------
Category Web Application
CVE -
CVSS base score 5.0
Description Web Server Information Disclosure
Host xx.xx.xxx.xx
Threat -
Impact -
Solution -
PCI compliant No
PCI details -
Reason The vulnerability is not included in the NVD.
PCI details medium
Port 8172 / tcp
Host name No registered hostname
Host OS Windows Vista / Windows 2008 / Windows 7 / Windows 2012 / Windows Vista / Windows 2008 / Windows 7 / Windows 2012
Result
url: https://xx.xx.xxx.xx:8172/
comment: Web Server Information Disclosure detected at PORT : 8172
matched: HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/10.0
Date: Thu, 23 Jun 2022 08:20:52 GMT
Connection: close
Content-Length: 103
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
CVSS Base Score 5.0 - - AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS Temporal Score 4.3 - E:POC/RL:W/RC:C
Severity 2
Category Web Application
CVE ID
Vendor Reference
Bugtraq ID
Date Updated Jun 1, 2022
Threat The target application discloses the Web Server software version via the "Server:" token sent in HTTP response header.
QID Detection Logic: This QID sends a GET request to the target application and determines the Web Server version disclosed in the "Server:" token.
Impact Revealing the specific software version of the server may allow the server machine to become more vulnerable to attacks against software that is known to contain security holes.
Solution Customers are advised to modify the HTTP response header of the target application to not disclose detailed information about the underlying web server. Server implementers are encouraged to make this field a configurable option.
You need to raise this as a false positive, as the failing scan is for port 8172. This is part of Azure's services infrastructure and isn't removable or editable. You might also get false positives for ports 455 and 454 on the same IP address. When you create the false positive claim, you need to let your PCI scan provider know that these ports are not accessible to, nor for use by, the general public. You will also need to "confirm" that there is no CHD (Cardholder data) being transmitted through those ports/services.
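As an added example (not part of the question or the answer above), the following Python script checks whether an HTTP response still carries server-identifying headers. It parses a raw response in the same shape as the scanner's "matched" block, and can optionally fetch the headers of your own site over HTTPS so you can confirm that the web.config change took effect on the app's public port (443) before filing the false-positive claim for the management port 8172. The sample responses, the hostname argument and the list of headers checked beyond "Server" are assumptions made for this example.

```python
"""Check an HTTP response for headers that disclose the web server stack.

Added example for the thread above; not code from the question, the
answer, or Microsoft. Run with no arguments to check the constructed
sample below, or with a hostname to check your own site on port 443.
"""
import http.client
import ssl
import sys

# Headers that reveal the server stack. "Server" is the one the scanner
# flagged; the others are common IIS/ASP.NET additions worth checking too.
DISCLOSING_HEADERS = (
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
)

# Constructed sample, modelled on the "matched" block in the scan output above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/html\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "Date: Thu, 23 Jun 2022 08:20:52 GMT\r\n"
    "Connection: close\r\n"
    "Content-Length: 103\r\n"
    "\r\n"
    "The resource you are looking for has been removed, had its name changed, "
    "or is temporarily unavailable."
)

# Constructed sample of the same response once the Server header is suppressed,
# which is what the web.config change from the linked article aims for.
HARDENED_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/html\r\n"
    "Date: Thu, 23 Jun 2022 08:20:52 GMT\r\n"
    "Connection: close\r\n"
    "Content-Length: 103\r\n"
    "\r\n"
    "The resource you are looking for has been removed, had its name changed, "
    "or is temporarily unavailable."
)


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response into a {lowercase name: value} dict.

    Accepts CRLF or bare LF line endings, skips the status line and
    ignores the body. Only the first colon splits name from value, so
    values containing colons (e.g. the Date header) stay intact.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def disclosing_headers(headers: dict) -> dict:
    """Return only the headers that identify the server software."""
    return {name: headers[name] for name in DISCLOSING_HEADERS if name in headers}


def check_response(raw: str) -> dict:
    """Convenience wrapper: parse a raw response and report disclosing headers."""
    return disclosing_headers(parse_headers(raw))


def fetch_live_headers(host: str, port: int = 443, path: str = "/") -> dict:
    """Fetch response headers from your own site over HTTPS.

    Port 443 is the app's public port; the scanner's finding was on 8172,
    the Azure management endpoint, which the answer says you cannot change.
    """
    context = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, timeout=10, context=context)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return {name.lower(): value for name, value in resp.getheaders()}
    finally:
        conn.close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = disclosing_headers(fetch_live_headers(sys.argv[1]))
    else:
        found = check_response(SAMPLE_RESPONSE)
    if found:
        for name, value in found.items():
            print(f"disclosing header present: {name}: {value}")
    else:
        print("no server-identifying headers found")
```

If the live check of your own hostname reports no disclosing headers while the scanner still flags port 8172, that supports the false-positive claim: the web.config fix applies to the app, not to the management endpoint.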