Troubleshooting vulnerability scans and PCI Compliance with the Cloud Services Appliance (Management Gateway)

Version 1

    Overview: Some organizations require the Cloud Services Appliance to pass a vulnerability scan or PCI Compliance Test. Listed below are some of the vulnerabilities that such a test may report and what needs to be done to resolve them.

     

    Note: PCI Compliance does require a 3rd party certificate to be posted to the Management Gateway. Instructions on how to request and post a 3rd party certificate can be found here: http://community.landesk.com/support/docs/DOC-24323

     

    Vulnerability: TCP Source Port Pass Firewall

    Threat: Your firewall policy seems to let TCP packets with a specific source port pass through.

    Solution: Disable the protocol using the port on the Firewall.

    Example 1: "The host responded 4 times to 4 TCP SYN probes sent to destination port 1027 using source port 25." In this case the SMTP port on the firewall was disabled.

    Example 2: "The host responded 4 times to 4 TCP SYN probes sent to destination port 1027 using source port 53." In this case DNS was disabled on the firewall. Manual host entries can be added for patch.landesk.com, patchec.landesk.com, patchemea.landesk.com, and license.landesk.com. The previous 4 URLs are the only URLs the Gateway should ever need to contact.
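
    The check below is an added example, not LANDesk code: it parses scan result lines worded like the two examples above and, for the case where DNS is disabled, reports which of the four required hosts still lack a static hosts-file entry. The function names, the assumption that the Gateway uses standard /etc/hosts syntax, and the sample data (192.0.2.x addresses) are constructed for illustration.

```python
import re

# Hosts the article says are the only ones the Gateway needs to contact.
REQUIRED_HOSTS = (
    "patch.landesk.com",
    "patchec.landesk.com",
    "patchemea.landesk.com",
    "license.landesk.com",
)

# Wording of the scanner result quoted in the article's examples.
FINDING_RE = re.compile(
    r"responded (\d+) times to (\d+) TCP SYN probes sent to "
    r"destination port (\d+) using source port (\d+)"
)


def parse_findings(report_text):
    """Return one dict per 'TCP Source Port Pass Firewall' result line."""
    keys = ("responses", "probes", "dst_port", "src_port")
    return [dict(zip(keys, map(int, m.groups())))
            for m in FINDING_RE.finditer(report_text)]


def missing_host_entries(hosts_text, required=REQUIRED_HOSTS):
    """Return required names that have no static entry in hosts-file text."""
    mapped = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 2:                    # an address followed by at least one name
            mapped.update(name.lower().rstrip(".") for name in fields[1:])
    return [h for h in required if h not in mapped]


# Constructed sample data (192.0.2.0/24 is a documentation range, not real addresses).
SAMPLE_REPORT = """\
The host responded 4 times to 4 TCP SYN probes sent to destination port 1027 using source port 25.
The host responded 4 times to 4 TCP SYN probes sent to destination port 1027 using source port 53.
"""
SAMPLE_HOSTS = """\
127.0.0.1   localhost
192.0.2.10  patch.landesk.com      # static entry
192.0.2.11  PatchEC.landesk.com patchemea.landesk.com
#192.0.2.12 license.landesk.com    (commented out, so it does not count)
"""

if __name__ == "__main__":
    print(parse_findings(SAMPLE_REPORT))
    print("missing static entries:", missing_host_entries(SAMPLE_HOSTS))
```

    Any name the second function returns would stop resolving once DNS is blocked at the firewall, so it needs a manual host entry first.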

     

    Vulnerability: LANDesk Management Gateway OS Command Injection Vulnerability

    CVE ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2892

    Threat: A security vulnerability was discovered in LANDesk Management Suite because the LANDesk Web application does not sufficiently verify whether a well-formed request was provided by the user who submitted the request.

    Affected Versions: 4.0-1.48 and 4.2-1.8.

    Solution: Apply patch GSBWEB-62, which removes the affected file "Drivers.php". A special request to pass the vulnerability will also need to be made to the scanner application manufacturer (Example: QualysGuard), because the scan looks for the version of the Gateway and not whether it has been patched. The special request should be submitted by the person running the security scan and include the vulnerability information along with a statement that the patch has been applied to the Gateway.

     

    Vulnerability: SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Vulnerability

    CVE ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389

    Threat: In SSLv3.0 and TLSv1.0 implementations, the choice of CBC mode usage was poor because the entire traffic shares one CBC session with a single set of initial IVs.

    Solution: Update OpenSSH to version 5.8 or higher. A patch should be available for the 4.2 version of the Management Gateway.

     

    Vulnerability: TLS Protocol Session Renegotiation Security Vulnerability

    Solution: The Cloud Services Appliance isn't affected by this vulnerability. Statement: "The Gateway uses SSL renegotiation but due to the way we implement the negotiation we are not vulnerable to this vulnerability".