WAN Failing PCI compliance - http on MX100

Here to help

I ran a PCI scan and the WAN interfaces are both coming up as failed with the following:

1. CGI abuses : XSS
JQuery 1.x < 1.12.0 / 2.x < 2.2.0 XSS
Reason: The remote web server is affected by a cross site scripting vulnerability.
PCI details: medium
Port: 80 / tcp / www
Host name: -
Host OS: -
Result:

URL : http: x . x . x . x .hfc.comcastbusiness.net/third_party/jquery/jquery-1.10.1.min.js
Installed version : 1.10.1
Fixed version : 1.12.0

2. Web Server HTTP Header Information Disclosure

80 / tcp / www

Host OS: -
Result:

Server type : lighttpd
Server version : 1.4.39
Source : lighttpd/1.4.39
Solution: Modify the HTTP headers of the web server to not disclose detailed information about the underlying web server.

Anyone know how to resolve these two issues??

I've searched with no answers.

 

Thanks

Doug

1 ACCEPTED SOLUTION

Here to help

Re: WAN Failing PCI compliance - http on MX100

AHHH HA...

 

I figured it out. (Like I said, this is a completely new setup.)

So I went to the Firewall configuration page in my Meraki mgmt console / and I found under

Security appliance services: Web (local status & configuration) ANY  / see screenshot

I changed it to None.. waited a minute and tested again...

 

BOOM! No More WAN Meraki web config page!!!

 

I hope this helps someone else in the future.

 

Thanks

Doug

6 REPLIES
Kind of a big deal

Re: WAN Failing PCI compliance - http on MX100

This means you are NAT'ing port 80 on the WAN IP through to an internal server - and that server has the vulnerabilities.

Here to help

Re: WAN Failing PCI compliance - http on MX100

Hello Phillip, thanks for taking time to respond.

 

When I put in the WAN IPs that are failing... the Meraki web interface comes up.

I have no NATs, no VPN .. it's a new install. I'm testing the PCI scans before I switch over to the new Meraki firewalls.

 

Is there a place to disable that somewhere??

 

Please advise.

 

Thanks

Doug

Kind of a big deal

Re: WAN Failing PCI compliance - http on MX100

How could the Meraki web interface come up if you haven't switched over to them?

 

Is this some kind of internal scan you are running?

Here to help

Re: WAN Failing PCI compliance - http on MX100

My SonicWalls are running production; I have set up all the new Meraki gear alongside the current infrastructure, and configured the Meraki MX100 WAN ports using additional IPs we have.

I can hit the Meraki MX100 config webpages from the outside using the WAN IP and TeamViewer from my home.

No, the PCI scan is from pcicompliancemanager . com

Here to help

Re: WAN Failing PCI compliance - http on MX100

**MORE INFO**
I reviewed my MX100s and note: I have 2 MX100s in passive HA mode..

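A re-check for the two findings in this thread, as an added example that is not part of the original posts or Meraki's tooling: it parses a captured HTTP response for the lighttpd banner and a jQuery version in the flagged ranges, and tests whether port 80 still answers after the setting change. The function names, the sample response and the 192.0.2.10 placeholder address are assumptions.

```python
import re
import socket

# Fixed versions quoted in the scan finding: 1.x < 1.12.0 / 2.x < 2.2.0
JQUERY_FIXED = {1: (1, 12, 0), 2: (2, 2, 0)}

def port_open(host, port=80, timeout=3.0):
    """True if a TCP connection to host:port succeeds (service still exposed)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def server_banner(raw_headers):
    """Return the Server header value if it discloses product/version, else None."""
    m = re.search(r"^Server:[ \t]*(\S+/[\d.]+)", raw_headers, re.I | re.M)
    return m.group(1) if m else None

def flagged_jquery(body):
    """Return jQuery versions referenced in the page that fall in the flagged ranges."""
    hits = []
    for ver in re.findall(r"jquery-(\d+\.\d+\.\d+)(?:\.min)?\.js", body, re.I):
        parts = tuple(int(p) for p in ver.split("."))
        fixed = JQUERY_FIXED.get(parts[0])
        if fixed and parts < fixed:
            hits.append(ver)
    return hits

def findings(raw_headers, body):
    """Reproduce the two scanner findings from one captured HTTP response."""
    out = []
    banner = server_banner(raw_headers)
    if banner:
        out.append("header disclosure: " + banner)
    out += ["jquery xss: " + v for v in flagged_jquery(body)]
    return out

# Constructed sample response, built from the values in the scan report above.
SAMPLE_HEADERS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: lighttpd/1.4.39\r\n\r\n"
SAMPLE_BODY = '<script src="/third_party/jquery/jquery-1.10.1.min.js"></script>'

if __name__ == "__main__":
    print(findings(SAMPLE_HEADERS, SAMPLE_BODY))
    # 192.0.2.10 is a documentation placeholder; substitute your own WAN IP.
    print("port 80 reachable:", port_open("192.0.2.10", timeout=2.0))
```

Once the local status page is no longer served on the WAN side, `port_open` should return False for the WAN address and there is no response left to evaluate.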