WAN Failing PCI compliance - http on MX100

Solved
DouggieFresh
Here to help


I ran a PCI scan and the WAN interfaces are both coming up as failed with the following:

1. CGI abuses : XSS
JQuery 1.x < 1.12.0 / 2.x < 2.2.0 XSS
Reason: The remote web server is affected by a cross site scripting vulnerability.
PCI details: medium
Port: 80 / tcp / www
Host name: -
Host OS: -
Result:

URL : http://x.x.x.x.hfc.comcastbusiness.net/third_party/jquery/jquery-1.10.1.min.js
Installed version : 1.10.1
Fixed version : 1.12.0

2. Web Server HTTP Header Information Disclosure
Port: 80 / tcp / www
Host OS: -
Result:

Server type : lighttpd
Server version : 1.4.39
Source : lighttpd/1.4.39
Solution: Modify the HTTP headers of the web server to not disclose detailed information about the underlying web server.

Anyone know how to resolve these two issues?

I've searched with no answers.

Thanks

Doug

9 Replies
PhilipDAth
Kind of a big deal

This means you are NAT'ing port 80 on the WAN IP through to an internal server - and that server has the vulnerabilities.

DouggieFresh
Here to help

Hello Philip, thanks for taking time to respond.

When I put in the WAN IPs that are failing, the Meraki web interface comes up.

I have no NATs, no VPN. It's a new install. I'm testing the PCI scans before I switch over to the new Meraki firewalls.

Is there a place to disable that somewhere?

Please advise.

Thanks

Doug

[attachment: meraki WAN.jpg]

PhilipDAth
Kind of a big deal

How could the Meraki web interface come up if you haven't switched over to them?

Is this some kind of internal scan you are running?

DouggieFresh
Here to help

My SonicWalls are running production; I have set up all the new Meraki gear alongside the current infrastructure, and configured the Meraki MX100 WAN ports using additional IPs we have.

I can hit the Meraki MX100 config web pages from the outside using the WAN IP and TeamViewer from my home.

No, the PCI scan is from pcicompliancemanager.com.

DouggieFresh
Here to help

**MORE INFO**
I reviewed my MX100s and note: I have 2 MX100s in passive HA mode..

DouggieFresh
Here to help

AHHH HA...

I figured it out. (Like I said, this is a completely new setup.)

So I went to the Firewall configuration page in my Meraki mgmt console and I found, under

Security appliance services: Web (local status & configuration) ANY (see screenshot)

I changed it to None, waited a minute and tested again...

BOOM! No more WAN Meraki web config page!!!

I hope this helps someone else in the future.

Thanks

Doug

[attachment: 2018-12-06 15_09_54-.png]

Laukik
Here to help

Hi Philip,

Even I'm facing the same issue as @DouggieFresh. I'm connected to my home broadband and when I try http://<Meraki_Public_IP>/#connection, I can retrieve Hostname, Network Name, Hardware address (MAC), model, etc.

Any help to overcome this vulnerability will be really helpful.

Thanks,

L

Laukik
Here to help

Hi @DouggieFresh,

How were you able to resolve this issue?

Thanks,

L

PhilipDAth
Kind of a big deal

You do exactly what @DouggieFresh did: go to Firewall configuration / Security appliance services and either disable the local status page or limit the IP addresses it can be accessed from.
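A way to confirm the fix from the outside, as an added example that is not part of this thread and not Meraki or scanner code: the script below re-implements, in simplified form, the two checks the quoted scan result tests for (a jQuery bundle older than the fixed release and a Server header that discloses the web server version) and runs them over HTTP responses. The responses are constructed samples modelled on the scan output above, not captures from an MX100; in practice you would feed it what curl returns from the WAN IP on port 80 before and after changing the Web service to None.

```python
"""Re-run the two PCI scanner checks from this thread against HTTP responses.

Added example for this thread; it is not Meraki code and not the scanner's
code. It re-implements, in simplified form, what the two quoted findings
test for: a jQuery bundle older than the fixed release (1.x < 1.12.0,
2.x < 2.2.0) and a Server header that discloses the web server version.
The responses below are constructed samples, not captures from an MX100.
"""
import re
from typing import List, Optional

# Fixed versions quoted in the scan result.
JQUERY_FIXED = {1: (1, 12, 0), 2: (2, 2, 0)}

# Script names of the form jquery-1.10.1.min.js, as in the scan's URL.
JQUERY_SRC = re.compile(r"jquery-(\d+)\.(\d+)\.(\d+)(?:\.min)?\.js", re.I)
# "Server: lighttpd/1.4.39" -> product and version; a bare "Server: lighttpd"
# carries no version and is not flagged.
SERVER_VERSION = re.compile(r"^server:\s*([a-z0-9_.-]+)/([\d.]+)", re.I | re.M)


def check_response(raw: Optional[str]) -> List[str]:
    """Return the findings a scanner would raise for one raw HTTP response.

    None models "no response at all": after the local status page is disabled
    on the WAN (Security appliance services -> Web -> None), port 80 no longer
    answers, so neither check can fire.
    """
    if raw is None:
        return []
    head, _, body = raw.partition("\r\n\r\n")
    findings = []

    m = SERVER_VERSION.search(head)
    if m:
        findings.append(f"header disclosure: {m.group(1)}/{m.group(2)}")

    for major, minor, patch in (tuple(map(int, t)) for t in JQUERY_SRC.findall(body)):
        fixed = JQUERY_FIXED.get(major)
        if fixed and (major, minor, patch) < fixed:
            findings.append(f"jquery {major}.{minor}.{patch} < {'.'.join(map(str, fixed))}")
    return findings


# Constructed sample: what the exposed local status page looked like per the scan.
BEFORE_FIX = (
    "HTTP/1.1 200 OK\r\n"
    "Server: lighttpd/1.4.39\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><script src="/third_party/jquery/jquery-1.10.1.min.js"></script>'
    "</head><body>Local status</body></html>"
)

# After the WAN Web service is set to None, the scanner gets no HTTP response.
AFTER_FIX = None

if __name__ == "__main__":
    for label, resp in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, check_response(resp) or "clean")
```

If you need the local status page reachable remotely rather than disabled, restrict its allowed source IPs as PhilipDAth describes; the check above will then report "clean" from any address outside that allow list and still flag the page from inside it, which is the expected result.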
