WAN Failing PCI compliance - http on MX100
I ran a PCI scan and the WAN interfaces are both coming up as failed with the following:
Reason: The remote web server is affected by a cross site scripting vulnerability.
PCI details: medium
Port: 80 / tcp / www
Host name: -
Host OS: -
Result: URL : http: x . x . x . x .hfc.comcastbusiness.net/third_party/jquery/jquery-1.10.1.min.js Installed version : 1.10.1 Fixed version : 1.12.0
2. Web Server HTTP Header Information Disclosure
Port: 80 / tcp / www
Host OS: -
Result: Server type : lighttpd Server version : 1.4.39 Source : lighttpd/1.4.39
Solution: Modify the HTTP headers of the web server to not disclose detailed information about the underlying web server.
Anyone know how to resolve these two issues??
I've searched with no answers.
Thanks
Doug
AHHH HA...
I figured it out. (Like I said, this is a completely new setup.)
So I went to the Firewall configuration page in my Meraki mgmt console, and I found under
Security appliance services: Web (local status & configuration) ANY (see screenshot).
I changed it to None, waited a minute and tested again...
BOOM! No More WAN Meraki web config page!!!
I hope this helps someone else in the future.
Thanks
Doug
This means you are NAT'ing port 80 on the WAN IP through to an internal server - and that server has the vulnerabilities.
Hello Phillip, thanks for taking time to respond.
When I put in the WAN IPs that are failing... the Meraki web interface comes up.
I have no NATs, no VPN... it's a new install. I'm testing the PCI scans before I switch over to the new Meraki firewalls.
Is there a place to disable that somewhere??
Please advise.
Thanks
Doug
How could the Meraki web interface come up if you haven't switched over to them?
Is this some kind of internal scan you are running?
My SonicWalls are running production; I have set up all the new Meraki gear alongside the current infrastructure, and configured the Meraki MX100 WAN ports using additional IPs we have.
I can hit the Meraki MX100 config web pages from the outside using the WAN IP and TeamViewer from my home.
No, the PCI scan is from pcicompliancemanager.com.
**MORE INFO**
I reviewed my MX100s and note: I have 2 MX100s in passive HA mode.
Hi Philip,
I'm facing the same issue as @DouggieFresh. I'm connected to my home broadband and when I browse to http://<Meraki_Public_IP>/#connection, I can retrieve Hostname, Network Name, Hardware address (MAC), model, etc.
Any help to overcome this vulnerability will be really helpful.
Thanks,
L
You do exactly what @DouggieFresh did, and go to Firewall configuration/Security Services and either disable the local status page or limit the IP addresses it can be accessed from.
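A defender-side check, added here and not from the thread or from Meraki: given the raw HTTP response a PCI scanner would receive from the WAN IP on port 80, it reproduces the two findings in Doug's report (a version-bearing Server header and a jQuery older than the 1.12.0 the scan calls fixed) and flags whether the body is the MX local status page, so the result can be compared before and after changing the Web (local status & configuration) setting. Both sample responses are constructed for the example.

```python
import re
from typing import List

# Constructed sample: what the PCI scanner saw on the MX100 WAN IP, port 80,
# before the local status page was turned off (Server header and jQuery path
# as in the scan result quoted in the thread).
BEFORE_FIX = (
    "HTTP/1.1 200 OK\r\n"
    "Server: lighttpd/1.4.39\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><head><title>Local status &amp; configuration</title>"
    '<script src="/third_party/jquery/jquery-1.10.1.min.js"></script>'
    "</head><body></body></html>"
)
# Constructed sample: a response that discloses no version and serves a
# jQuery at or above the fixed version.
AFTER_FIX = (
    "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
    '<html><head><script src="/js/jquery-3.6.0.min.js"></script></head></html>'
)
JQUERY_FIXED = (1, 12, 0)  # "Fixed version" named in the scan result


def parse_version(text: str) -> tuple:
    """Turn '1.10.1' into (1, 10, 1) so versions compare numerically."""
    return tuple(int(p) for p in text.split("."))


def audit_response(raw: str) -> List[str]:
    """Return the scan-style findings a raw HTTP response would trigger."""
    findings = []
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Header information disclosure: a product version in the Server header
    server = headers.get("server", "")
    if re.search(r"/\d+(?:\.\d+)+", server):
        findings.append(f"header disclosure: Server: {server}")
    # Outdated jQuery: any jquery-<ver>.min.js older than the fixed version
    for m in re.finditer(r"jquery-(\d+(?:\.\d+)+)\.min\.js", body):
        if parse_version(m.group(1)) < JQUERY_FIXED:
            findings.append(f"outdated jquery {m.group(1)} (fixed in 1.12.0)")
    # The body itself identifies the MX local status page
    if "local status" in body.lower():
        findings.append("MX local status page reachable on this interface")
    return findings
```

Feed it the real response captured from your own WAN IP after the change; an empty list (or no response at all once the service is set to None) is what the rescan should then report.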
