PCI Scan error



  • I am getting errors on the PCI Scan such as listed below along with a few others. Has anyone seen this? We are using a SG-2440 on firmware version
    2.3.2-RELEASE (amd64)
    built on Wed Jul 20 10:29:55 CDT 2016
    FreeBSD 10.3-RELEASE-p5

    Lighttpd Remote Privilege Escalation Vulnerability, CVE-2013-4559

    Lighttpd SQL Injection Vulnerability in mod_mysql_vhost.c, CVE-2014-2323

    Lighttpd SNI Weak Cipher Configuration Vulnerability, CVE-2013-4508

    Lighttpd Multiple Directory Traversal Vulnerabilities, CVE-2014-2324



  • @bwelch said in PCI Scan error:

    2.3.2-RELEASE (amd64)

    Your first action should be to update to the current version.



  • @dotdash

    Thanks for the quick response.

    That is on my list to do this weekend. Do you know if that corrects this error? It looks like I have to go to 2.3.3_1 first, which is listed on the Dashboard; then I would assume it will notify me of the update to 2.3.3_2.

    Just trying to find out if that will fix it or if the issue is related to something else.

    In any case I will be upgrading this weekend.



  • Current version is 2.4.3-p1. I would save the config, install 2.4.3, restore, and update to p1.
    I haven't gone over all the release notes, but there's a good chance those have been fixed.
    Edit- Just saw those are lighttpd hits; the web gui now uses nginx, so those are definitely fixed.


  • Netgate

    The webgui and captive portal were switched to nginx in pfSense 2.3.0 so if the scanner is seeing lighttpd on 2.3.2 it is from something else.

    Could be pfBlocker+DNSBL or Lightsquid I think. Maybe others.
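    A defender-side check that follows from the explanation above: on pfSense, `sockstat -4 -l` shows which process owns each listening socket, so you can attribute the lighttpd banner the scanner saw (nginx for the GUI versus lighttpd for a package) and compare externally bound listeners against the services the business actually needs. This is an added example, not code from the thread or from pfSense; the sockstat output below is constructed and its port numbers are placeholders.

```python
from typing import Dict, List, Tuple

# Constructed sample of `sockstat -4 -l` output (illustrative values only;
# the lighttpd port numbers are placeholders, not pfBlocker's real ones).
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      1234  6  tcp4   *:443                 *:*
root     nginx      1234  7  tcp4   *:80                  *:*
root     lighttpd   2345  4  tcp4   *:8081                *:*
root     lighttpd   2345  5  tcp4   127.0.0.1:8082        *:*
unbound  unbound    3456  5  udp4   127.0.0.1:53          *:*
root     openvpn    4567  6  udp4   *:1194                *:*
"""

Listener = Tuple[str, str, int]  # (command, local address, port)


def parse_sockstat(text: str) -> List[Listener]:
    """Parse sockstat's whitespace-separated columns into (command, addr, port)."""
    entries: List[Listener] = []
    for line in text.splitlines()[1:]:  # first row is the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        command, local = fields[1], fields[5]
        addr, _, port = local.rpartition(":")  # "*:443" -> ("*", ":", "443")
        entries.append((command, addr, int(port)))
    return entries


def lighttpd_ports(entries: List[Listener]) -> List[int]:
    """Every port lighttpd is bound on, loopback included, for attribution."""
    return sorted(port for cmd, _, port in entries if cmd == "lighttpd")


def exposed_listeners(entries: List[Listener], allowed_ports: set) -> Dict[int, str]:
    """Listeners reachable beyond loopback whose port is not a needed service.

    Anything reported here is a candidate for a firewall rule review before
    the next scan: the GUI, package web servers and so on should not be in it.
    """
    findings: Dict[int, str] = {}
    for command, addr, port in entries:
        if addr.startswith("127.") or port in allowed_ports:
            continue
        findings[port] = command
    return findings


if __name__ == "__main__":
    listeners = parse_sockstat(SAMPLE_SOCKSTAT)
    print("lighttpd ports:", lighttpd_ports(listeners))
    print("exposed:", exposed_listeners(listeners, {1194}))
```

On a real box, feed `sockstat -4 -l` output in place of the constructed sample and list only the ports your WAN rules intentionally pass as `allowed_ports`.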


  • Rebel Alliance Global Moderator

    Why would your admin gui be open to the public net anyway? There is ZERO reason for the firewall to open up those ports to pass a PCI compliance scan.

    The only thing that should be open on your box during the scan is actual services NEEDED to be open for you to do your business. That is not the gui, that is not anything else. If you're forwarding traffic into 80 for some webserver you're running behind pfSense, then what is running that needs to meet compliance?



  • I wonder if that is the security camera that has remote viewing causing the issue. It is on a different port and a different IP scheme with no access to the LAN network, but I guess the PCI scan would look at all ports and scan the camera as well.


  • Netgate

    Port forwarding in to a security camera and PCI compliance are pretty much mutually-exclusive. Set up a VPN if you need to access the camera from the outside.