TCP Source Port Pass Firewall

Posted: 04 Jun 2024, 17:59
by MH-Stefan
Hello,

For some reason on one of our servers the following test of a PCI scan fails:
TCP Source Port Pass Firewall

PCI Severity Level: The vulnerability is not included in the NVD.

VULNERABILITY DETAILS
CVSS Base Score: 5
CVSS Temporal Score: 3.6
Severity: 3
QID:34000
Category: Firewall
Last Update: 2017-07-10 17:52:41.0

THREAT:
Your firewall policy seems to let TCP packets with a specific source port pass through.

IMPACT:
Some types of requests can pass through the firewall. The port number listed in the results section of this vulnerability report is the source port that unauthorized users can use to bypass your firewall.

SOLUTION:
Make sure that all your filtering rules are correct and strict enough. If the firewall intends to deny TCP connections to a specific port, it should be configured to block all TCP SYN packets going to this port, regardless of the source port.

RESULT:
The host responded 4 times to 4 TCP SYN probes sent to destination port 24567 using source port 53. However, it did not respond at all to 4 TCP SYN probes sent to the same destination port using a random source port.

I was unable to find out which CSF options might be related to this. I've found a thread saying that this vulnerability was addressed in CSF v3.01, but that is quite old and the changelog doesn't give me any ideas.

Thanks in advance for any suggestions!
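The finding quoted in the post boils down to one question: does the firewall decide on a bare SYN using only the destination port, or does some rule also key on the source port? The following is an added example, not code from the thread, from CSF or from the scanner vendor. It models two hypothetical rulesets as Python functions (`weak_policy`, which accepts anything from TCP source port 53 in the way a stateless "allow DNS replies" rule would, and `strict_policy`, which admits replies through connection tracking and judges new SYNs by destination port only) and then runs the same probe pattern the RESULT section describes against each. The open-port list and probe counts are constructed for the illustration.

```python
"""Toy packet-filter evaluator reproducing the QID 34000 probe pattern.

Hypothetical example, not CSF or scanner code: the policies, the open-port
list and the probe counts are constructed for illustration only.
"""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Packet:
    proto: str
    sport: int
    dport: int
    syn: bool = True           # bare SYN: a new inbound connection attempt
    established: bool = False  # would conntrack mark it ESTABLISHED/RELATED?


# Constructed list of services the host legitimately exposes.
OPEN_PORTS = frozenset({22, 80, 443})


def weak_policy(pkt: Packet) -> str:
    """Stateless ruleset with a classic mistake: to let DNS replies back in,
    it accepts any TCP packet whose *source* port is 53, so a SYN that merely
    carries sport 53 reaches every destination port, including closed ones."""
    if pkt.proto == "tcp" and pkt.sport == 53:
        return "ACCEPT"                       # the hole: source-port match
    if pkt.proto == "tcp" and pkt.dport in OPEN_PORTS:
        return "ACCEPT"
    return "DROP"


def strict_policy(pkt: Packet) -> str:
    """Stateful ruleset: reply traffic is admitted via connection tracking,
    and a new SYN is judged only by its destination port, never its source."""
    if pkt.established:
        return "ACCEPT"                       # replies, whatever the source port
    if pkt.proto == "tcp" and pkt.syn and pkt.dport in OPEN_PORTS:
        return "ACCEPT"
    return "DROP"


def source_port_check(policy, dport, fixed_sport=53, probes=4, rng=None):
    """Mimic the scanner: send SYN probes to dport with a fixed source port,
    then with random high source ports. Returns (answered_fixed, answered_random).
    A packet the policy ACCEPTs is assumed to elicit a response (SYN/ACK or RST),
    a DROPped one to elicit nothing, which is what the scanner observes."""
    rng = rng or random.Random(0)
    answered_fixed = sum(
        policy(Packet("tcp", fixed_sport, dport)) == "ACCEPT" for _ in range(probes)
    )
    answered_random = sum(
        policy(Packet("tcp", rng.randint(1024, 65535), dport)) == "ACCEPT"
        for _ in range(probes)
    )
    return answered_fixed, answered_random


def source_port_pass(policy, dport, **kw) -> bool:
    """True when the host answers probes carrying the fixed source port but
    none of the random-source-port probes: the behaviour the finding reports."""
    fixed, rnd = source_port_check(policy, dport, **kw)
    return fixed > 0 and rnd == 0


if __name__ == "__main__":
    for name, pol in (("weak", weak_policy), ("strict", strict_policy)):
        print(name, "dport 24567:", source_port_check(pol, 24567),
              "flagged:", source_port_pass(pol, 24567))
```

Against `weak_policy`, destination port 24567 answers 4 of 4 probes from source port 53 and 0 of 4 from random source ports, exactly the asymmetry in the RESULT section; against `strict_policy` it answers none either way, and a genuinely open port such as 443 answers both sets, so the check only flags ports whose reachability depends on the source port. On a real host the equivalent check is to compare the rulesets for any `--sport`-only ACCEPT rule that is not tied to connection state.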

Re: TCP Source Port Pass Firewall

Posted: 12 Jun 2024, 11:16
by MH-Stefan
This can be closed, as we've found out eventually that part of the scan (including this check) was performed on a CloudFlare IP address instead of our server.