
One of our web servers just failed PCI-DSS compliance because the vulnerability scan detected the OS was Windows Server 2003 Service Pack 1 (obviously very outdated!).

My question is: how did the vuln scan detect this? I can't seem to find a way to source the same information without having AD access to that box (it's on a service provider's network). Even with nmap, it only provides guesses at the OS version:

Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (99%)

So how do I verify this before sending a very, very angry email to our provider? If this is accurate, then I'd say this is negligence and my email tone to them won't be very good.

I have no login access to this box.

Falcon Momot
SnakeDoc
  • If it is a web server, it could be leaking information about the version of IIS in an HTTP response. It could be that there is some bug or vulnerability that was detected that would have been handled by SP2. – Zoredache May 08 '13 at 21:17
  • Detected version of IIS by nmap is 6.0 (as expected for a 2003 box). The vuln report simply lists all of the CVEs that SP2 patched... a couple hundred. Is there a way for me to discover the "leaked info" from IIS if there is any? I've thrown just about every nmap flag at it I could think of... – SnakeDoc May 08 '13 at 21:22
  • Why not ask the company that performed the audit? Or check the docs related to that tool? – Zoredache May 08 '13 at 21:23
  • Unfortunately the vuln scanner (TrustWave) doesn't really have any person I could call. The PCI scans are required for our industry, so we just chose one that seemed reputable years ago. I think our provider did a reinstall on a fresh box and moved our stuff to it and then never patched/updated that box. Asking our provider outright won't get me anywhere because they will just say "oh ya, it's mis-reported", or "it's patched now". I want to come at them hard because this is serious. We deal with credit card data on that box. – SnakeDoc May 08 '13 at 21:25
  • I kinda wonder if this would get better results over on security.stackexchange.com. It seems like they might know what magical methods are commonly being used in vuln scanners these days. – Zoredache May 08 '13 at 21:32
  • Does your contract with the provider include them keeping the server up to date with patches? If not, then patching it is your responsibility, not theirs. – joeqwerty May 08 '13 at 21:35
  • @joeqwerty as mentioned in my OP, I (we) have no login access to the box. It's the service provider's responsibility to maintain that box, and they claim their network is 100% PCI-DSS compliant (which we now know it is not). – SnakeDoc May 08 '13 at 22:07
  • @Zoredache thanks for the advice. I got so steamed over this issue I just fired off my extremely angry email. – SnakeDoc May 08 '13 at 22:12
  • @Zoredache I had no idea there was now a security.stackexchange.com... geez... there are FAR too many Stack Exchanges now... each with almost no userbase, and they end up not being helpful in the slightest. ... I digress... – SnakeDoc May 08 '13 at 22:13

1 Answer


That "Aggressive OS guesses" line is based on what nmap (or an nmap-like scanner) was able to match against its fingerprint database. While it claims that it is "99%" confident, that claim means it's confident based on what it knows about other OSes' fingerprints. It is possible that Win2k3 SP3 and higher have identical fingerprints because those hotfixes did not touch the TCP/IP or UDP/IP stack or the server signature in any way.

The only sure way to know if a server is vulnerable to all the claimed CVEs is to actually try to exploit them. But doing that will probably get you into hot water :)

Since you also don't have direct access to the server itself, your best bet is to request (or even demand) that they provide you with a list of all installed hotfixes on the server. It can be easily accomplished with the command wmic qfe list.

voretaq7
Mxx
  • Better late than never? lol. I actually forgot about this post. I think the problem at the time was a 3rd party vuln scanner was flagging the box as being SP1 (it correctly identifies other SP levels on other boxes and includes them in the report). The nmap portion was just me seeing if I could glean the same information. I imagine they do some analysis of packet headers and server responses to determine a "profile" for certain versions of certain software. – SnakeDoc Jan 24 '14 at 22:47
  • @SnakeDoc this question floated up in the queue..didn't look at the date asked. :) – Mxx Jan 24 '14 at 22:49
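Worked example (added here; not part of the answer or the original post): a PowerShell script the provider could run on the host to produce the evidence the answer asks for. It reads the service pack level from Win32_OperatingSystem, which is the authoritative source for "SP1 vs SP2" (wmic qfe list only enumerates installed hotfixes from Win32_QuickFixEngineering), then lists those hotfixes one per line so two reports can be diffed. The expected service pack level (2), the report path and the -ComputerName parameter are assumptions.

```powershell
# Added example, not from the original post. Run on the Server 2003 host
# (or against it with -ComputerName, which needs admin rights on the target).
param(
    [int]$ExpectedServicePack = 2,                    # assumption: SP2 is the required level
    [string]$ComputerName = '.',                      # assumption: local host by default
    [string]$ReportPath = "$env:TEMP\patch-evidence.txt"  # assumption: where to save the report
)

# Service pack level lives in Win32_OperatingSystem; the QFE class lists
# hotfixes only, so checking the hotfix list alone does not prove the SP level.
$os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
$hotfixes = @(Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $ComputerName |
    Sort-Object HotFixID)

$lines = @()
$lines += "Host:          $($os.CSName)"
$lines += "OS:            $($os.Caption) $($os.CSDVersion)"
$lines += "Build:         $($os.Version)"
$lines += "Service pack:  $($os.ServicePackMajorVersion).$($os.ServicePackMinorVersion)"
$lines += "Last boot:     $($os.ConvertToDateTime($os.LastBootUpTime))"
$lines += "Hotfix count:  $($hotfixes.Count)"
$lines += ""

# The check a PCI reviewer actually cares about: is the installed SP at or above the required one?
if ([int]$os.ServicePackMajorVersion -lt $ExpectedServicePack) {
    $lines += "FAIL: installed service pack $($os.ServicePackMajorVersion) is below the required SP$ExpectedServicePack"
} else {
    $lines += "OK: installed service pack meets or exceeds SP$ExpectedServicePack"
}
$lines += ""

# One hotfix per line (same data as 'wmic qfe list'), fixed-width so reports diff cleanly.
$lines += "{0,-12} {1,-16} {2}" -f 'HotFixID', 'InstalledOn', 'Description'
foreach ($fix in $hotfixes) {
    $lines += "{0,-12} {1,-16} {2}" -f $fix.HotFixID, $fix.InstalledOn, $fix.Description
}

$lines | Out-File -FilePath $ReportPath -Encoding ASCII
$lines   # also echo to the console
```

The report is plain ASCII so it can be attached to the provider correspondence as-is and compared against a later run once they claim the box is patched.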