DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

PCI Compliance - TCP reset using approximate sequence number

08 Aug 2013 11:42 #77301 by digitalquill
Hi all

I am currently working on getting our systems PCI compliant (credit card security). We currently pass the external scans, but it has highlighted the following issue at level 5. Can anyone interpret this and give me an indication as to what I need to do on the router to fix it? It talks about filtering incoming TCP connections; however, I block everything apart from connections from specific IP addresses.

I have a DrayTek 2860n.

See below

Thanks

Matt


Title: TCP reset using approximate sequence number

Impact: A remote attacker could cause a denial of service on systems which rely upon persistent TCP connections.

Resolution: To correct this problem on Cisco devices, apply one of the fixes referenced in the Cisco security advisories for [http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml] IOS and [http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml] non-IOS operating systems. Refer to [http://www.kb.cert.org/vuls/id/415294#systems] US-CERT Vulnerability Note VU#415294 and [http://www.uniras.gov.uk/niscc/docs/re-20040420-00391.pdf?lang=en] NISCC vulnerability advisory 236929 for other vendor fixes.

If a fix is not available, this problem can be worked around by using a secure protocol such as [http://rfc.net/rfc2411.html] IPsec, or by filtering incoming connections to services such as BGP which rely on persistent TCP connections at the firewall, such that only allowed addresses may reach them.

Risk Factor: Medium / CVSS2 Base Score: 5.0

08 Aug 2013 12:02 #77303 by dave32
Hi,

I assume you are using Security Metrics (www.securitymetrics.com)?

We noticed this last night as well on our reports. However, looking back at previous reports, the issue is not there. The only thing we have done is upgrade the firmware to the latest release.

As you, we also set the firewall default policy to block all and only allow in for ports we need.

08 Aug 2013 12:09 #77304 by digitalquill
Thanks Dave32

Yes, SecurityMetrics.

We do not fail due to this, but it is 5 on their risk scale and I am told 6 is a fail, so I would like to get the risk lowered.

Did upgrading the firmware fix yours? Ours is new and on the latest firmware.

I assume there must be a firewall rule I can set up, but I am not sure what it is actually telling me.

Matt

08 Aug 2013 18:50 #77308 by dave32
No. Running the latest firmware may have caused this alert on the report.

12 Aug 2013 09:57 #77363 by digitalquill
Ah, I see. Do we know how we can sort it? Ironically, the obvious solution is to downgrade to an older firmware, but that also breaks PCI 'all updates and patches are installed within xxx... etc'

Anyone from DrayTek here that can give any clarity on what needs to be done? Is it a firmware issue or something we need to configure a firewall rule for?

Thanks

Matt


Moderators: ChrisSami