Vulnerability Scans Remote Support 15.1

Transcription

1 Vulnerability Scans Remote Support Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property of their respective owners. TC:4/23/215

2 VULNERABILITY SCANS REMOTE SUPPORT 15.1 Table of Contents About Vulnerability Scanning 3 IBM Security AppScan Report 4 Nexpose Scan Report 15 QualysGuard PCI Scan Results 29 CONTACT BOMGAR info@bomgar.com (US) +44 () (UK/EMEA) BOMGAR.COM Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property of their respective owners. TC: 4/23/215

3 VULNERABILITY SCANS REMOTE SUPPORT 15.1 About Vulnerability Scanning To ensure the security and value of our product, Bomgar incorporates vulnerability scanning in our software testing process. We eagerly commit to addressing, with the utmost urgency, security vulnerabilities as they are detected by industry security professionals. We track the results of vulnerability scans performed prior to a software release and prioritize resolution based on severity and criticality of any issues uncovered. Should a critical or high-risk vulnerability surface after a software release, a subsequent maintenance version release addresses the vulnerability. Updated maintenance versions are distributed to our customers via the update manager interface within the Bomgar administrative interface. Where necessary, Bomgar Technical Support will contact customers directly, describing special procedures to follow to obtain an updated maintenance version. Our customers can rely on our commitment to address security issues at our earliest opportunity. Note: The contents of this document comprise the latest scan results from IBM Security AppScan, Nexpose, and QualysGuard. All scans were performed against an installation of Bomgar CONTACT BOMGAR info@bomgar.com (US) +44 () (UK/EMEA) BOMGAR.COM Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property of their respective owners. TC: 4/23/215

4 Web Application Report Thisreportincludesimportantsecurityinformationaboutyourweb application. The Payment Card Industry Data Security Standard (PCI DSS) Compliance Report ThisreportwascreatedbyIBMSecurityAppScanStandard9...1,Rules:1718 Scanstarted:4/2/2159::24AM

5 Regulations The Payment Card Industry Data Security Standard (PCI) Version 3. Summary ThePaymentCardIndustryDataSecurityStandard(PCIDSS)wasdevelopedtoencourageandenhancecardholder datasecurityandfacilitatethebroadadoptionofconsistentdatasecuritymeasuresglobally.pcidssprovidesa baselineoftechnicalandoperationalrequirementsdesignedtoprotectcardholderdata. PCIDSScomprisesaminimumsetofrequirementsforprotectingcardholderdata,andmaybeenhancedby additionalcontrolsandpracticestofurthermitigaterisks,aswellaslocal,regionalandsectorlawsandregulations. Additionally,legislationorregulatoryrequirementsmayrequirespecificprotectionofpersonallyidentifiable informationorotherdataelements(forexample,cardholdername).pcidssdoesnotsupersedelocalorregional laws,governmentregulations,orotherlegalrequirements. ThePCIDSSsecurityrequirementsapplytoallsystemcomponentsincludedinorconnectedtothecardholderdata environment.thecardholderdataenvironment(cde)iscomprisedofpeople,processesandtechnologiesthatstore, process,ortransmitcardholderdataorsensitiveauthenticationdata. Systemcomponents includenetworkdevices,servers,computingdevices,andapplications.examplesofsystem componentsincludebutarenotlimitedtothefollowing:systemsthatprovidesecurityservices(forexample, authenticationservers),facilitatesegmentation(forexample,internalfirewalls),ormayimpactthesecurityof(for example,nameresolutionorwebredirectionservers)thecde. Virtualizationcomponentssuchasvirtualmachines,virtualswitches/routers,virtualappliances,virtual applications/desktops,andhypervisors. Networkcomponentsincludingbutnotlimitedtofirewalls,switches,routers,wirelessaccesspoints,network appliances,andothersecurityappliances. Servertypesincludingbutnotlimitedtoweb,application,database,authentication,mail,proxy,NetworkTime Protocol(NTP),andDomainNameSystem(DNS). Applicationsincludingallpurchasedandcustomapplications,includinginternalandexternal(forexample,Internet) applications.anyothercomponentordevicelocatedwithinorconnectedtothecde. CoveredEntities 4/2/215 1

6 PCIDSSappliestoallentitiesinvolvedinpaymentcardprocessing includingmerchants,processors,acquirers, issuers,andserviceproviders,aswellasallotherentitiesthatstore,processortransmitcardholderdata(chd) and/orsensitiveauthenticationdata(sad). PCIDSSrequirementsapplytoorganizationsandenvironmentswhereaccountdata(cardholderdataand/or sensitiveauthenticationdata)isstored,processedortransmitted.somepcidssrequirementsmayalsobe applicabletoorganizationsthathaveoutsourcedtheirpaymentoperationsormanagementoftheircde1. Additionally,organizationsthatoutsourcetheirCDEorpaymentoperationstothirdpartiesareresponsiblefor ensuringthattheaccountdataisprotectedbythethirdpartypertheapplicablepcidssrequirements. CompliancePenalties Ifamerchantorserviceproviderdoesnotcomplywiththesecurityrequirementsorfailstorectifyasecurityissue,the cardcompaniesmayfinetheacquiringmember,orimposerestrictionsonthemerchantoritsagent. ComplianceRequiredBy PCIDSSversion3.hasreplacedPCIDSSv.2andiseffectiveasofJanuary1st214.ThePCIDSSv.2maybe usedforpcidsscomplianceuntildecember31,214. Regulators ThePCISecurityStandardsCouncil,anditsfoundingmembersincludingAmericanExpress,DiscoverFinancial Services,JCB,MasterCardWorldwideandVisaInternational. FormoreinformationonthePCIDataSecurityStandard,pleasevisit: Formoreinformationonsecuringwebapplications,pleasevisithttp://www- 1.ibm.com/software/rational/offerings/websecurity/ Copyright:ThePCIinformationcontainedinthisreportisproprietarytoPCISecurityStandardsCouncil,LLC.Any useofthismaterialissubjecttothepcisecuritystandardscouncil,llclicenseagreementthatcan befoundat: The information provided does not constitute legal advice. The results of a vulnerability assessment will demonstrate potential vulnerabilities in your application that should be corrected in order to reduce the likelihood that your information will be compromised. As legal advice must be tailored to the specific application of each law, and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent counsel. IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws. 4/2/215 2

7 Violated Section Issuesdetectedacross32sectionsoftheregulation: Sections Number of Issues Requirement2-Donotusevendor-supplieddefaultsforsystempasswordsandothersecurityparamete rs. Requirement2.1-Alwayschangevendor-supplieddefaultsandremoveordisableunnecessarydefaulta ccountsbeforeinstallingasystemonthenetwork.thisappliestoalldefaultpasswords,includingbutn otlimitedtothoseusedbyoperatingsystems,softwarethatprovidessecurityservices,applicationands ystemaccounts,point-of-sale(pos)terminals,simplenetworkmanagementprotocol(snmp)communi tystrings,etc.) Requirement2.2.2-Enableonlynecessaryservices,protocols,daemons,etc.,asrequiredforthefuncti onofthesystem. Requirement2.2.4-Configuresystemsecurityparameterstopreventmisuse. Requirement2.2.5-Removeallunnecessaryfunctionality,suchasscripts,drivers,features,subsystems,filesystems. Requirement2.3-Encryptallnon-consoleadministrativeaccessusingstrongcryptography.Usetechnol ogiessuchasssh,vpn,orssl/tlsforwebbasedmanagementandothernonconsoleadministrative access. Requirement2.6-Thissectionappliestowebapplicationsthatareusedbyhostingprovidersforhosting purposes Hostingprovidersmustprotecteachentity shostedenvironmentanddata. Requirement4-Encrypttransmissionofcardholderdataacrossopen,publicnetworks. Requirement4.1-Usestrongcryptographyandsecurityprotocols(forexample,SSL/TLS,IPSEC,SSH, etc.)tosafeguardsensitivecardholderdataduringtransmissionoveropen,publicnetworks,includingth efollowing: Onlytrustedkeysandcertificatesareaccepted. Theprotocolinuseonlysupportssecure versionsorconfigurations. Theencryptionstrengthisappropriatefortheencryptionmethodologyinuse.Examplesofopen,publicnetworksincludebutarenotlimitedto: TheInternet Wirelesstechnologies, including82.11andbluetooth Cellulartechnologies,forexample,GlobalSystemforMobilecommunic ations(gsm),codedivisionmultipleaccess(cdma) GeneralPacketRadioService(GPRS). Satellite communications. Requirement6-Developandmaintainsecuresystemsandapplications. Requirement6.1-Establishaprocesstoidentifysecurityvulnerabilities,usingreputableoutsidesources forsecurityvulnerabilityinformation,andassignariskranking(forexample,as high, medium, or low )tonewlydiscoveredsecurityvulnerabilities. Requirement6.2-Ensurethatallsystemcomponentsandsoftwareareprotectedfromknownvulnerabili tiesbyinstallingapplicablevendor-suppliedsecuritypatches.installcriticalsecuritypatcheswithinone monthofrelease. Requirement6.3-Developinternalandexternalsoftwareapplications(includingweb-basedadministrati veaccesstoapplications)securely,asfollows: InaccordancewithPCIDSS(forexample,secureauthe nticationandlogging) Basedonindustrystandardsand/orbestpractices. Incorporatinginformationse curitythroughoutthesoftware-developmentlifecyclenote:thisappliestoallsoftwaredevelopedinternall yaswellasbespokeorcustomsoftwaredevelopedbyathirdparty. Requirement6.3.1-Removedevelopment,testand/orcustomapplicationaccounts,userIDs,andpass wordsbeforeapplicationsbecomeactiveorarereleasedtocustomers. Requirement6.4.4-Removaloftestdataandaccountsbeforeproductionsystemsbecomeactive. Requirement6.5-5Addresscommoncodingvulnerabilitiesinsoftware-developmentprocessesasfollo ws: Traindevelopersinsecurecodingtechniques,includinghowtoavoidcommoncodingvulnerabilitie s,andunderstandinghowsensitivedataishandledinmemory. Developapplicationsbasedonsecure codingguidelines.note:thevulnerabilitieslistedat6.5.1through6.5.1werecurrentwithindustrybest practiceswhenthisversionofpcidsswaspublished.however,asindustrybestpracticesforvulnerabil itymanagementareupdated(forexample,theowaspguide,sanscwetop25,certsecurecodin 4/2/215 3

8 g,etc.),thecurrentbestpracticesmustbeusedfortheserequirements. Requirement6.5.1-Injectionflaws,particularlySQLinjection.AlsoconsiderOSCommandInjection,LD APandXPathinjectionflawsaswellasotherinjectionflaws. Requirement6.5.2-Bufferoverflow Requirement6.5.3-Insecurecryptographicstorage Requirement6.5.4-Insecurecommunications Requirement6.5.5-Impropererrorhandling Requirement6.5.7-Crosssitescripting(XSS) Requirement6.5.8-Improperaccesscontrol(suchasinsecuredirectobjectreferences,failuretorestrict URLaccess,directorytraversal,andfailuretorestrictuseraccesstofunctions). Requirement6.5.9-Crosssiterequestforgery(CSRF) Requirement6.5.1-BrokenauthenticationandsessionmanagementNote:Requirement6.5.1isabe stpracticeuntiljune3,215,afterwhichitbecomesarequirement Requirement6.6-Forpublic-facingwebapplications,addressnewthreatsandvulnerabilitiesonanong oingbasisandensuretheseapplicationsareprotectedagainstknownattacksbyeitherofthefollowing methods: Reviewingpublic-facingwebapplicationsviamanualorautomatedapplicationvulnerabilityse curityassessmenttoolsormethods,atleastannuallyandafteranychangesnote:thisassessmentisn otthesameasthevulnerabilityscansperformedforrequirement11.2. Installinganautomatedtechnic alsolutionthatdetectsandpreventsweb-basedattacks(forexample,aweb-applicationfirewall)infront ofpublic-facingwebapplications,tocontinuallycheckalltraffic. Requirement7-Restrictaccesstodatabybusinessneed-to-know Requirement7.1-Limitaccesstosystemcomponentsandcardholderdatatoonlythoseindividualswho sejobrequiressuchaccess. Requirement7.1.2-RestrictaccesstoprivilegeduserIDstoleastprivilegesnecessarytoperformjobre sponsibilities. Requirement8.2-InadditiontoassigningauniqueID,ensureproperuser-authenticationmanagementf ornon-consumerusersandadministratorsonallsystemcomponentsbyemployingatleastoneofthefol lowingmethodstoauthenticateallusers: Somethingyouknow,suchasapasswordorpassphrase So methingyouhave,suchasatokendeviceorsmartcard Somethingyouare,suchasabiometric. Requirement8.2.1-Usingstrongcryptography,renderallauthenticationcredentials(suchaspasswords /phrases)unreadableduringtransmissionandstorageonallsystemcomponents. Requirement8.7-Allaccesstoanydatabasecontainingcardholderdata(includingaccessbyapplicatio ns,administrators,andallotherusers)isrestrictedasfollows: Alluseraccessto,userqueriesof,andu seractionsondatabasesarethroughprogrammaticmethods. Onlydatabaseadministratorshavethea bilitytodirectlyaccessorquerydatabases. ApplicationIDsfordatabaseapplicationscanonlybeused bytheapplications(andnotbyindividualusersorothernon-applicationprocesses). Section Violation By Issue Uniqueissuesdetectedacross32sectionsoftheregulation: URL Entity Issue Type Sections Detailed Security Issues by Sections 4/2/215 4

9 Requirement2-Donotusevendor-supplieddefaultsforsystempasswords andothersecurityparameters. Requirement2.1-Alwayschangevendor-supplieddefaultsandremoveor disableunnecessarydefaultaccountsbeforeinstallingasystemonthe network.thisappliestoalldefaultpasswords,includingbutnotlimitedto thoseusedbyoperatingsystems,softwarethatprovidessecurityservices, applicationandsystemaccounts,point-of-sale(pos)terminals,simple NetworkManagementProtocol(SNMP)communitystrings,etc.) Requirement2.2.2-Enableonlynecessaryservices,protocols,daemons, etc.,asrequiredforthefunctionofthesystem. Requirement2.2.4-Configuresystemsecurityparameterstopreventmisuse. Requirement2.2.5-Removeallunnecessaryfunctionality,suchasscripts, drivers,features,subsystems,filesystems. Requirement2.3-Encryptallnon-consoleadministrativeaccessusingstrong cryptography.usetechnologiessuchasssh,vpn,orssl/tlsforweb basedmanagementandothernonconsoleadministrativeaccess. 4/2/215 5

10 Requirement2.6-Thissectionappliestowebapplicationsthatareusedby hostingprovidersforhostingpurposes Hostingprovidersmustprotecteach entity shostedenvironmentanddata. Requirement4-Encrypttransmissionofcardholderdataacrossopen,public networks. Requirement4.1-Usestrongcryptographyandsecurityprotocols(for example,ssl/tls,ipsec,ssh,etc.)tosafeguardsensitivecardholderdata duringtransmissionoveropen,publicnetworks,includingthefollowing: Only trustedkeysandcertificatesareaccepted. Theprotocolinuseonlysupports secureversionsorconfigurations. Theencryptionstrengthisappropriatefor theencryptionmethodologyinuse.examplesofopen,publicnetworks includebutarenotlimitedto: TheInternet Wirelesstechnologies,including 82.11andBluetooth Cellulartechnologies,forexample,GlobalSystemfor Mobilecommunications(GSM),Codedivisionmultipleaccess(CDMA) GeneralPacketRadioService(GPRS). Satellitecommunications. Requirement6-Developandmaintainsecuresystemsandapplications. Requirement6.1-Establishaprocesstoidentifysecurityvulnerabilities, usingreputableoutsidesourcesforsecurityvulnerabilityinformation,and assignariskranking(forexample,as high, medium, or low )tonewly discoveredsecurityvulnerabilities. Requirement6.2-Ensurethatallsystemcomponentsandsoftwareare protectedfromknownvulnerabilitiesbyinstallingapplicablevendor-supplied securitypatches.installcriticalsecuritypatcheswithinonemonthofrelease. 4/2/215 6

11 Requirement6.3-Developinternalandexternalsoftwareapplications (includingweb-basedadministrativeaccesstoapplications)securely,as follows: InaccordancewithPCIDSS(forexample,secureauthentication andlogging) Basedonindustrystandardsand/orbestpractices. Incorporatinginformationsecuritythroughoutthesoftware-developmentlife cyclenote:thisappliestoallsoftwaredevelopedinternallyaswellas bespokeorcustomsoftwaredevelopedbyathirdparty. Requirement6.3.1-Removedevelopment,testand/orcustomapplication accounts,userids,andpasswordsbeforeapplicationsbecomeactiveorare releasedtocustomers. Requirement6.4.4-Removaloftestdataandaccountsbeforeproduction systemsbecomeactive. Requirement6.5-5Addresscommoncodingvulnerabilitiesinsoftwaredevelopmentprocessesasfollows: Traindevelopersinsecurecoding techniques,includinghowtoavoidcommoncodingvulnerabilities,and understandinghowsensitivedataishandledinmemory. Develop applicationsbasedonsecurecodingguidelines.note:thevulnerabilities listedat6.5.1through6.5.1werecurrentwithindustrybestpracticeswhen thisversionofpcidsswaspublished.however,asindustrybestpractices forvulnerabilitymanagementareupdated(forexample,theowaspguide, SANSCWETop25,CERTSecureCoding,etc.),thecurrentbestpractices mustbeusedfortheserequirements. 4/2/215 7

12 Requirement6.5.1-Injectionflaws,particularlySQLinjection.Alsoconsider OSCommandInjection,LDAPandXPathinjectionflawsaswellasother injectionflaws. Requirement6.5.2-Bufferoverflow Requirement6.5.3-Insecurecryptographicstorage Requirement6.5.4-Insecurecommunications Requirement6.5.5-Impropererrorhandling Requirement6.5.7-Crosssitescripting(XSS) Requirement6.5.8-Improperaccesscontrol(suchasinsecuredirectobject references,failuretorestricturlaccess,directorytraversal,andfailureto restrictuseraccesstofunctions). Requirement6.5.9-Crosssiterequestforgery(CSRF) 4/2/215 8

13 Requirement6.5.1-BrokenauthenticationandsessionmanagementNote: Requirement6.5.1isabestpracticeuntilJune3,215,afterwhichit becomesarequirement Requirement6.6-Forpublic-facingwebapplications,addressnewthreats andvulnerabilitiesonanongoingbasisandensuretheseapplicationsare protectedagainstknownattacksbyeitherofthefollowingmethods: Reviewingpublic-facingwebapplicationsviamanualorautomated applicationvulnerabilitysecurityassessmenttoolsormethods,atleast annuallyandafteranychangesnote:thisassessmentisnotthesameasthe vulnerabilityscansperformedforrequirement11.2. Installinganautomated technicalsolutionthatdetectsandpreventsweb-basedattacks(forexample, aweb-applicationfirewall)infrontofpublic-facingwebapplications,to continuallycheckalltraffic. Requirement7-Restrictaccesstodatabybusinessneed-to-know Requirement7.1-Limitaccesstosystemcomponentsandcardholderdatato onlythoseindividualswhosejobrequiressuchaccess. Requirement7.1.2-RestrictaccesstoprivilegeduserIDstoleastprivileges necessarytoperformjobresponsibilities. 4/2/215 9

14 Requirement8.2-InadditiontoassigningauniqueID,ensureproperuserauthenticationmanagementfornon-consumerusersandadministratorsonall systemcomponentsbyemployingatleastoneofthefollowingmethodsto authenticateallusers: Somethingyouknow,suchasapasswordor passphrase Somethingyouhave,suchasatokendeviceorsmartcard Somethingyouare,suchasabiometric. Requirement8.2.1-Usingstrongcryptography,renderallauthentication credentials(suchaspasswords/phrases)unreadableduringtransmissionand storageonallsystemcomponents. Requirement8.7-Allaccesstoanydatabasecontainingcardholderdata (includingaccessbyapplications,administrators,andallotherusers)is restrictedasfollows: Alluseraccessto,userqueriesof,anduseractionson databasesarethroughprogrammaticmethods. Onlydatabase administratorshavetheabilitytodirectlyaccessorquerydatabases. ApplicationIDsfordatabaseapplicationscanonlybeusedbytheapplications (andnotbyindividualusersorothernon-applicationprocesses). 4/2/215 1

15 Scan Report Executive Summary ERS Scan Report - Executive Summary for Bomgar QA Audited on April 2, 215 Page 1

16 Scan Report Executive Summary Part 1. Scan Information Scan Customer Company: ASV Company: Date scan was completed: April 2, 215 Scan expiration date: July 19, 215 Part 2a. Asset and Vulnerabilities Compliance Overview * An exploit is regarded as "published" if it is available from Metasploit or listed in the Exploit Database. Actual remediation times may differ based on organizational workflows. Part 2b. Component Compliance Summary Part 3a. Vulnerabilities Noted for each IP Address IP Address Vulnerabilities Noted per IP address Severity Level Undefined CVE, Failure to Restrict URL Access CVSS Score Compliance Status Exceptions, False Positives, or Compensating Controls Noted by the ASV for this Vulnerability high 1. False Positive noted by Jonathan: Page 2

17 Scan Report Executive Summary instance: /login/session_policy/:id/import instance: /login/login instance: /login/group_policy/:id/import instance: /app/js/util/loginautofocus.js instance: /app/js/util/language_selector.js instance: /app/js/util/ie_tags.js instance: /app/js/util/es5_support.js instance: /app/js/lib/split.js instance: /app/js/lib/require.js instance: /app/js/lib/es5-shim.js instance: /app/js/admin/main.js Undefined CVE, Failure to Restrict URL Access Undefined CVE, Failure to Restrict URL Access Undefined CVE, Failure to Restrict URL Access Undefined CVE, Failure to Restrict URL Access Undefined CVE, Failure to Restrict URL Access Undefined CVE, Failure to Restrict URL Access Undefined CVE, Failure to Restrict URL Access Undefined CVE, Failure to Restrict URL Access Undefined CVE, Failure to Restrict URL Access Undefined CVE, Failure to Restrict URL Access high 1. False Positive noted by Jonathan: high 1. False Positive noted by Jonathan: high 1. False Positive noted by Jonathan: high 1. False Positive noted by Jonathan: high 1. False Positive noted by Jonathan: high 1. False Positive noted by Jonathan: high 1. False Positive noted by Jonathan: high 1. False Positive noted by Jonathan: high 1. False Positive noted by Jonathan: high 1. False Positive noted by Jonathan: Page 3

18 Scan Report Executive Summary instance: /app/img/loading-spinner.svg instance: /app/img/globe.svg instance: /app/img/bomgar_logo.svg instance: /login/status instance: /login/customer_notice/send/:id instance: /login/status instance: /portal/instructions/customer instance: /portal/instructions/clickonce instance: /portal/instructions/applet instance: /portal/instructions/ Undefined CVE, Failure to Restrict URL Access Undefined CVE, Failure to Restrict URL Access Undefined CVE, Failure to Restrict URL Access Undefined CVE, Missing HttpOnly Flag From Cookie Undefined CVE, Missing Secure Flag From SSL Cookie Undefined CVE, Missing Secure Flag From SSL Cookie high 1. False Positive noted by Jonathan: high 1. False Positive noted by Jonathan: high 1. False Positive noted by Jonathan: medium 5. False Positive noted by Jonathan: medium 5. False Positive noted by Jonathan: medium 5. False Positive noted by Jonathan: Page 4

19 Scan Report Executive Summary instance: /portal/check-rep/ instance: /portal/access-keyconfirmation/web.config instance: /portal/access-keyconfirmation/web-inf/ instance: /portal/access-keyconfirmation/servlet/ instance: /portal/access-keyconfirmation/readme.txt instance: /portal/access-keyconfirmation/index.swf instance: /portal/access-keyconfirmation/index.shtml instance: /portal/access-keyconfirmation/index.php3 instance: /portal/access-keyconfirmation/index.old Page 5

20 Scan Report Executive Summary instance: /portal/access-keyconfirmation/index.jsp instance: /portal/access-keyconfirmation/index.html instance: /portal/access-keyconfirmation/index.htm instance: /portal/access-keyconfirmation/index.chtml instance: /portal/access-keyconfirmation/index.cgi instance: /portal/access-keyconfirmation/index.cfm instance: /portal/access-keyconfirmation/index.bak instance: /portal/access-keyconfirmation/index.aspx Page 6

21 Scan Report Executive Summary instance: /portal/access-keyconfirmation/index.asp instance: /portal/access-keyconfirmation/default.wml instance: /portal/access-keyconfirmation/default.shtml instance: /portal/access-keyconfirmation/default.jsp instance: /portal/access-keyconfirmation/default.html instance: /portal/access-keyconfirmation/default.htm instance: /portal/access-keyconfirmation/default.aspx instance: /portal/access-keyconfirmation/default.asp instance: /portal/access-keyconfirmation/adovbs.inc Page 7

22 Scan Report Executive Summary instance: /portal/access-keyconfirmation/adojavas.inc instance: /portal/access-keyconfirmation/_vti_txt/ instance: /portal/access-keyconfirmation/_vti_shm/ instance: /portal/access-keyconfirmation/_vti_script/ instance: /portal/access-keyconfirmation/_vti_pvt/ instance: /portal/access-keyconfirmation/_vti_log/ instance: /portal/access-keyconfirmation/_vti_cnf/ instance: /portal/access-keyconfirmation/_vti_bot/ Page 8

23 Scan Report Executive Summary instance: /portal/access-keyconfirmation/_vti_bin/ instance: /portal/access-keyconfirmation/web.sitemap instance: /portal/access-keyconfirmation/ws_ftp.log instance: /portal/access-keyconfirmation/web-inf/ instance: /portal/access-keyconfirmation/trace.axd instance: /portal/access-keyconfirmation/readme.txt instance: /portal/access-keyconfirmation/readme instance: /portal/access-keyconfirmation/deadjoe instance: /portal/access-keyconfirmation/%3f.jsp Page 9

24 Scan Report Executive Summary instance: /portal/access-keyconfirmation/ instance: /help instance: /download_client_connector/ instance: /download_client_connector instance: /content/public.css instance: /content/portal.js instance: /content/mobile.css instance: /content/lib/jquery.js instance: /content/issue_form.js instance: /content/ie9_public.js Page 1

25 Scan Report Executive Summary instance: /content/common.css instance: /content/access_key_input.js instance: /check_access_key.ns instance: /check_access_key instance: /app/js/util/loginautofocus.js instance: /app/js/util/language_selector.js instance: /app/js/util/ie_tags.js instance: /app/js/util/es5_support.js instance: /app/js/lib/split.js instance: /app/js/lib/require.js Page 11

26 Scan Report Executive Summary instance: /app/js/lib/es5-shim.js instance: /app/js/lib/angular/angularcsp.css instance: /app/js/admin/misc/certificate_directive.c ss instance: /app/js/admin/main.js instance: /app/img/loading-spinner.svg instance: /app/img/globe.svg instance: /app/img/bomgar_logo.svg instance: /app/css/private.css instance: /app/css/login.css instance: /app/css/ie8.css Page 12

27 Scan Report Executive Summary instance: /app/css/common.css instance: /api/start_session.js instance: /api/start_session instance: /api/content/core.js instance: / port: 8 instance: HTTP instance: HTTPS Undefined CVE, SHA-1-based Signature in TLS/SSL Server X.59 Certificate Undefined CVE, A running service was discovered Undefined CVE, A running service was discovered low 2.6 False Positive noted by Jonathan: low. low. Part 3b. Special Notes by IP Address NOTE 1 - Note to scan customer: Browsing of directories on web servers can lead to information disclosure or potential exploit. Due to increased risk to the cardholder data environment, please 1) justify the business need for this configuration to the ASV, or 2) confirm that it is disabled. Please consult your ASV if you have questions about this Special Note. NOTE 2 - Note to scan customer: Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the ASV and confirm it is either implemented securely per Appendix D or disabled/removed. Please consult your ASV if you have questions about this Special Note. Page 13

28 Scan Report Executive Summary NOTE 3 - Note to scan customer: Due to increased risk to the cardholder data environment when a point-of-sale system is visible on the Internet, please 1) confirm that this system needs to be visible on the Internet, that the system is implemented securely, and that original default passwords have been changed to complex passwords, or 2) confirm that the system has been reconfigured and is no longer visible to the Internet. Please consult your ASV if you have questions about this Special Note. NOTE 4 - Note to customer: As you were unable to validate that the configuration of the environment behind your load balancers is synchronized, it is your responsibility to ensure that the environment is scanned as part of the internal vulnerability scans required by the PCI DSS. Page 14

29 Web Application Scan Results 4/2/215 Target Site: security2.bomgar.com Port: 443 Starting URI: /login Authentication: Not Attempted Report Summary Application Title: Bomgar Site: security2.bomgar.com Port: 443 Starting URI: /login Authentication Title: Login Company: Bomgar Corporation User: Jonathan Conerly Scan Type: On Demand Scan Status: Finished Scan Title: ERS Scan Date: 4/2/215 at 19:35:8 Reference: scan/ Scanner Appliance: (Scanner , Vulnerability Signatures ) Duration: :24:46 Detailed Results (bci bcims.net,-) Ubuntu / Linux 3.x Potential Vulnerabilities (2) X-Frame-Options header is not set port 443/tcp VULNERABILITY DETAILS CVSS Base Score: - CVSS Temporal Score: - Severity: 1 QID: 1581 Category: Web Application CVE ID: - Vendor Reference: - Bugtraq ID: - Last Update: 4/12/214 THREAT: X-Frame-Options header is not set, and that may lead to a possible framing of the page. An attack can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons. IMPACT: Attacks like Clickjacking and Cross-Site Request Forgery (CSRF) could be performed. Web Application Scan Results page 1

30 SOLUTION: Set the X-Frame-Options: This header works with modern browsers and can be used to prevent framing of the page. Note that is must be an HTTP header, the setting is ignored if it is created as an "http-equiv" meta element within the page. RESULT: url: variants: 2 matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN url: matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN url: matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN url: matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN url: matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN X-Frame-Options header is not set security2.bomgar.com:443/tcp VULNERABILITY DETAILS CVSS Base Score: - CVSS Temporal Score: - Severity: 1 QID: 1581 Category: Web Application CVE ID: - Vendor Reference: - Bugtraq ID: - Last Update: 4/12/214 THREAT: X-Frame-Options header is not set, and that may lead to a possible framing of the page. An attack can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons. IMPACT: Attacks like Clickjacking and Cross-Site Request Forgery (CSRF) could be performed. SOLUTION: Set the X-Frame-Options: This header works with modern browsers and can be used to prevent framing of the page. Note that is must be an HTTP header, the setting is ignored if it is created as an "http-equiv" meta element within the page. RESULT: url: variants: 2 matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN url: matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN url: Web Application Scan Results page 2

31 matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN url: matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN url: matched: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN Information Gathered (17) Operating System Detected VULNERABILITY DETAILS Severity: 2 QID: 4517 Category: Information gathering CVE ID: - Vendor Reference: - Bugtraq ID: - Last Update: 2/9/25 THREAT: Several different techniques can be used to identify the operating system (OS) running on a host. A short description of these techniques is provided below. The specific technique used to identify the OS on this host is included in the RESULTS section of your report. 1) TCP/IP Fingerprint: The operating system of a host can be identified from a remote system using TCP/IP fingerprinting. All underlying operating system TCP/IP stacks have subtle differences that can be seen in their responses to specially-crafted TCP packets. According to the results of this "fingerprinting" technique, the OS version is among those listed below. Note that if one or more of these subtle differences are modified by a firewall or a packet filtering device between the scanner and the host, the fingerprinting technique may fail. Consequently, the version of the OS may not be detected correctly. If the host is behind a proxy-type firewall, the version of the operating system detected may be that for the firewall instead of for the host being scanned. 2) NetBIOS: Short for Network Basic Input Output System, an application programming interface (API) that augments the DOS BIOS by adding special functions for local-area networks (LANs). Almost all LANs for PCs are based on the NetBIOS. Some LAN manufacturers have even extended it, adding additional network capabilities. NetBIOS relies on a message format called Server Message Block (SMB). 3) PHP Info: PHP is a hypertext pre-processor, an open-source, server-side, HTML-embedded scripting language used to create dynamic Web pages. Under some configurations it is possible to call PHP functions like phpinfo() and obtain operating system information. 4) SNMP: The Simple Network Monitoring Protocol is used to monitor hosts, routers, and the networks to which they attach. The SNMP service maintains Management Information Base (MIB), a set of variables (database) that can be fetched by Managers. These include "MIB_II.system. sysdescr" for the operating system. IMPACT: Not applicable SOLUTION: Not applicable RESULT: Operating System Technique ID Ubuntu / Linux 3.x TCP/IP Fingerprint U5933:8 Connection Error Occurred During Web Application Scan port 443/tcp Web Application Scan Results page 3

32 VULNERABILITY DETAILS Severity: 2 QID: 1518 Category: Web Application CVE ID: - Vendor Reference: - Bugtraq ID: - Last Update: 5/15/29 THREAT: Some of requests timed out or unexpected errors were detected in the connection while crawling or scanning the Web application. IMPACT: Some of the links were not crawled or scanned. Results may be incomplete or incorrect. SOLUTION: Investigate the root cause of failure accessing the listed links. RESULT: Links that led to unexpected errors: e=john&customer_company=john&customer_desc=john&=&custom_attributes=&download=1 Connection Error Occurred During Web Application Scan security2.bomgar.com:443/tcp VULNERABILITY DETAILS Severity: 2 QID: 1518 Category: Web Application CVE ID: - Vendor Reference: - Bugtraq ID: - Last Update: 5/15/29 THREAT: Some of requests timed out or unexpected errors were detected in the connection while crawling or scanning the Web application. IMPACT: Some of the links were not crawled or scanned. Results may be incomplete or incorrect. SOLUTION: Investigate the root cause of failure accessing the listed links. RESULT: Links that led to unexpected errors: e=john&customer_company=john&customer_desc=john&=&custom_attributes=&download=1 DNS Host Name VULNERABILITY DETAILS Severity: 1 QID: 6 Category: Information gathering Web Application Scan Results page 4

33 CVE ID: - Vendor Reference: - Bugtraq ID: - Last Update: 1/1/2 THREAT: The fully qualified domain name of this host, if it was obtained from a DNS server, is displayed in the RESULT section. RESULT: IP address Host name bci bcims.net Host Scan Time VULNERABILITY DETAILS Severity: 1 QID: 4538 Category: Information gathering CVE ID: - Vendor Reference: - Bugtraq ID: - Last Update: 11/19/24 THREAT: The Host Scan Time is the period of time it takes the scanning engine to perform the vulnerability assessment of a single target host. The Host Scan Time for this host is reported in the Result section below. The Host Scan Time does not have a direct correlation to the Duration time as displayed in the Report Summary section of a scan results report. The Duration is the period of time it takes the service to perform a scan task. The Duration includes the time it takes the service to scan all hosts, which may involve parallel scanning. It also includes the time it takes for a scanner appliance to pick up the scan task and transfer the results back to the service's Secure Operating Center. Further, when a scan task is distributed across multiple scanners, the Duration includes the time it takes to perform parallel host scanning on all scanners. RESULT: Scan duration: 1481 seconds Start time: Mon, Apr 2 215, 19:36: GMT End time: Mon, Apr 2 215, 2::41 GMT Scan Diagnostics port 443/tcp VULNERABILITY DETAILS Severity: 1 QID: 1521 Category: Web Application CVE ID: - Vendor Reference: - Bugtraq ID: - Last Update: 1/16/29 THREAT: This check provides various details of the scan's performance and behavior. In some cases, this check can be used to identify problems that the scanner encountered when crawling the target Web application. IMPACT: The scan diagnostics data provides technical details about the crawler's performance and behavior. This information does not necessarily imply problems with the Web application. Web Application Scan Results page 5

34 SOLUTION: No action is required. RESULT: Ineffective Session Protection. no tests enabled. HSTS Analysis no tests enabled. Permanent Redirect HSTS Analysis no tests enabled. Collected 33 links overall. Batch # Path manipulation: estimated time < 1 minutes (115 tests, 22 inputs) Path manipulation: 115 vulnsigs tests, completed 938 requests, 18 seconds. Completed 938 requests of 253 estimated requests (37.751%). All tests completed. WSEnumeration no tests enabled. Batch #1 URI parameter manipulation (no auth): estimated time < 1 minute (46 tests, 2 inputs) Batch #1 URI parameter manipulation (no auth): 46 vulnsigs tests, completed 92 requests, 7 seconds. Completed 92 requests of 92 estimated requests (1%). All tests completed. Batch #1 URI blind SQL manipulation (no auth): estimated time < 1 minute (9 tests, 2 inputs) Batch #1 URI blind SQL manipulation (no auth): 9 vulnsigs tests, completed 18 requests, 4 seconds. Completed 18 requests of 54 estimated requests ( %). All tests completed. Batch #1 URI parameter time-based tests (no auth): estimated time < 1 minute (11 tests, 2 inputs) Batch #1 URI parameter time-based tests (no auth): 11 vulnsigs tests, completed 22 requests, 8 seconds. Completed 22 requests of 22 estimated requests (1%). All tests completed. Batch #2 URI parameter manipulation (no auth): estimated time < 1 minute (46 tests, 3 inputs) Batch #2 URI parameter manipulation (no auth): 46 vulnsigs tests, completed 92 requests, 8 seconds. Completed 92 requests of 138 estimated requests ( %). All tests completed. Batch #2 Form parameter manipulation (no auth): estimated time < 1 minute (46 tests, 3 inputs) Batch #2 Form parameter manipulation (no auth): 46 vulnsigs tests, completed 598 requests, 79 seconds. Completed 598 requests of 138 estimated requests ( %). All tests completed. Batch #2 URI blind SQL manipulation (no auth): estimated time < 1 minute (9 tests, 3 inputs) Batch #2 URI blind SQL manipulation (no auth): 9 vulnsigs tests, completed 18 requests, 4 secon ds. Completed 18 requests of 81 estimated requests ( %). All tests completed. Batch #2 Form blind SQL manipulation (no auth): estimated time < 1 minute (9 tests, 3 inputs) Batch #2 Form blind SQL manipulation (no auth): 9 vulnsigs tests, completed 81 requests, 45 seconds. Completed 81 requests of 81 estimated requests (1%). All tests completed. Batch #2 URI parameter time-based tests (no auth): estimated time < 1 minute (11 tests, 3 inputs) Batch #2 URI parameter time-based tests (no auth): 11 vulnsigs tests, completed 22 requests, 9 seconds. Completed 22 requests of 33 estimated requests ( %). All tests completed. Batch #2 Form field time-based tests (no auth): estimated time < 1 minute (11 tests, 3 inputs) Batch #2 Form field time-based tests (no auth): 11 vulnsigs tests, completed 99 requests, 58 seconds. Completed 99 requests of 33 estimated requests (3%). All tests completed. HTTP call manipulation no tests enabled. SSL Downgrade. no tests enabled. Open Redirect no tests enabled. CSRF no tests enabled. Static Session ID no tests enabled. Batch #4 File Inclusion analysis: estimated time < 1 minute (1 tests, 19 inputs) Batch #4 File Inclusion analysis: 1 vulnsigs tests, completed requests, seconds. Completed requests of 19 estimated requests (%). All tests completed. Batch #4 Cookie manipulation: estimated time < 1 minutes (33 tests, 2 inputs) Batch #4 Cookie manipulation: 33 vulnsigs tests, completed 18 requests, 21 seconds. Completed 18 requests of 99 estimated requests ( %). XSS optimization removed 36 links. All tests completed. Batch #4 Header manipulation: estimated time < 1 minutes (33 tests, 15 inputs) Batch #4 Header manipulation: 33 vulnsigs tests, completed 272 requests, 27 seconds. Completed 272 requests of 99 estimated requests ( %). XSS optimization removed 36 links. All tests completed. Batch #4 shell shock detector: estimated time < 1 minute (1 tests, 15 inputs) Batch #4 shell shock detector: 1 vuln sigs tests, completed 16 requests, 3 seconds. Completed 16 requests of 15 estimated requests (16.667%). All tests completed. Batch #4 shell shock detector(form): estimated time < 1 minute (1 tests, 3 inputs) Batch #4 shell shock detector(form): 1 vulnsigs tests, completed 4 requests, 1 seconds. Completed 4 requests of 3 estimated requests ( %). All tests completed. Cookies Without Consent no tests enabled. Batch #5 HTTP Time Bandit: estimated time < 1 minute ( tests, 1 inputs) Batch #5 HTTP Time Bandit: vulnsigs tests, completed requests, seconds. No tests to execute. Total requests made: 2665 Average server response time:.37 seconds Most recent links: FORMDATA- _token=icxuteo8ur1ocxseyoxnookg1hkk3oktovj21lap&fake_password=password&username=john&password=password 2 -FORMDATA- Web Application Scan Results page 6

35 issue_menu=1&customer_name=john&customer_company=john&customer_desc=john& 2 Scan launched using PCI WAS stand-alone mode. External Links Discovered port 443/tcp VULNERABILITY DETAILS Severity: 1 QID: 151 Category: Web Application CVE ID: - Vendor Reference: - Bugtraq ID: - Last Update: 1/19/27 THREAT: The external links discovered by the Web application scanning engine are provided in the Results section. These links were present on the target Web application, but were not crawled. RESULT: Number of links: Scan Diagnostics security2.bomgar.com:443/tcp VULNERABILITY DETAILS Severity: 1 QID: 1521 Category: Web Application CVE ID: - Vendor Reference: - Bugtraq ID: - Last Update: 1/16/29 THREAT: This check provides various details of the scan's performance and behavior. In some cases, this check can be used to identify problems that the scanner encountered when crawling the target Web application. IMPACT: The scan diagnostics data provides technical details about the crawler's performance and behavior. This information does not necessarily imply problems with the Web application. SOLUTION: No action is required. RESULT: Ineffective Session Protection. no tests enabled. HSTS Analysis no tests enabled. Permanent Redirect HSTS Analysis no tests enabled. Collected 32 links overall. Batch # Path manipulation: estimated time < 1 minutes (115 tests, 21 inputs) Path manipulation: 115 vulnsigs tests, completed 913 requests, 18 seconds. Completed 913 requests of 2415 estimated requests (37.854%). All tests completed. WSEnumeration no tests enabled. Batch #1 URI parameter manipulation (no auth): estimated time < 1 minute (46 tests, 2 inputs) Batch #1 URI parameter manipulation (no auth): 46 vulnsigs tests, completed 92 requests, 8 seconds. Completed 92 requests of 92 estimated requests (1%). All tests completed. Batch #1 URI blind SQL manipulation (no auth): estimated time < 1 minute (9 tests, 2 inputs) Batch #1 URI blind SQL manipulation (no auth): 9 vulnsigs tests, completed 18 requests, 3 seconds. Completed 18 requests of 54 estimated requests ( %). All tests completed. Web Application Scan Results page 7

36 Batch #1 URI parameter time-based tests (no auth): estimated time < 1 minute (11 tests, 2 inputs) Batch #1 URI parameter time-based tests (no auth): 11 vulnsigs tests, completed 22 requests, 9 seconds. Completed 22 requests of 22 estimated requests (1%). All tests completed. Batch #2 URI parameter manipulation (no auth): estimated time < 1 minute (46 tests, 3 inputs) Batch #2 URI parameter manipulation (no auth): 46 vulnsigs tests, completed 92 requests, 8 seconds. Completed 92 requests of 138 estimated requests ( %). All tests completed. Batch #2 Form parameter manipulation (no auth): estimated time < 1 minute (46 tests, 3 inputs) Batch #2 Form parameter manipulation (no auth): 46 vulnsigs tests, completed 598 requests, 79 seconds. Completed 598 requests of 138 estimated requests ( %). All tests completed. Batch #2 URI blind SQL manipulation (no auth): estimated time < 1 minute (9 tests, 3 inputs) Batch #2 URI blind SQL manipulation (no auth): 9 vulnsigs tests, completed 18 requests, 4 secon ds. Completed 18 requests of 81 estimated requests ( %). All tests completed. Batch #2 Form blind SQL manipulation (no auth): estimated time < 1 minute (9 tests, 3 inputs) Batch #2 Form blind SQL manipulation (no auth): 9 vulnsigs tests, completed 81 requests, 43 seconds. Completed 81 requests of 81 estimated requests (1%). All tests completed. Batch #2 URI parameter time-based tests (no auth): estimated time < 1 minute (11 tests, 3 inputs) Batch #2 URI parameter time-based tests (no auth): 11 vulnsigs tests, completed 22 requests, 8 seconds. Completed 22 requests of 33 estimated requests ( %). All tests completed. Batch #2 Form field time-based tests (no auth): estimated time < 1 minute (11 tests, 3 inputs) Batch #2 Form field time-based tests (no auth): 11 vulnsigs tests, completed 99 requests, 59 seconds. Completed 99 requests of 33 estimated requests (3%). All tests completed. HTTP call manipulation no tests enabled. SSL Downgrade. no tests enabled. Open Redirect no tests enabled. CSRF no tests enabled. Static Session ID no tests enabled. Batch #4 File Inclusion analysis: estimated time < 1 minute (1 tests, 18 inputs) Batch #4 File Inclusion analysis: 1 vulnsigs tests, completed requests, seconds. Completed requests of 18 estimated requests (%). All tests completed. Batch #4 Cookie manipulation: estimated time < 1 minutes (33 tests, 2 inputs) Batch #4 Cookie manipulation: 33 vulnsigs tests, completed 18 requests, 19 seconds. Completed 18 requests of 99 estimated requests ( %). XSS optimization removed 36 links. All tests completed. Batch #4 Header manipulation: estimated time < 1 minutes (33 tests, 15 inputs) Batch #4 Header manipulation: 33 vulnsigs tests, completed 272 requests, 27 seconds. Completed 272 requests of 99 estimated requests ( %). XSS optimization removed 36 links. All tests completed. Batch #4 shell shock detector: estimated time < 1 minute (1 tests, 15 inputs) Batch #4 shell shock detector: 1 vuln sigs tests, completed 16 requests, 2 seconds. Completed 16 requests of 15 estimated requests (16.667%). All tests completed. Batch #4 shell shock detector(form): estimated time < 1 minute (1 tests, 3 inputs) Batch #4 shell shock detector(form): 1 vulnsigs tests, completed 4 requests, 2 seconds. Completed 4 requests of 3 estimated requests ( %). All tests completed. Cookies Without Consent no tests enabled. Batch #5 HTTP Time Bandit: estimated time < 1 minute ( tests, 1 inputs) Batch #5 HTTP Time Bandit: vulnsigs tests, completed requests, seconds. No tests to execute. Total requests made: 264 Average server response time:.37 seconds Most recent links: FORMDATA- _token=xkgjwxlhve3ykrqzpfi4jptkorreebywzdkwhvh&fake_password=password&username=john&password=password 2 -FORMDATAissue_menu=1&customer_name=John&customer_company=John&customer_desc=John& 2 Scan launched using PCI WAS stand-alone mode. External Links Discovered security2.bomgar.com:443/tcp VULNERABILITY DETAILS Severity: 1 QID: 151 Category: Web Application CVE ID: - Vendor Reference: - Bugtraq ID: - Last Update: 1/19/27 THREAT: Web Application Scan Results page 8