Fully patched SBS failing PCI scan for MS10-070

  • Question

  • I have a fully patched SBS 2011 server that is failing our PCI compliance scan due to MS10-070. I am not sure how to clear this issue as it appears I have applied all patches to date. All help is appreciated.
    Tuesday, August 12, 2014 1:51 PM

Answers

  • I have upgraded .Net to version 4.5.2 (using the link provided by the ASoft .NET Version Detector 14.3 program mentioned above). Note that this update was NOT prompted by Windows Update.

    After this upgrade I then ran Windows Update and installed the following 7 updates :- (recent ones from this week)

    KB2943357 - (.Net 3.5.1)
    KB2937610 - (.Net 3.5.1)

    KB2976627
    KB2978668
    KB2976897
    KB2982791
    KB2918614

    After installation of these, the server was rebooted.

    Following the reboot, a further PCI-DSS scan was successful and passed, no longer flagging the CVE-2010-3332 error as previously.

    Although the top two of the seven updates relate to .Net 3.5.1 I am pretty certain that the update to .Net 4.5.2 fixed the issue.

    Ideally, could someone who is currently failing scanning ONLY upgrade to 4.5.2 (without any other changes) to confirm this resolves the problem?

    Good luck ... and post here if this works for you.

    Regards,

    Phil.


    Phil Ellett

    Friday, August 15, 2014 3:03 PM
  • Some SBS2011 users had issues with RWA after installing .NET 4.5.1; hopefully 4.5.2 resolves these issues. Are you seeing any issues?

    http://blogs.technet.com/b/sbs/archive/2014/01/13/troubleshooting-an-unexpected-error-occurred-message-when-using-remote-web-access-to-connect-to-computers.aspx


    -- Al

    Friday, August 15, 2014 4:08 PM

All replies

  • I have also done considerable head scratching over this issue and have managed to establish WHY my fully patched machine APPEARS vulnerable.

    I have not managed to establish, however, whether it is a false positive OR why all Windows Update checks and the Windows Server Solutions Best Practices Analyzer show up NOTHING.

    I am scanned by Trustwave and they are showing failure with evidence of "/Remote/WebResource.axd" and "/Remote/ScriptResource.axd" URLs.

    I have managed to find a python script here:

    https://github.com/inquisb/miscellaneous/blob/master/ms10-070_check.py

    (Did not work for me with Python 3.4.1 but works with Python 2.7.2)

    This script takes the "d" parameter from the querystring of the evidence URLs (in my case the string between "d=" and "&t=xxxxxxx").

    Given this parameter it then indicates whether your machine is vulnerable to MS10-070 or not.

    My fully patched SBS 2011 fails this test showing as vulnerable.

    My SBS server is a back office machine which handles no Cardholder data or operations and could be argued as "Out of Scope" for PCI-DSS but it is good practice and reassuring to be passing remote scanning of all infrastructure.

    Hope this sheds some light ... I fear this is a false positive and is probably causing lots of IT Admins to waste a lot of time.

    I have found this app - (ASoft .NET Version Detector 14.3)

    http://www.asoft.be/prod_netver.html

    Which displays the .Net versions installed on your machine and the full Framework versions.

    I am sending this information to Trustwave in the hope that it will show vulnerability to be a false positive.

    Interestingly however this app shows that I am running .Net Version 4.5.1 and that 4.5.2 is available.

    I am installing 4.5.2 and then going to run scans again ... it may be that this update may fix problem.

    I will post reply when I have tried it.

    Regards,

    Phil Ellett, Sheffield UK.



    Phil Ellett

    Wednesday, August 13, 2014 3:54 PM
  • Hi,

    Sorry for interrupting. Would you please let us know the summary report of the failed PCI compliance scan? If there is any update, please feel free to let us know.

    @Phil Ellett

    Thanks for sharing in the forum. Your time and efforts are highly appreciated.

    Best regards,

    Justin Gu

    Thursday, August 14, 2014 11:45 AM
    Moderator
  • Hi Folks,

    Server was patched and PCI-DSS scan completed successfully on 15th August following an "On-Demand" scan.

    The following day (16th August) the scheduled monthly scan ran and, guess what ... it failed again with the same issue: Vulnerability in ASP.NET Could Allow Information Disclosure (MS10-070).

    This problem has now been going on too long, has cost too much time and money to try and solve, and is becoming beyond a joke. Can Microsoft and Trustwave please liaise on this issue rather than it being resolved at great expense to customers!!


    Phil Ellett

    Friday, August 29, 2014 12:13 PM
  • I only upgraded to 4.5.2 but still failed the scan. I then tried to install the other updates but found that they were already installed. To pass PCI compliance I had to use the .NET Framework Cleanup Tool to remove .NET Framework 1 and 1.1, then rebooted.
    Monday, September 15, 2014 10:58 PM
  • I too am having this very same problem with an SBS 2011 and a Trustwave PCI Scan. Same scan failure, MS10-070.

    I do not have .NET 4.5 installed either.

    According to ASoft .NET Version Detector, I have the following:

    ----------------------------------------------------------------
    <32Bit>
    2.0.50727.5737
      ->C:\Windows\Microsoft.NET\Framework\v2.0.50727
    4.0.30319.296
      ->C:\Windows\Microsoft.NET\Framework\v4.0.30319

    <64Bit>
    2.0.50727.5737
      ->C:\Windows\Microsoft.NET\Framework64\v2.0.50727
    4.0.30319.296
      ->C:\Windows\Microsoft.NET\Framework64\v4.0.30319

    < Installed .NET Frameworks >
    .NET FW 2.0 SP 2 (CLR:2.0)
    .NET FW 3.0 SP 2 (CLR:2.0)
    .NET FW 3.5 SP 1 (CLR:2.0)
    .NET FW 4.0 Client (CLR:4.0)
    .NET FW 4.0 Full (CLR:4.0)

    ------------------------------------------------------------------

    The "evidence" listed by Trustwave is as follows:

    ----------------------------------------------------------------

    https://xx.xx.xx.xxx/Remote/ScriptResource.axd?d=lXZlKIAaV2DQCh8KTxGhBga0MRSGLTRT9DSz8blSZp-D_-ZPudrzAKWqHdY35UWsutw3Ntl-4wvao6MPLFScquOdB1ltjYYHOqxwXXy4-cMH0botA64x54vVSrQvbWfqeeqj1b7G7AQhZLaT-GYmx1N5BV60glFQdELeLVBMDvHtrJqdKd8_uVn0Dbduk18U0&t=ffffffff940d030f

    https://xx.xx.xx.xxx/Remote/ScriptResource.axd?d=p6YZ1NuXPX8YwTxRRD40xEKpXBuPB3YUgQ3hjNGQxb_5tTy2dU9nG0cHEomkwkiNf4PP8G6eTLYZjXf70cl8npvIQIjbTj1Gi4nA5G5YYhpWctDt3JQRY9yZV6x9RNeD2_PoFyDJ8BBhYAlkHyfqLGzUUYBmdjuVdkzZFPoZMXQ1&t=ffffffff940d030f

    https://xx.xx.xx.xxx/Remote/WebResource.axd?d=exxOBoRssUcc64ztYfy_H0dLRaK691IwOZsT_ZgvH1h4puvZrQFRDaop4RO9S8crNjGUdI2DJaltVrI6S1kcTPACO-elHaY3hv-EIlFENLU1&t=634955083192463937
    -----------------------------------------------------------------

    When I click on the links of the evidence, I get a page returned full of text. The evidence seems like it is real and not a false positive being that I do get a return. All of my Windows Updates are current, so I really don't know where to go with this.

    Sunday, October 5, 2014 7:08 PM
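Editor's added example, not code from any poster in this thread and not the logic of the linked ms10-070_check.py: a Python 3 script that decodes the "d" parameter of the three evidence URLs posted above and applies the kind of block-alignment test such a checker performs. Assumptions, stated here and in the code: "d" is produced by ASP.NET's HttpServerUtility.UrlTokenEncode (base64 with '+' and '/' swapped for '-' and '_', the '=' padding removed and its count appended as a final digit); a signed blob is laid out as IV + AES-CBC ciphertext + signature; and the naive check being modelled is "decoded length is a whole number of cipher blocks, so there is no trailing signature, so the host is unpatched" (my reading of what a length-based check does, not a claim about the linked script's exact code). The fact the example leans on is that the machineKey validation default is SHA1 (20-byte signature) on ASP.NET 2.0/3.5 and HMACSHA256 (32-byte signature) on ASP.NET 4.x. Since 32 is itself a multiple of 16, a correctly signed ASP.NET 4 blob is block-aligned again and cannot be told apart from an unsigned one by length alone, which is exactly the situation the script flags as "vulnerable". The three evidence values decode to 144, 128 and 80 bytes, all multiples of 16.

```python
"""Decode ASP.NET WebResource.axd / ScriptResource.axd "d" parameters and show
why a length-only MS10-070 check is ambiguous on ASP.NET 4.

Editor's added example for this thread; not code from any poster and not the
logic of the linked ms10-070_check.py.  Assumptions:
  * "d" is HttpServerUtility.UrlTokenEncode output: base64 with '+'->'-',
    '/'->'_', the '=' padding removed and its count appended as a last digit.
  * A signed blob is IV (one block) + AES-CBC ciphertext + signature.
  * The naive check models "decoded length is block-aligned => unsigned".
The URLs are the evidence values posted in the thread (host redacted by the
poster, not by this script).
"""
import base64
from urllib.parse import parse_qs, urlparse

AES_BLOCK = 16  # bytes; the IV and every ciphertext block are this size

# Signature appended by the machineKey validation algorithm, in bytes.
# 0 models an unsigned (pre-MS10-070) blob.  SHA1 is the ASP.NET 2.0/3.5
# default, HMACSHA256 the ASP.NET 4.x default.
SIGNATURE_BYTES = {
    "unsigned (pre-MS10-070)": 0,
    "SHA1 validation (ASP.NET 2.0/3.5 default)": 20,
    "HMACSHA256 validation (ASP.NET 4.x default)": 32,
}

EVIDENCE_URLS = [
    "https://xx.xx.xx.xxx/Remote/ScriptResource.axd?d=lXZlKIAaV2DQCh8KTxGhBga0MRSGLTRT9DSz8blSZp-D_-ZPudrzAKWqHdY35UWsutw3Ntl-4wvao6MPLFScquOdB1ltjYYHOqxwXXy4-cMH0botA64x54vVSrQvbWfqeeqj1b7G7AQhZLaT-GYmx1N5BV60glFQdELeLVBMDvHtrJqdKd8_uVn0Dbduk18U0&t=ffffffff940d030f",
    "https://xx.xx.xx.xxx/Remote/ScriptResource.axd?d=p6YZ1NuXPX8YwTxRRD40xEKpXBuPB3YUgQ3hjNGQxb_5tTy2dU9nG0cHEomkwkiNf4PP8G6eTLYZjXf70cl8npvIQIjbTj1Gi4nA5G5YYhpWctDt3JQRY9yZV6x9RNeD2_PoFyDJ8BBhYAlkHyfqLGzUUYBmdjuVdkzZFPoZMXQ1&t=ffffffff940d030f",
    "https://xx.xx.xx.xxx/Remote/WebResource.axd?d=exxOBoRssUcc64ztYfy_H0dLRaK691IwOZsT_ZgvH1h4puvZrQFRDaop4RO9S8crNjGUdI2DJaltVrI6S1kcTPACO-elHaY3hv-EIlFENLU1&t=634955083192463937",
]


def url_token_decode(token: str) -> bytes:
    """Inverse of HttpServerUtility.UrlTokenEncode (assumed encoding of "d")."""
    if not token:
        return b""
    pad = token[-1]
    if pad not in "012":
        raise ValueError("last character must be the '=' padding count (0-2)")
    body = token[:-1].replace("-", "+").replace("_", "/") + "=" * int(pad)
    return base64.b64decode(body, validate=True)


def d_param(url: str) -> str:
    """Pull the "d" query parameter out of a resource-handler URL."""
    return parse_qs(urlparse(url).query)["d"][0]


def decoded_length(url: str) -> int:
    """Size in bytes of the decoded "d" blob."""
    return len(url_token_decode(d_param(url)))


def block_aligned(n: int, block: int = AES_BLOCK) -> bool:
    """The naive test: an unsigned CBC blob is a whole number of blocks."""
    return n > 0 and n % block == 0


def layouts_consistent_with(n: int, block: int = AES_BLOCK) -> list:
    """Every modelled payload layout that yields a blob of exactly n bytes."""
    hits = []
    for name, sig in SIGNATURE_BYTES.items():
        body = n - sig                       # IV + ciphertext once the tag is removed
        if body >= 2 * block and body % block == 0:
            hits.append(name)
    return hits


def analyse(url: str) -> dict:
    """Naive verdict plus the layouts that verdict silently conflates."""
    n = decoded_length(url)
    layouts = layouts_consistent_with(n)
    return {
        "path": urlparse(url).path,
        "bytes": n,
        "naive_verdict": "vulnerable" if block_aligned(n) else "patched",
        "consistent_layouts": layouts,
        "ambiguous": len(layouts) > 1,
    }


if __name__ == "__main__":
    for u in EVIDENCE_URLS:
        r = analyse(u)
        print(f"{r['path']}: {r['bytes']} bytes, naive check says {r['naive_verdict']}")
        for layout in r["consistent_layouts"]:
            print(f"    consistent with: {layout}")
```

Run as-is to get one line per evidence URL; the `consistent_layouts` list is what the naive verdict throws away. Each of the three blobs is consistent with both an unsigned payload and an HMACSHA256-signed one, so on an ASP.NET 4 application pool (the Oct 5 poster's 4.0.30319 install) the length test cannot show the patch is missing, and moving the pool back to a SHA1-signed .NET 2 runtime, as the Jan 30 post reports, is the one change that makes the blob stop being block-aligned. A length check of this kind is not evidence the fix is absent; confirming that the MS10-070 updates listed in the bulletin are installed is the check to rely on.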
  • Thanks Gemini :-)

    Same problem with Trustwave PCI scan failing an SBS 2011 on that one issue. Only had .NET 4.5.1 listed in Programs. Updated to 4.5.2 but still failed scan.

    I used .NET Framework Cleanup Tool (note, not the .NET repair tool) to remove 1.0 and 1.1, as suggested above.

    http://blogs.msdn.com/b/astebner/archive/2008/08/28/8904493.aspx

    Passed the scan ok.

    Thanks, Mike.

    Tuesday, October 21, 2014 8:33 AM
  • Thanks for the information! I'm glad we're not alone. My company is experiencing the same frustrating problem and keeps failing a Trustwave PCI scan. We are going to use the .NET Framework Cleanup Tool as well and wait to see what happens when the next scan runs.

    Has this solution worked for everyone on this thread?

    Thanks,

    Jonas

    Wednesday, November 5, 2014 6:29 PM
  • We've been going round-robin on this over and over again, and even paid Microsoft for an intervention and nobody can seem to solve this.

    I'm all patched up with Windows Update and have .NET versions 4.5 through 4.5.2 installed.

    My sites were previously at 4.0 but we've begun updating them to 4.5.2, but are still failing TrustWave PCI scans for MS10-070.

    I've also run the .NET Cleanup tool and removed 1.0 and 1.1 (which said in the log that they were not installed, but it seemed to perform a lot of actions to clean up and reported that parts of it were "found").

    No change.  We're running Windows Server 2008 R2 and no install of SBS.

    Has anybody fixed this? We're under EXTREME pressure from senior management and financial vendors to get this PCI compliance passed.  Any help would be beyond appreciated.

    Monday, November 10, 2014 8:17 PM
  • 1. What vendor are you using - are you sure this isn't a false positive? What exactly in the scan do they say it's failing on? As you have 2008R2 and no SBS, there's no .NET 1 or 1.1 on there, so per my gut feel of this, Trustwave and these vendor scans are bogus/false positives.

    I'd go back and push back on the vendor to ask what exactly they are reacting to.

    2. Any small business should not be running credit cards through your network. You can't separate out the network enough to truly pass PCI.

    Monday, November 10, 2014 9:25 PM
    Moderator
  • If you've installed the updates as noted in

    https://technet.microsoft.com/en-us/library/security/ms10-070.aspx

    Then this vendor is wrong.  Push back on them.  Per my read of the situation they are false detecting.

    Monday, November 10, 2014 9:28 PM
    Moderator
  • Jef-

    I'm experiencing the same issues that you have. Did you ever get it resolved? I'm running Windows Server 2008 R2 fully patched but TrustWave still responds with the MS10-070 vulnerability.

    Thanks for any feedback

    Jeff

    Friday, January 16, 2015 9:45 PM
  • I had run into this as well. Beyond standard SBS, I had installed .NET Framework 4 for an app. I checked IIS Application Pools and saw that RWA was using .NET 4. I removed .NET Framework 4 and installed .NET Framework 4.5.2 for the app to use and patched it. IIS now shows the application pool back to using .NET 2, which I had patched from the security bulletin KB at the first scan failure. PCI scan passed after that.

    No need to run the .NET cleanup that I was considering that others here had tried.

    Friday, January 30, 2015 1:49 PM