What is the name of the domain?
What is the error number?
QID: 34000, CVSS Base: 5, PCI Severity: MED
What is the error message?
“TCP Source Port Pass Firewall” (QID: 34000, CVSS Base: 5, PCI Severity: MED)
What is the issue you’re encountering?
We are currently undergoing a PCI certification scan for our website, which is protected by Cloudflare (with proxy and WAF enabled). During the scan, a vulnerability was reported for the Cloudflare IP address 188.114.97.12. The vulnerability is identified as “TCP Source Port Pass Firewall” (QID: 34000, CVSS Base: 5, PCI Severity: MED).
Scan Details:
Observation: The scan sent four TCP SYN probes to destination port 24567 using source port 53, and the host responded to these probes. However, when the same port was probed using random source ports, there were no responses.
Was the site working with SSL prior to adding it to Cloudflare?
Yes
What is the current SSL/TLS setting?
Full
What are the steps to reproduce the issue?
Dear Cloudflare Support Team,
I hope you are doing well.
We are currently undergoing a PCI certification scan for our website, which is protected by Cloudflare (with proxy and WAF enabled). During the scan, a vulnerability was reported for the Cloudflare IP address 188.114.97.12. The vulnerability is identified as “TCP Source Port Pass Firewall” (QID: 34000, CVSS Base: 5, PCI Severity: MED).
Scan Details:
Observation: The scan sent four TCP SYN probes to destination port 24567 using source port 53, and the host responded to these probes. However, when the same port was probed using random source ports, there were no responses.
Implication: This behavior suggests that TCP packets with source port 53 are being allowed through by the firewall, which could potentially be exploited to bypass certain filtering rules.
For context, our origin server is hosted on DigitalOcean and is secured by a firewall that permits traffic only on ports 80 and 443. Given that the IP in question belongs to Cloudflare, we suspect that this behavior might be related to Cloudflare’s internal handling of certain types of traffic.
We kindly request clarification on the following points:
Intentional Behavior:
Is the observed response to TCP SYN probes with source port 53 an intentional aspect of Cloudflare’s security or traffic management policies?
Configuration Options:
Is it possible to modify or configure this behavior within Cloudflare to ensure that such probes are blocked, or is this behavior considered a normal and safe part of the Cloudflare network?
PCI Compliance:
Can you provide any guidance or official documentation regarding this behavior? We would like to understand whether this can be classified as a false positive in the context of PCI compliance, and if so, how we should document this for our audit.
Your insights on these questions would be greatly appreciated, as they will help us address the findings reported by our PCI certification scan and ensure that our security posture remains robust.
Thank you for your time and assistance.
Best regards
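The scanner's observation above (responses to probes from source port 53, none from random source ports) can be reproduced with plain TCP connects so that the result can be compared with the report before raising it with Cloudflare or the QSA. The script below is an added example and is not part of the original post, nor Cloudflare's or Qualys's code; it assumes that a SYN answered by SYN-ACK (connect succeeds) or RST (connection refused) counts as "responded" and that a timeout counts as "filtered", which is how the finding describes the behaviour. Binding the local socket to port 53 requires root or CAP_NET_BIND_SERVICE and a free port 53 (stop any local resolver first); the `probe` parameter exists so the verdict logic can be exercised with a fake prober, as in the test, without sending packets.

```python
"""Reproduce the "TCP Source Port Pass Firewall" check with ordinary sockets.

Added example (not the original post's or Cloudflare's code). Assumptions:
  - SYN-ACK (connect succeeds) or RST (connection refused) = host responded
  - no answer within the timeout                            = filtered
Binding to source port 53 needs root / CAP_NET_BIND_SERVICE on Linux.
"""
import argparse
import socket

RESPONDED = "responded"  # SYN-ACK or RST came back
FILTERED = "filtered"    # nothing came back before the timeout


def tcp_probe(host, dport, sport, timeout):
    """Send one real SYN by attempting a TCP connect from `sport` (None = ephemeral)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.settimeout(timeout)
    try:
        if sport is not None:
            s.bind(("", sport))  # fixed source port, e.g. 53
        s.connect((host, dport))  # success means SYN-ACK was received
        return RESPONDED
    except ConnectionRefusedError:
        return RESPONDED  # RST: port closed, but the firewall let the SYN through
    except socket.timeout:
        return FILTERED  # no SYN-ACK, no RST: dropped somewhere on the path
    finally:
        s.close()


def source_port_check(host, dport, sport=53, trials=4, timeout=2.0, probe=tcp_probe):
    """Mirror the scanner's logic: `trials` SYNs from `sport`, then `trials` SYNs
    from kernel-chosen ephemeral ports. The finding applies when the fixed source
    port gets any answer while the ephemeral ports get none."""
    fixed = [probe(host, dport, sport, timeout) for _ in range(trials)]
    ephemeral = [probe(host, dport, None, timeout) for _ in range(trials)]
    verdict = any(r == RESPONDED for r in fixed) and all(r == FILTERED for r in ephemeral)
    return {
        "fixed_source_port": sport,
        "fixed": fixed,
        "ephemeral": ephemeral,
        "source_port_pass_firewall": verdict,
    }


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Replay the QID 34000 observation")
    ap.add_argument("host", help="target, e.g. the scanned Cloudflare edge IP")
    ap.add_argument("--dport", type=int, default=24567, help="destination port from the report")
    ap.add_argument("--sport", type=int, default=53, help="fixed source port from the report")
    ap.add_argument("--trials", type=int, default=4)
    ap.add_argument("--timeout", type=float, default=2.0)
    a = ap.parse_args()
    result = source_port_check(a.host, a.dport, a.sport, a.trials, a.timeout)
    for k, v in result.items():
        print(f"{k}: {v}")
```

Run it as root against the reported edge IP and destination port from both a host that routes through Cloudflare normally and, if available, from the origin's own network; if `fixed` shows responses and `ephemeral` shows only timeouts, the scanner's observation is reproducible and can be documented as such. The same comparison can be done with nmap's `--source-port 53` (alias `-g 53`) SYN scan against the same port, once with and once without the flag.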