PCI Scan still finds multiple port vulnerabilities even with WAF rule 100015 set to Block

Our ASV for PCI compliance (Aperia) is finding vulnerabilities for ports:
2052
2053
2082
2083
2086
2087
2095
2096
8080
8443
We have the Cloudflare Pro Plan and, in the firewall WAF “Cloudflare Specials” rules, set rule “100015 Block requests to all ports except 80 and 443” to “Block”, then rescanned a day later, but ASV Aperia is still flagging the same ports listed above as vulnerabilities. Is this a false positive, and if so, can you please provide me with some documentation so I can refute them?

Cloudflare can’t actually close those ports since the IP is shared between multiple tenants.

You can see that those ports are blocked: if you go to http://example.com:PORT in your browser, you’ll be greeted with a message like so:

Those ports correspond with:

https://support.Cloudflare.com/hc/en-us/articles/200169156-Which-ports-will-Cloudflare-work-with-

Also, note that Cloudflare only guaranteed PCI DSS 3.2 compliance on the Business plan.

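To turn the answer above into evidence for the ASV dispute, it helps to record, per flagged port, whether the TCP port accepts a connection (it will, because the shared Cloudflare edge IP listens on every proxied port) and who answers the HTTP request on it: the Cloudflare edge with a block, the Cloudflare edge without a block (the rule is not working), or something that is not Cloudflare at all. The script below is an added example and is not code from the original thread or from Cloudflare. It assumes the zone is proxied by Cloudflare, that the WAF block action answers with a 403 carrying Cloudflare's `Server: cloudflare` / `cf-ray` headers, and that `example.com` is a placeholder for your own hostname. The port lists are taken from the support article linked in the answer.

```python
"""Probe ASV-flagged ports behind Cloudflare and classify who answers.

Added example for this thread, not Cloudflare's or the ASV's code.
Assumptions: the zone is proxied by Cloudflare, WAF rule 100015 ("Block
requests to all ports except 80 and 443") is set to Block, and that block
is delivered by the Cloudflare edge as an HTTP 403 with Cloudflare headers.
"example.com" below is a placeholder hostname.
"""
import http.client
import ssl
import sys

# Ports Cloudflare proxies, from the "Which ports will Cloudflare work with"
# support article linked in the answer above.
CF_HTTP_PORTS = {80, 8080, 8880, 2052, 2082, 2086, 2095}
CF_HTTPS_PORTS = {443, 2053, 2083, 2087, 2096, 8443}
ALLOWED_BY_RULE = {80, 443}   # the two ports rule 100015 leaves open


def classify(port, status, headers):
    """Classify one HTTP response received on `port`.

    `headers` is a dict with lower-cased header names. Returns one of:
      'allowed'      - port 80/443, expected to serve normal traffic
      'edge-blocked' - Cloudflare's edge answered with a 403: the rule is doing
                       its job; the TCP port is open but no request gets through
      'edge-other'   - Cloudflare answered but did not block: rule not effective
      'origin'       - no Cloudflare headers at all: the request reached
                       something other than the Cloudflare edge (investigate)
    """
    from_cf = headers.get("server", "").lower() == "cloudflare" or "cf-ray" in headers
    if port in ALLOWED_BY_RULE:
        return "allowed"
    if not from_cf:
        return "origin"
    if status == 403:
        return "edge-blocked"
    return "edge-other"


def probe(host, port, timeout=5.0):
    """Send GET / to host:port and return (status, lower-cased headers).

    TLS is used on the ports Cloudflare serves HTTPS on, plain HTTP on the
    rest. Raises OSError or http.client.HTTPException if the port does not
    answer like an HTTP(S) service.
    """
    if port in CF_HTTPS_PORTS:
        conn = http.client.HTTPSConnection(
            host, port, timeout=timeout, context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"User-Agent": "asv-port-check"})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def report(host, ports):
    """Probe each port; return {port: verdict}. Unreachable ports read 'closed'."""
    results = {}
    for port in ports:
        try:
            status, headers = probe(host, port)
            results[port] = classify(port, status, headers)
        except (OSError, http.client.HTTPException) as exc:
            results[port] = "closed (%s)" % exc.__class__.__name__
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder
    # The ports Aperia flagged in the question above.
    flagged = [2052, 2053, 2082, 2083, 2086, 2087, 2095, 2096, 8080, 8443]
    for port, verdict in sorted(report(target, flagged).items()):
        print("%5d  %s" % (port, verdict))
```

Run it as `python3 check_ports.py your.domain.example`. A row reading `edge-blocked` is the result to attach to the dispute: the port is reachable because the shared edge IP listens on it, but the only thing an attacker gets back is Cloudflare's block response. Any `origin` row means the hostname resolved to something that is not the Cloudflare edge (grey-clouded record, leaked origin IP) and that port is a real finding, not a false positive.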

Thank you - this was helpful!

