PCI DSS scan failed: ROBOT information disclosure

Hi,

I have a similar issue to the one in this topic: PCI scan failed: ROBOT information disclosure

However, in my case I need to provide an explanation to the SecurityMetrics scan team in order to get the test marked as a false positive.

Can you provide a detailed explanation for the following answer:
The Cloudflare statement shows that the vulnerability is indeed mitigated so that the RSA key isn't exploitable. However, our scanner found that the padding for the RSA ciphertext is incorrect.

"The test sent a crafted RSA ciphertext and then sent a TLS Finished message with incorrect padding. The following differences in behaviour were seen by SecurityMetrics:

- As a baseline with correct formatting: server sent TCP RST
- With incorrect leading bytes: server sent TLS alert 20, server sent TCP FIN
- With the 0x00 byte in incorrect place: server sent TLS alert 20, server sent TCP FIN
- With the 0x00 byte missing: server sent TLS alert 20, server sent TCP FIN
- With an incorrect version number: server sent TLS alert 20, server sent TCP FIN"

Essentially, what we need is a reason as to why, mostly because this goes against the mitigation that Cloudflare says is in place.

Regards
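To make the scanner's reasoning concrete, here is an added example (not code from SecurityMetrics, Cloudflare or the poster) that parses the quoted probe list and flags whether correctly padded and malformed ciphertexts were handled differently, which is the oracle condition a ROBOT test looks for; RFC 5246 section 7.4.7.1 requires a server to treat both cases identically. The report strings are constructed from the wording of the post, and the "uniform" report is a hypothetical contrast case.

```python
import re

# Constructed input: the probe list quoted from the SecurityMetrics report above.
OBSERVED_REPORT = (
    "- As a baseline with correct formatting : server sent TCP RST "
    "- With incorrect leading bytes : server sent TLS alert 20, server sent TCP FIN "
    "- With the 0x00 byte in incorrect place : server sent TLS alert 20, server sent TCP FIN "
    "- With the 0x00 byte missing : server sent TLS alert 20, server sent TCP FIN "
    "- With an incorrect version number : server sent TLS alert 20, server sent TCP FIN"
)

# Constructed contrast (hypothetical): a server that treats every RSA ciphertext
# identically, as RFC 5246 section 7.4.7.1 requires, reported in the same format.
UNIFORM_REPORT = (
    "- As a baseline with correct formatting : server sent TLS alert 20, server sent TCP FIN "
    "- With incorrect leading bytes : server sent TLS alert 20, server sent TCP FIN "
    "- With the 0x00 byte in incorrect place : server sent TLS alert 20, server sent TCP FIN "
    "- With the 0x00 byte missing : server sent TLS alert 20, server sent TCP FIN "
    "- With an incorrect version number : server sent TLS alert 20, server sent TCP FIN"
)

# One probe per "- With ... : events" segment; events run up to the next "- With".
PROBE_RE = re.compile(
    r"-\s*(?:As a baseline with|With)\s+(.+?)\s*:\s*(.+?)"
    r"(?=\s*-\s*(?:As a baseline|With)|$)"
)


def parse_report(text: str) -> dict[str, tuple[str, ...]]:
    """Map each probe description to the tuple of server behaviours it produced."""
    probes = {}
    for m in PROBE_RE.finditer(text):
        events = tuple(e.strip().removeprefix("server sent ") for e in m.group(2).split(","))
        probes[m.group(1).strip()] = events
    return probes


def padding_oracle_verdict(probes: dict[str, tuple[str, ...]]) -> dict:
    """Flag an oracle when any malformed probe behaves differently from the correctly
    padded baseline; identical handling of all five is what closes the side channel."""
    baseline_key = next(k for k in probes if k.startswith("correct"))
    baseline = probes[baseline_key]
    differing = {k: v for k, v in probes.items() if k != baseline_key and v != baseline}
    return {"oracle": bool(differing), "baseline": baseline, "differing": differing}


if __name__ == "__main__":
    for label, report in (("observed", OBSERVED_REPORT), ("uniform", UNIFORM_REPORT)):
        verdict = padding_oracle_verdict(parse_report(report))
        print(label, "oracle" if verdict["oracle"] else "no oracle", verdict["differing"])
```

For the observed report the baseline (TCP RST) differs from all four malformed probes, which is exactly the distinguishable behaviour the scanner is reporting; the verdict only says the behaviours differ, not how much key material such a difference would leak.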

Hi @serghei, log in to Cloudflare and then contact Cloudflare Support and let them know you need a statement that you can forward to your scan team that explains why the vulnerability is a false positive.
