Nexpose: What is Vulnerability PCI Compliance Status?

Can anyone explain what determines the Pass/Fail status of the Vulnerability PCI Compliance Status? Specifically, I'm talking about the "Vulnerability PCI Compliance Status" data field available within a CSV report template.

The obvious answer is CVSS >= 4 = Fail, but that is not a complete answer. DoS vulns and PCI-deemed "automatic failure" vulnerabilities can affect the field. But I'm also finding that vulnerabilities with an approved exception will also cause a Fail to turn into a Pass. What other factors will alter this field? Is there any way to determine what caused the change in setting? For example, if I generate a CSV export report of devices in a particular asset group, how can I demonstrate to an auditor or a QSA WHY a particular vulnerability is set to "Pass"?

Two examples of vulnerabilities that are unexplainably set to pass include VMSA-2012-0018: Update to ESX glibc package (CVE-2012-3405) (Vulnerability ID: 12966) and VMSA-2012-0013: VMSA-2012-0013 Update to ESX/ESXi userworld OpenSSL library (CVE-2011-4577) (Vulnerability ID: 13203). They have a Vulnerability Severity Level of 5 and 4 respectively. They have a Vulnerability CVSS score of 5 and 4.3 respectively. Neither has an exception. I would think they would be Fail. Yet they're both Vulnerability PCI Compliance Status = Pass.

About the only thing I can find to justify the score is that in the dim_vulnerability table there is a pci_severity_score of 2 for both vulnerabilities. But I have no idea how pci_severity_score is calculated or why that is used instead of Vulnerability Severity Level or CVSS Score.

Posted by Thao Doan 2 years ago
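
An added example (not part of the original question and not Nexpose's own logic): a small triage script that applies only the factors named in the question to a CSV export and lists the rows whose Pass/Fail status those factors do not explain. The sample rows are constructed, with the two VMSA rows using the values quoted in the question; the `Exception Status` column name and IDs 90001 to 90004 are assumptions.

```python
import csv
import io

# Constructed sample of a CSV export. Four column names are the field names
# used in the question; "Exception Status" is an assumed column name.
SAMPLE_EXPORT = """\
Vulnerability ID,Vulnerability Severity Level,Vulnerability CVSS Score,Exception Status,Vulnerability PCI Compliance Status
12966,5,5,,Pass
13203,4,4.3,,Pass
90001,8,7.5,,Fail
90002,6,6.8,Approved,Pass
90003,2,2.6,,Pass
90004,3,3.5,,Fail
"""

CVSS_FAIL_THRESHOLD = 4.0  # baseline rule quoted in the question: CVSS >= 4 = Fail

def classify(row):
    """Say whether the factors named in the question explain this row's status."""
    status = row["Vulnerability PCI Compliance Status"].strip().lower()
    cvss = float(row["Vulnerability CVSS Score"])
    excepted = row.get("Exception Status", "").strip().lower() == "approved"
    if status == "pass":
        if cvss < CVSS_FAIL_THRESHOLD:
            return "explained: CVSS below threshold"
        if excepted:
            return "explained: approved exception"
        return "UNEXPLAINED pass"
    if cvss >= CVSS_FAIL_THRESHOLD:
        return "explained: CVSS at or above threshold"
    # A Fail below the threshold may come from a DoS or automatic-failure rule.
    return "UNEXPLAINED fail"

def triage(csv_text):
    """Map each Vulnerability ID in the export to its classification."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["Vulnerability ID"]: classify(row) for row in reader}

def unexplained(csv_text):
    """IDs that need a follow-up lookup (for example of pci_severity_score)."""
    result = triage(csv_text)
    return sorted(vid for vid, why in result.items() if why.startswith("UNEXPLAINED"))

if __name__ == "__main__":
    for vid, why in triage(SAMPLE_EXPORT).items():
        print(vid, why)
```

The IDs it returns are the ones to document separately for an auditor, since none of the factors listed in the question accounts for their status.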