VMware Cloud Community
duswin
Contributor

Script Src Integrity Check help

Hi everyone,

I have an interesting issue on a 6.5 VCSA (build 15259038) in our stage payment processing environment that is being flagged by our security team from a Nessus vulnerability scan. Interestingly, we have an allegedly "identical" VCSA in our production payment processing environment that is not being flagged for the same vulnerability.

Most of the time when Nessus flags a vulnerability, it's clear enough what needs to be done on the system. This one however, has been so vague that no one on our systems team or our security team can really unpack what it's asking for. Here's the error:

Description:

The remote host may be vulnerable to payment entry data exfiltration due to javascript included from potentially untrusted and unverified third parties script src.

If the host is controlled by a 3rd party, ensure that the 3rd party is PCI DSS compliant.

Solution:

Set script integrity checking on target script or remove target script.

See Also:

http://www.nessus.org/u?c9e76c4f

https://www.w3.org/TR/SRI/

http://www.nessus.org/u?f39144f8

Output:

Path :

Attributes :

  - src :

Port

443/tcp/www

I'm all for removing whatever target script it is referring to, but as you can see the path is blank, so I'm not really sure where to go with that. The only script I can think of on the VCSA that would be non-standard was we used the TLS reconfiguration script to disable TLS 1.0 and 1.1. I never removed the script off of the appliance, but that script's also present on the production appliance (again, no detected vulnerabilities on the production one), so that doesn't seem like the right path to follow.

At the moment, I've taken an 'ls' recursing into the entire tree on both VCSAs and I'm using PowerShell to compare them, but I think that script is going to take a while (comparing two 70M text files takes some time), so I thought I'd throw it out to the community and see if anyone has any ideas.

Thanks for your time!

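The Nessus finding above is about Subresource Integrity (the W3C SRI spec it links to): a `<script src="...">` tag that loads external code without an `integrity` attribute, so the browser has no way to verify the bytes it receives. The example below is added here and is not code from the post or from VMware; it shows the two halves of the fix the plugin's "Solution" line describes, namely computing an SRI `integrity` value for a script's content and building the pinned tag, and a small checker that flags the same condition the scan reports (external script tags with no `integrity` attribute) over a constructed HTML fragment. The script body, the `cdn.example.invalid` URL and the HTML snippet are constructed sample data, not anything from a VCSA.

```python
import base64
import hashlib
import re

# Constructed sample script body standing in for a third-party script of the
# kind the scan description refers to; the real VCSA scripts are not reproduced.
SAMPLE_SCRIPT = b"console.log('payment widget loaded');\n"


def sri_integrity(content: bytes, algorithm: str = "sha384") -> str:
    """Return the SRI 'integrity' value for content: the hash algorithm name,
    a dash, then the base64 encoding of the raw (binary) digest, exactly as
    https://www.w3.org/TR/SRI/ defines it. Only three algorithms are permitted."""
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI only permits sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_script_tag(src: str, content: bytes) -> str:
    """Build the hardened tag. integrity pins the exact bytes the browser may
    execute; crossorigin is needed for cross-origin resources, otherwise the
    browser cannot read the response and refuses to run the script at all."""
    return (
        f'<script src="{src}" integrity="{sri_integrity(content)}" '
        f'crossorigin="anonymous"></script>'
    )


SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'([a-zA-Z:-]+)\s*=\s*"([^"]*)"')


def scripts_missing_integrity(html: str):
    """Return the src of every <script> tag that loads external code without an
    integrity attribute: the same condition reported in the scan output above.
    Inline scripts (no src) are skipped because SRI does not apply to them."""
    flagged = []
    for match in SCRIPT_TAG_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(match.group(1))}
        if "src" in attrs and "integrity" not in attrs:
            flagged.append(attrs["src"])
    return flagged


# Constructed page fragment: one unpinned external script (what the scan flags),
# the same script pinned with SRI, and an inline script SRI does not cover.
SAMPLE_HTML = f"""
<script src="https://cdn.example.invalid/widget.js"></script>
{sri_script_tag("https://cdn.example.invalid/widget.js", SAMPLE_SCRIPT)}
<script>var inlineCode = 1;</script>
"""

if __name__ == "__main__":
    print("integrity value:", sri_integrity(SAMPLE_SCRIPT))
    print("hardened tag:", sri_script_tag("https://cdn.example.invalid/widget.js", SAMPLE_SCRIPT))
    for src in scripts_missing_integrity(SAMPLE_HTML):
        print("missing integrity:", src)
```

Two practical caveats follow from how SRI works: the integrity value is tied to the exact bytes, so a pinned tag breaks whenever the upstream script changes (which is the point, but it means the value must be regenerated on every legitimate update), and pinning only helps for scripts served from a host you do not control; a script served by the appliance itself is better handled by the "remove target script" half of the Nessus solution if it is not needed.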