BIND PCI scan false positive

by InMotion Hosting Contributor

1 Minutes, 49 Seconds to Read

In this article we’ll discuss why a PCI scan could have possibly failed as a false positive, stating an outdated version of BIND (Berkeley Internet Name Domain) which is the service that handles DNS requests. If you have read our previous article on how to pass PCI compliance scans, the BIND service being outdated is a common false positive that we see.

The reason for this is because we run cPanel on our servers, and cPanel utilizes backporting for their software updates instead of simply installing the latest version of the service each time it’s updated. So to a PCI vendor it might seem that the version is outdated and subject to a known exploit, but in reality the service is secure because it has been patched against the exploit already.

If you failed a PCI scan and the reason stated was your server was running an old version of BIND that is exploitable, you can follow these steps to report the issue as a false positive back to your PCI vendor.

  1. Login to your server via SSH
  2. Run the following command: 
    rpm -q bind && rpm -q --changelog bind | head -10

    You should get back text similar to:

    bind-9.8.2-0.10.rc1.el6_3.5.x86_64
* Wed Oct 10 2012 Adam Tkac <atkac redhat com> 32:9.8.2-0.10.rc1.5
- fix CVE-2012-5166

* Tue Sep 18 2012 Adam Tkac <atkac redhat com> 32:9.8.2-0.10.rc1.4
- allow forward{,ers} statement in static-stub zones

* Thu Sep 13 2012 Adam Tkac <atkac redhat com> 32:9.8.2-0.10.rc1.3
- fix CVE-2012-4244

* Wed Jul 25 2012 Adam Tkac <atkac redhat com> 32:9.8.2-0.10.rc1.2

    You should notice the latest patch applied to BIND was on Wed Oct 10 2012. So if your PCI scanning vendor has failed your website due to the BIND version, provide them with this information so they can mark it as a false positive.

    In this example we used head -10 to only show 10 lines from the full changelog, you can adjust that number to see updates going further back in time.

You should now understand how to retrieve the changelog of the BIND service on your server, to show a PCI vendor that it should be reported as a false positive.

Share this Article
InMotion Hosting Contributor
InMotion Hosting Contributor Content Writer

InMotion Hosting contributors are highly knowledgeable individuals who create relevant content on new trends and troubleshooting techniques to help you achieve your online goals!

More Articles by InMotion Hosting
Related Articles
How To Open a Port in UFW
Resetting the cPanel Password in WHM
How to Change your root Password in WHM
How to Stop and Disable Firewalld
Content Security Policy (CSP) Headers – Complete Reference Guide
Why You Need To Keep Your Website’s PHP Version Up-to-Date
Learning About Mod_security and Disabling Mod_security
Close Open Ports for PCI Compliance
How to Pass PCI Compliance Scans
DDoS Protection Using Corero

Need More Help?

Current Customers

Chat: Chat with Sales
Call: 757-416-6575 x2
Ticket: Submit a Support Ticket

Get Reliable Web Hosting

Chat: Chat with Sales
Email: [email protected]
Call: 757-416-6575 x1

Get web hosting that grows with your business. Our all-in-one hosting platform gives you everything your website needs to scale - so you can focus on the next big thing for you and your business.