PCI Scan False Positives Explained (Firstserv Guide)
When running PCI compliance scans, you may occasionally see reported vulnerabilities that do not actually impact your website or server security. These are known as false positives.
Why Do False Positives Occur?
Many scanning tools identify vulnerabilities by checking software version numbers only. However, this approach doesn’t always reflect the real security status of a system.
Backported Security Fixes
Firstserv servers (like most enterprise Linux systems) use backporting, where:
- Security patches are applied to the installed software
- The package version number does not change
✅ This means:
- A scan may flag an outdated version
- But the vulnerability has already been patched and mitigated
How to Handle False Positives
If your scan reports vulnerabilities:
- Review the findings carefully
- Compare them against known mitigations
- Submit them to your PCI provider as false positives where appropriate
Common False Positive Categories
Below are typical categories of false positives and why they can be safely disregarded when properly mitigated.
1. OpenSSH Vulnerabilities
Many OpenSSH CVEs flagged in scans:
- ✅ Are already patched via backporting
- ✅ Affect only client-side functionality, not servers
- ✅ Require unrealistic conditions (e.g. prior credential compromise)
In most cases:
- SSH access is restricted
- Key-based authentication is used
- No elevation of privilege is possible
2. Red Hat / AlmaLinux Specific Cases
Firstserv servers use enterprise distributions such as AlmaLinux.
- Some CVEs are marked as:
  - Not applicable
  - Not a bug
  - Disputed by maintainers
✅ These are reviewed and assessed by Red Hat security teams and often deemed non-exploitable.
3. Backported Fixes
Many vulnerabilities are already patched without version changes.
✅ Example scenarios:
- OpenSSH vulnerabilities addressed in system packages
- OpenSSL issues fixed via updates in CloudLinux/AlmaLinux
- Exim vulnerabilities patched upstream
4. Features Not Enabled
Some flagged issues relate to features that are:
- Disabled in server configuration
- Not installed at all
✅ For example:
- Unused authentication methods
- Optional SSH features not enabled
- Deprecated libraries not present
5. Network & Port Scanning Warnings
Some warnings are expected behaviour:
Custom SMTP Ports
- Alternative ports (e.g. 525) may be open
- Provided for customers whose ISP blocks the standard SMTP port
- Still require authentication and encryption (TLS)
Database Access (Port 3306)
- Port may respond, but:
  - External connections are blocked
  - Access is restricted by user permissions
✅ This does not expose the database publicly.
6. Missing Security Headers (e.g. HSTS)
Some scans flag missing headers like HSTS.
✅ These can be optionally added at the site level, for example:
7. Non-SSL Port Warnings
Ports such as:
- 2082 (cPanel)
- 2086 (WHM)
- 2095 (Webmail)
✅ These simply redirect to secure HTTPS ports:
- 2083, 2087, 2096
No sensitive data is processed insecurely.
8. Disabled Mail Commands (EXPN/VRFY)
- Commands like EXPN and VRFY are disabled
- These cannot be used to extract user information
✅ This is standard secure configuration.
Key Takeaway
A PCI scan result does not always mean there is an active vulnerability.
Many findings are:
- ✅ Already patched
- ✅ Not applicable to your setup
- ✅ Based on outdated detection methods
Recommended Actions
When you encounter flagged issues:
- ✅ Review the CVE details carefully
- ✅ Check vendor (e.g. Red Hat) security advisories
- ✅ Confirm whether fixes are already applied
- ✅ Submit the finding as a false positive if appropriate
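One way to confirm a backported fix on an RPM-based system (AlmaLinux, Red Hat), as an added example that is not part of this guide or Firstserv's own tooling: the package changelog records the CVE ids a backport addresses, so checking `rpm -q --changelog` for the id a scan reports is the verification the "Backported Fixes" section and the "Confirm whether fixes are already applied" step describe. The package name, CVE ids and changelog text in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Firstserv's own tooling. On RPM-based systems (AlmaLinux,
# Red Hat) a backported fix leaves the version string a scanner sees unchanged,
# but the package changelog records the CVE id it addresses, so the changelog is
# where to look before reporting a finding as a false positive.

# Return 0 if the changelog text on stdin mentions the CVE id given as $1.
# The id is bounded so that CVE-1900-001 does not match CVE-1900-0010.
changelog_mentions_cve() {
    grep -qiE "(^|[^0-9A-Za-z-])$1([^0-9]|$)"
}

# Query the installed package's changelog with rpm and report on the CVE.
# Returns 0 (fix listed), 1 (not listed; check the vendor advisory),
# 2 (package not installed, so the finding does not apply to this host).
check_backported_cve() {
    pkg="$1"; cve="$2"
    if ! rpm -q "$pkg" >/dev/null 2>&1; then
        echo "$pkg: not installed, finding does not apply"
        return 2
    fi
    if rpm -q --changelog "$pkg" | changelog_mentions_cve "$cve"; then
        echo "$pkg: $cve listed in changelog, backported fix present"
        return 0
    fi
    echo "$pkg: $cve not found in changelog, check the vendor advisory"
    return 1
}

# Constructed sample in rpm changelog format; the CVE ids are placeholders.
SAMPLE_CHANGELOG='* Mon Jan 01 2024 Packager <pkg@example.com> - 8.7p1-10
- Fix CVE-1900-0001 (constructed placeholder id)
- Rebuild against updated libraries
* Mon Jun 05 2023 Packager <pkg@example.com> - 8.7p1-9
- Fix CVE-1900-0010 (constructed placeholder id)'

# Run the check offline against the sample; prints "fixed" or "unfixed".
sample_verdict() {
    if printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_mentions_cve "$1"; then
        echo fixed
    else
        echo unfixed
    fi
}

# Stand-alone run: the sample first, then a real package if rpm is available.
sample_verdict CVE-1900-0001
if command -v rpm >/dev/null 2>&1; then
    check_backported_cve openssh-server CVE-1900-0001 || true
fi
```

In real use, pass the package the scanner named and the CVE id from the report to `check_backported_cve`, and keep the output with the false-positive submission as evidence.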
Summary
- PCI scan false positives are common on managed hosting platforms
- Backported security patches often cause version-based misreporting
- Most flagged vulnerabilities are already mitigated, not exploitable
- Always validate findings before attempting changes
If you need help reviewing scan results or verifying a vulnerability, the Firstserv support team is available to assist.
