PCI DSS v3.2 & Private IP Address Disclosure
Last updated on: September 6, 2020
Private IP address disclosures such as QID 86247 “Web Server Internal IP Address/Internal Network Name Disclosure Vulnerability” will be marked as a Fail for PCI as of February 1, 2018, in accordance with PCI DSS v3.2.
QID 86247 is a PCI Fail according to PCI DSS v3.2 Requirement 1.3.7:
1.3.7 Do not disclose private IP addresses and routing information to unauthorized parties.
Note: Methods to obscure IP addressing may include, but are not limited to:
- Network Address Translation (NAT)
- Placing servers containing cardholder data behind proxy servers/firewalls
- Removal or filtering of route advertisements for private networks that employ registered addressing
- Internal use of RFC1918 address space instead of registered addresses
Successful exploitation of this vulnerability results in the disclosure of the internal IP address or internal network name, which could then be used in further attacks against the target host.
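To illustrate what the QID is detecting, the following is an added example (not Qualys' scanner logic and not part of the original notice): a small checker that parses a raw HTTP response and reports any RFC1918 address (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) found in a response header or in the body. The sample responses are constructed here; in practice the check would be run over responses captured from the in-scope web server, and a hit in a header such as Location is the classic form of this finding.

```python
"""Detect RFC1918 private IPv4 addresses leaked in HTTP responses.

Added example: not the original notice's text and not Qualys' implementation
of QID 86247. The sample responses below are constructed for illustration.
"""
import ipaddress
import re
from typing import List, Tuple

# Only the three RFC1918 blocks count as "private" for PCI DSS 1.3.7 purposes;
# ipaddress.is_private would also flag loopback, link-local and others.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Four dotted decimal octets, not embedded in a longer dotted sequence
# (so a version string like "Apache/2.4.41" is not mistaken for an address).
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def is_rfc1918(addr: str) -> bool:
    """True if addr is a syntactically valid IPv4 address inside an RFC1918 block."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return False
    return any(ip in net for net in RFC1918_NETWORKS)


def find_private_ips(text: str) -> List[str]:
    """All RFC1918 addresses appearing in a piece of text, in order of appearance."""
    return [m for m in IPV4_RE.findall(text) if is_rfc1918(m)]


def split_response(raw: str) -> Tuple[List[Tuple[str, str]], str]:
    """Split a raw HTTP/1.x response into (header name, value) pairs and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:  # lines[0] is the status line
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers, body


def check_response(raw: str) -> List[Tuple[str, str]]:
    """Return (location, address) findings; an empty list means no disclosure."""
    headers, body = split_response(raw)
    findings = []
    for name, value in headers:
        for ip in find_private_ips(value):
            findings.append((f"header:{name}", ip))
    for ip in find_private_ips(body):
        findings.append(("body", ip))
    return findings


# Constructed sample responses (addresses and hostnames are made up).
LEAKY_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://10.20.30.40/portal/\r\n"
    "Server: Apache/2.4.41\r\n"
    "\r\n"
    "<html>moved</html>"
)
LEAKY_ERROR = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Connection to 192.168.5.12:5432 refused"
)
CLEAN = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<a href="https://203.0.113.7/">public</a>'  # TEST-NET-3, not RFC1918
)

if __name__ == "__main__":
    for label, resp in [("redirect", LEAKY_REDIRECT), ("error", LEAKY_ERROR), ("clean", CLEAN)]:
        print(label, check_response(resp))
```

The header/body distinction matters for remediation: a private address in a Location header usually points at a reverse proxy or load balancer that is not rewriting redirects (the proxy/NAT mitigation in the list above), while one in an error body points at application error handling echoing backend connection details.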
For reference, please see the PCI-DSS v3.2 documentation in the PCI-DSS Documents Library.