Secure Vectors Accredited as a PCI DSS Approved Scanning Vendor (ASV)

/0 Comments/in , , ,

📢Secure Vectors Accredited as a PCI DSS Approved Scanning Vendor (ASV):

🌏Among the Few Compliance Firms in Asia-Pacific Holding Four PCI Certifications

Secure Vectors Technologies Inc. is now officially recognized by the PCI SSC as a PCI DSS Approved Scanning Vendor (ASV), offering trusted, industry-grade vulnerability scanning services.

Secure Vectors International now holds four globally recognized PCI certifications:

 

PCI DSS QSA(Qualified Security Assessor)

PCI 3DS Assessor

PCI PIN Security Assessor

PCI DSS ASV(Approved Scanning Vendor)

 

PCI DSS, 3DS, and PIN Security are three of the most critical standards in the payment card industry. With the addition of PCI ASV accreditation—representing advanced technical security expertise—Secure Vectors now offers comprehensive, end-to-end certification services for the financial and payment sectors. Our capabilities span governance, process management, and technical security, delivering a true one-stop PCI compliance solution for our clients.

🔍ASV: The Gold Standard in Vulnerability Scanning and Compliance

 

ASV is more than a standard vulnerability scan—it is a comprehensive assessment service validated by the PCI Security Standards Council (PCI SSC). Under PCI DSS requirements, all entities that store, process, or transmit cardholder data must submit quarterly vulnerability scan reports. PCI SSC mandates that all eligible financial and payment organizations use an Approved Scanning Vendor (ASV) to conduct these scans and provide official, validated reports.

 

Achieving ASV recognition involves three critical requirements:

 

1️⃣ Scanning Tools – The ASV service’s vulnerability detection methods (including manual procedures, workflows, and technical tools) must thoroughly identify all known vulnerabilities according to PCI SSC standards and complete the full Test Bed scan and analysis within 18 hours.

2️⃣ Execution Team – Engineers and service managers performing the scans must pass PCI SSC professional exams annually, ensuring their knowledge and service processes meet PCI SSC standards.

3️⃣ Reporting Process – Officially audited to ensure accurate interpretation of results, proper handling of false positives, and consistent, traceable reporting formats.

 

Only after final review and approval by PCI SSC can a company and its scanning solution obtain formal ASV status.

 

This process tests the ASV provider and solution in:

🔎 Detection Coverage – Ability to cover vulnerabilities across multiple protocol layers

🎯 Assessment Accuracy – Ability to distinguish false positives from real risks

📋 Reporting Rigor – Ability to provide audit-ready compliance evidence

 

ASV: Globally Trusted by the Payment Industry

 

📅 In October 2025, Secure Vectors Technologies Inc. officially passed the PCI SSC review and was listed as an Approved Scanning Vendor (ASV).

 

This recognition represents:

 

  • Industry Recognition – Only ASV scan reports are accepted as valid evidence for PCI DSS compliance audits in the financial payment sector.

  • Validated Technology, Team, and Processes – All aspects have been verified by PCI SSC.

  • Trusted Benchmark in Payments – As one of the few consulting firms in the Asia-Pacific region holding QSA × 3DS × PIN Security × ASV certifications, Secure Vectors International helps enterprises maintain ongoing compliance across multiple regulatory frameworks.

Looking ahead, we aim to use this achievement as a foundation to not only assist financial and payment organizations with ASV scans and compliance reporting but also to provide external domain vulnerability scanning, reporting, and related services across industries and regions — helping enterprises turn compliance into a business growth advantage.

 

Contact Us Today for Expert ASV Vulnerability Scan Support

👉 Contact Us

FAQ

Q1: What is PCI DSS ASV?

ASV (Approved Scanning Vendor) is an external vulnerability scanning service recognized by the PCI Security Standards Council (PCI SSC), whose scanning solution has been tested and approved. Under PCI DSS Requirement 11.3.2, organizations must have quarterly external scans performed by an ASV and receive passing reports to maintain nearly 12 months of compliance evidence.

Q2: How is ASV different from regular scanning tools?

ASV is more than just a scanning tool — it is a complete scanning solution validated by PCI SSC. Its tools, execution team, procedures, and reporting workflow must all pass official testing and audits. Only PCI-recognized ASV scan reports can serve as formal evidence for PCI DSS compliance audits and are widely trusted in the financial and payment industries.

🔒 Microsoft Issues Major Security Update – 130 Vulnerabilities Patched!

/in ,

🔒 Microsoft Releases July 2025 Patch Tuesday Update — Fixes 130 Security Vulnerabilities Including Critical SQL Server Flaw

On July 9, 2025, Microsoft released this month’s Patch Tuesday update, addressing a total of 130 security vulnerabilities, including 10 rated as “Critical.” The updates span multiple key Microsoft products such as SQL Server, Windows, and Office (Word, PowerPoint, Excel).

Among the vulnerabilities, one is particularly relevant to PCI DSS compliance: CVE-2025-49719 (CVSS score: 7.5), an information disclosure vulnerability in Microsoft SQL Server. The flaw could potentially allow unauthorized attackers to read uninitialized memory, exposing sensitive data such as passwords or encryption keys.

 

According to Adam Barnett, Principal Software Engineer at Rapid7, while attackers might not immediately retrieve meaningful data, with skilled manipulation, it may be possible to extract critical information such as encryption keys.

Mike Walters, President of Action1, noted that the vulnerability may stem from insufficient input validation in SQL Server’s memory management, which allows access to uninitialized memory. This could lead to leakage of credentials, connection strings, or other sensitive information. Affected components include the SQL Server engine and applications using OLE DB drivers.

⚠️ Security experts strongly urge:
System administrators and IT teams should immediately deploy this update, especially for organizations running Microsoft SQL Server, to prevent the risk of widespread exploitation.

Source:

https://thehackernews.com/2025/07/microsoft-patches-130-vulnerabilities.html

https://krebsonsecurity.com/2025/07/microsoft-patch-tuesday-july-2025-edition/

#Microsoft #CyberSecurity #PatchTuesday #InfoSec #VulnerabilityManagement #PCI #SQLServer #WindowsSecurity

 

【Secure Vectors's Security Classroom】

📌 What is CVSS?

CVSS stands for the Common Vulnerability Scoring System. It’s a way to evaluate and rank reported vulnerabilities in a standardized and repeatable way. This score helps organizations prioritize their response to different security risks.
CVSS generates a score from 0 to 10 based on the severity of the vulnerability.
With 10 being the most critical, based on factors like how easily the vulnerability can be exploited, its potential impact on confidentiality, integrity, and availability, and the complexity of the attack.
PCI DSS v4.0

Who need PCI DSS Compliance?

/0 Comments/in

Service Provider & Merchant 

Any organization that stores, processes, or transmits cardholder data is required to comply with PCI DSS Standards. Depending on how an organization handles cardholder data, they are categorized into different types and levels.

PCI DSS

Service Provider 

“Service Provider” as defined by PCI DSS is an organization providing services that involve transmitting, processing, or storing payment cardholder data on behalf of merchants or other service providers.

This includes entities offering payment processing services, wallet providers, platforms integrating various payment channels, online marketplaces, and others impact security of cardholder data.

Additionally, data centers providing virtual hosting services and cloud service providers are not directly involved in transaction services; maybe impact cardholder data security to some extent and are also classified as service providers.

Unlike merchants, service providers are categorized into two levels. Using VISA as an example, the classification and compliance requirements are detailed as follows:

Level 1:

  • ● Processes over 300,000 transactions annually.
  • ● Annual on-site assessment by a QSA with submission of a Report on Compliance (ROC).
  • ● Submission of an Attestation of Compliance (AOC).
  • ● Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV).

Level 2:

  • ● Processes less 300,000 transactions annually.
  • ● Annual submission of a Self-Assessment Questionnaire (SAQ).
  • ● Submission of an Attestation of Compliance (AOC).
  • ● Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV).
PCI DSS Service Provider Level

Merchant

Level 1:

  • ● Processes over 6 million transactions annually.
  • ● Annual on-site assessment by a QSA with submission of a Report on Compliance (ROC).
  • ● Submission of an Attestation of Compliance (AOC).
  • ● Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV).

Level 2:

  • ● Processes between 1 million and 6 million transactions annually.
  • ● Annual submission of a Self-Assessment Questionnaire (SAQ).
  • ● Submission of an Attestation of Compliance (AOC).
  • ● Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV).

Level 3:

  • ● Processes between 20,000 and 1 million transactions annually.
  • ● Annual submission of a Self-Assessment Questionnaire (SAQ).
  • ● Submission of an Attestation of Compliance (AOC).
  • ● Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV).

Level 4:

  • ● Processes up to 20,000 transactions annually.
  • ● Annual submission of a Self-Assessment Questionnaire (SAQ).
  • ● Submission of an Attestation of Compliance (AOC).
  • Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV) (optional).

For more details, refer to the VISA website
https://usa.visa.com/support/small-business/security-compliance.html
https://usa.visa.com/partner-with-us/pci-dss-compliance-information.html

Mastercard Level 2 Merchant change

In addition, In addition, Mastercard has specific requirements for Level 2 merchants that differ significantly. If a Level 2 merchant is required to complete SAQ A, SAQ A-EP, or SAQ D for Merchant, the assessment and completion must be conducted by an approved Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). This requirement has been effective since March 2021.

For more information, welcome to contact us.

first time PCI DSS Compliance

PCI DSS Compliance for dummies

/0 Comments/in ,

【PCI DSS Compliance for dummies】

Even Cybersecurity Beginners Can Achieve Compliance

Top 5 questions asked (2W3H), when 1st time required by an acquirer or supervisor to obtain PCI DSS certification.

As the booming growth of e-commerce, remote work, and delivery platforms continues into 2024, the usage of cross-border transactions and online payments has accelerated, making payment card information security increasingly critical.

To protect cardholder personal information, the Payment Card Industry Security Standards Council (PCI SSC) mandates that all entities storing, processing, or transmitting cardholder data must comply with PCI DSS requirements.

The 12 core requirements and their sub-requirements within PCI DSS are designed to protect cardholder data.

When your acquiring bank, regulatory authority or boss requires you to obtain PCI DSS certification, and you’re unsure where to start, you might ask the following five key questions (2W3H):

Table of Contents

What is PCI DSS ?

PCI DSS stands for Payment Card Industry Data Security Standards, which is established and managed by the international organization, Payment Card Industry Security Standard Council (PCI SSC). These standards are specially designed to protect payment card data from unauthorized access and misuse.

PCI SSC comprises major global credit card organizations, including American Express, Discover Financial Services, JCB, MasterCard, Visa Inc., and China UnionPay.

PCI DSS standards are a set of industry-wide guidelines, focused on securing cardholder information across these brands. These standards apply to all entities, which store, process, or transmit cardholder data. Merchants or service providers handling payment cards from these brands, regardless of their size or transaction volume, are all required to follow and comply with PCI DSS to ensure the security of cardholder information.

Who needs PCI DSS Certification?

Any organization that stores, processes, or transmits cardholder data is required to comply with PCI DSS Standards. Depending on how an organization handles cardholder data, they are categorized into different types and levels.

Step 1: To determine whether the entity is a Merchant or Service Provider.

Merchants

Organizations that accept payment cards in exchange for goods or services. This category includes physical stores, online stores, and those offering downloadable virtual goods or services.

Service Providers

Entities that transmit, process, or store payment cardholder data as part of services they offer, or that can control or influence the security of cardholder data, including third-party payment processors, payment gateway providers, wallet service providers, and online marketplaces. Data centers and cloud service providers offering virtual hosting services also belong to this category.

Step 2: Once determining whether your organization is a Merchant or a Service Provider, you can further identify the PCI DSS level.

Level 1 Merchants and Service Providers

require an on-site assessment by a Qualified Security Assessor (QSA), who will conduct the review and provide a report.

Level 2-4 Merchants and Level 2 Service Providers

can use the PCI DSS Self-Assessment Questionnaire (SAQ) to perform a self-assessment, or they can seek assistance from a QSA to ensure a faster and more accurate evaluation.

Service Provider & Merchant

Who can assist PCI DSS Certification?

For Level 1 Merchants or Service Providers undergoing their first PCI DSS assessment, it is advisable to seek professional guidance.

QSA (Qualified Security Assessor)

is a professional authorized by PCI SSC, trained and certified to conduct PCI DSS assessments and provide Reports on Compliance (ROC) and Attestations of Compliance (AOC). QSAs must regularly update their certification to stay current with the latest PCI DSS versions. If your organization is a Level 1 Merchant or Service Provider, an on-site assessment by a QSA is mandatory.

QSAC (Qualified Security Assessor Company)

employs QSAs and provides expert assessment and consulting services. QSAC can assist you in understanding the specific requirements of PCI DSS and guide you in establishing a secure Payment environment.

How to choose QSA and QSAC?

  1. Visit [PCI Security Standards Council] to verify the certified QSA and QSAC.

  2. Inquire peers or partners about their experience and recommendations that already completed PCI DSS Assessment.
  3. Review customer evaluations and case studies of potential QSAs and QSACs to ensure their experience and expertise.
  4. Consultation Services: Conduct initial consultations with multiple QSAs or QSACs to understand their service scope, fee, and work process.

By following these steps, you can find a suitable QSA or QSAC to assist your PCI DSS Assessment, ensuring the payment environment is secure and compliant.

How to do?

PCI DSS Compliance Assessment normally consists of 4 main stages:

1. Preparation Stage

Scope Confirmation and Consulting phase.

**Scope Confirmation**

  • Preliminary Assessment: Evaluate existing security measures to identify gaps and scope needing adjustment.
  • Define Assessment Scope: Determine systems, networks, and applications that need to comply with PCI DSS standards.

**Consultation Phase**

  • Engage Consultant or QSA: Select a Qualified Security Assessor (QSA) or Qualified Security Assessor Company (QSAC) to assist in verifying environment compliance, guiding remediation processes, and scheduling Assessment.
  • Security Training: Provide employees with relevant security training to enhance overall security awareness.

2. Data Preparation Phase

Preparation and Implementation of Necessary Controls

**Data Preparation**

● Policies and Procedures: Develop and update security policies and operational procedures to ensure PCI DSS compliance.
● Document Collection: Gather and organize all required documents and evidence to demonstrate compliance.

3. Assessment Phase

QSA Conducts On-Site Assessment.

**Audit Execution**

● Internal Assessment: Conduct internal reviews before formal Assessment to ensure all issues are addressed.

● On-Site Assessment: Conduct on-site Assessment led by QSA to verify consistency between actual operations and documented practices.

4. Report Phase

QSA Writes and Submits Compliance Reports and Certifications

● Report Writing: QSA writes Report on Compliance (ROC) and Attestations of Compliance (AOC).

● Report Submission: You can submit a report to the Payment Card Organization or Acquirer.

● Certification Issuance: You will receive compliance certifications indicating adherence to PCI DSS standards from QSAC.

How long does it take?

The overall timeline for achieving PCI DSS compliance certification, from initial environment verification to providing final reports, is about 3 to 5 months. Main stages of Compliance Certification Process are listed below:

  1. Preparation Stage(1-2 months):Environment Verification and Consultation Phase.

  2. Data Preparation Stage (1 month): Preparation and Implementation of necessary Control Measures.

  3. Assessment Stage (5-7 days): On-site Assessment conducted by QSA.

  4. Report Stage (0.5-1 month): QSA writes and submits Compliance Reports and Certifications.

PCI DSS Certification timeline

Actual timelines may vary due to the following factors:

  • Preparedness: The extent of preparation before certification can expedite the process.
  • Complexity of Systems and Operations: The complexity of IT environments, network architecture, and operational processes can affect certification timelines.
  • Resources invested by the company (including manpower, time, and budget) and efficiency in project management.


To ensure an efficient process, it is recommended to:

  • Begin preparation: As early as possible, especially organizing documents and policies.
  • Effective Communication: Maintain close communication with QSA throughout the certification process to promptly address any issues that arises.
  • Continuous monitoring: After certification, it is necessary to continue maintaining and improving security measures to ensure long-term compliance with PCI DSS requirements.

How much does it cost?

Estimated Additional Costs for 1st-time PCI DSS Compliance

A. System

Due to the high-security requirements of PCI DSS, certain systems may need to be separated to comply with requirements such as having only one primary function per system component (Req. 2.2.3). Previously, functions like Web Server, Application Server, and DB Server might have been on one machine but now need to be split, potentially requiring additional server equipment (virtual servers can be used).Additionally, security components like NTP Servers, FIM Servers (File Integrity Management), and Log Servers may be needed to meet compliance, potentially increasing the number of required machines compared to before.

B. Security Equipment

Meeting PCI DSS security requirements may necessitate purchasing additional security equipment such as Network Security Control devices (NSCs) like firewalls, Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS), and Web Application Firewalls (WAF).

C. Data Encryption Equipment

Organizations with high security and performance demands may opt for Hardware Security Modules (HSMs) to encrypt card data securely as required by PCI DSS.

D. Personnel Training

PPCI DSS mandates training for personnel including awareness training, secure coding training, and conducting drills for Incident Response Plans (IRP). If staff perform Vulnerability Scans or Penetration Tests, they will also require adequate security training, potentially increasing training costs.

E. Technical Test

PCI DSS requires various periodic technical tests including Internal Vulnerability Scans, External Vulnerability Scans (ASV), Internal and External Penetration Tests, Wireless Scans, Card Number Scans, and Code Reviews. This section typically incurs additional expenses.

F. Other

If you are a service provider, acquiring institutions or card organizations may require registration in their service provider registries like VISA Registry or MasterCard SDP (Service Provider Registration).

For a small to medium-sized Service Provider without prior PCI DSS compliance experience, the estimated additional expenses might include as listed below:

PCI DSS extra cost for first time

PCI DSS Certification Costs

In addition to the potential additional costs mentioned above, the cost of PCI DSS Assessment can be varied with the time required by PCI DSS QSAs to complete the Assessment and Report.

The estimated assessment time depends on the following factors:

  1. System Complexity: The number of hosts, types of operating systems used, components installed on systems, multiple OS configurations, and security configurations all affect the sampling required during audits and increase audit time.

  2. Security Equipment and Networks: The number of security devices within the assessment scope such as Firewalls, IPS, IDS, WAF, Switches, Routers, SIEM, DRP, etc., requires configuration, updates, access control checks, logging, and more, thereby increasing assessment time with more devices and complex network planning.

  3. Connections to Acquiring Institutions and Service Providers: More connections to acquiring institutions and service providers form more complex data flows (Dataflows), necessitating additional time for inspection.

  4. Database and Card Data Storage and Encryption Methods: Diverse card data flows and storage methods require more encryption or security measures, resulting in additional inspection items.

  5. Number of Operational Units: The number of stores, data centers, and operational offices increases the days required for Assessment, e.g., banks, telecom companies, and businesses with numerous stores and offices with extensive sampling. Moreover, backup data centers storing card data are also included in the scope.

Generally speaking, PCI DSS Assessment costs vary by region due to different annual fees set by the PCI SSC and varying salaries for QSAs in different regions. In Southeast Asia, e.g., a small to medium-sized service provider requires 3-5 days for on-site Assessment and around a week for report compilation. Excluding travel costs, PCI DSS certification costs typically range between NT$400,000 to NT$600,000.

However, an actual quotation depends on the complexity factors mentioned above.

Who needs PCI DSS Compliance?
Which SAQ Type?

Whether you are a cross-border e-commerce business, a third-party payment platform, or a service provider, adhering to PCI DSS compliance requirements is crucial. Implementing these compliance measures not only provides your acquiring bank and regulatory authorities with a certificate of compliance but also directly helps your business reduce the risk of data breaches and theft while enhancing consumer confidence in the security of their transactions.

PCI DSS compliance consists of over 400 requirements, covering everything from understanding and interpreting the standards, providing evidence, and obtaining certification, to maintaining compliance in the future. How do you ensure ongoing compliance?

It is recommended to consider hiring a QSAC (Qualified Security Assessor Company) to help you quickly and effectively achieve compliance in a short time.

After certification, you can utilize a compliance management system offering features such as automated monitoring, alerts, regular data submission, and real-time visual status updates. This ensures that your business remains compliant and secure at all times.

*For more information about PCI Compliance Services, please feel free to contact us.

What is your SAQ Type?

/0 Comments/in ,

What is your SAQ Type?

PCI DSS Self-Assessment Questionnaire (SAQ) is a self-assessment questionaire designed to evaluate the compliance status of payment systems. It applies to merchants of levels 2-4 and service providers of level 2.

SAQ assesses an organization’s compliance with various standards. For example, under Visa’s guidelines, merchants processing fewer than 6 million transactions annually or service providers processing fewer than 300,000 transactions annually qualify for the SAQ.

Table of Contents

5 Steps for PCI DSS SAQ Self-Assessment:

  1. Select the SAQ type applicable to you.
  2. Verify that the scope of your PCI DSS environment is accurate.
  3. Self-assess if
    your environment is compliant with PCI DSS requirements.
  4. Complete the SAQ documentation, including assessment information, the questionnaire, and supporting evidence.
  5. Submit the SAQ assessment results and the Attestation of Compliance (AOC) to the requesting organization (acquirer).
Most importantly, choose the SAQ type that suits your environment!

 

For e-commerce, these SAQ versions may apply:

  • Service Providers

SAQ D for Service Provider:

Applicable only to service providers, it includes the requirements from SAQ D for Merchants and adds criteria for documentation and customer policies, procedural reviews, configuration checks, alerts, penetration test records, and more, with a total of 259 questions.

  • Merchants

SAQ A:

For fully outsourced payment services (e.g., payment page using URL redirect or iFrame). SAQ A involves document checks, configuration checks, policy reviews, data retention and disposal, and external vulnerability scans. It’s the shortest SAQ version, with only 29 questions.

SAQ A-EP:

For merchants using an outsourced payment processor but managing their own payment page. SAQ A-EP covers SAQ A items and adds requirements for network management, host management, data security, vulnerability management, access control, and monitoring/testing, with significant additional requirements due to partial involvement in payment processing.

SAQ D for Merchant:

For merchants with an in-house payment system or those storing cardholder data electronically. SAQ D for Merchant has broader requirements than SAQ A-EP, covering all PCI DSS requirements for merchants.

There are 10 different types of PCI DSS SAQs, each determined by the type of payment services you provide. The appropriate SAQ type is typically identified by your acquiring bank or with assistance from a Qualified Security Assessor (QSA), who can review your Cardholder Data Environment (CDE), cardholder data processes (such as card number handling), and data flow to accurately determine the applicable SAQ type. Alternatively, you can refer to the following PCI DSS SAQ type descriptions for a preliminary assessment. For your preliminary assessment, refer to PCI DSS SAQ types provided below.

If you need more information about SAQ types and achieve PCI DSS compliance effectively and accurately, the professional advice from QSA or QSAC is highly recommended. Their expertise can provide valuable insights tailored to your specific needs and ensure your compliance in the most effective manner possible.

How to meet the additional requirement for Service Provider only by PCI DSS v4.0 provision 12.4.2?

/0 Comments/in ,
Read more

[GCP] Be careful using GCP’s CI/CD service Google Cloud Build!

/0 Comments/in ,
Read more

Immediate Response Required: Windows 10/11 (CVE-2021-36934) Security Vulnerabilities

/0 Comments/in ,

Microsoft Windows has recently updated, causing a high-risk Security Vulnerability (CVE-2021-36934) with a CVSS score of over 7 on July 23, 2021. This vulnerability is originated from the loose access policy for some system files, such as the Security Accounts Manager (SAM) databases. Users with malicious intent can use this vulnerability to elevate privileges to execute malicious code, view, change and even delete data, or create a new user account with full authority, etc.

From testing, the devices currently affected are mainly Windows 10 and Windows 11, however from the official information released by Microsoft, Windows Server 2019 is also affected. We must pay special attention to this issue, as there is currently no patch for this update that will safeguard against this vulnerability. As a short-term solution, there is an official workaround. For example, you can delete the affected Volume Shadow Copy Service. (Please refer to: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934)

Looking at this issue from the perspective of PCI DSS Compliance, the CVSS score of this vulnerability, which is 7.8 in Base Score Metrics, is of high-risk as it is a higher score than 7. This should be patched within 30 days if possible. Otherwise, other safeguard solutions must be found. If the ASV (Approved Scanning Vendor) external vulnerability scan encounters this problem, the vulnerability scan will not pass.

In addition, Windows 10 is commonly used as a springboard in the server room. Because of the Windows springboard, this may be assigned to different personnel. It is also important to pay attention whether there are ordinary users who will use this vulnerability for other purposes such as unauthorized activities.

This begs the question: How can one maintain the integrity of your security and systems with this vulnerability? We at Secure Vectors propose the following suggestions:

  1. Firstly, restrict access to specific system directories and delete backup copies from the Volume Shadow Copy Service (VSS). The reason for doing this is so that the system cannot be restored through backup/restoration tools. During this period while a patch is being developed, you can prevent the restoration operation from happening.
  2. Temporarily restrict “non-host management authority (Administrator)” personnel from logging into the host. General user accounts are usually able to access the core configuration files, SAM databases, etc. By doing this, non-host management authority personnel will not be able to access these files and thus your organization can avoid attacks from hackers through elevation of authority.
  3. Remember to update the scanning database of the internal vulnerability scanning tool to the latest version and perform a scan to check if the current tool can identify the problem.

Secure Vector consultant

Bryan Cheng

Secure Vectors Information Technologies, Inc. - PCI QSA and Senior Consultant

- Payment Card Industry Security, IT Security Management, Cloud Service Management
- Professional Certification:PCI DSS QSA, CISSP, ISO27001 LA, BS10012 LA, MCSE, MCITP, TUViT Privacy Protection Consultant

Secure Vectors Information Technologies Inc., is a consulting firm specialized in providing payment card related security consulting and assessment services. We provide comprehensive payment card related security consulting and certification services, including PCI DSS, PCI 3DS, PCI PIN Security Standards. Also providing personal data protection, GDPR compliance inspection and other consulting services. Headquartered in California, U.S., and with branch offices in Taiwan (Taipei), China (Beijing and Hunan), Vietnam (Hanoi), and Singapore. With over 70 percent market share in Taiwan and 8 years experiences in PCI compliance, we developed compliance management program and collaborating services to fit every business.

You might also like


Secure Vectors Accredited as a PCI DSS Approved Scanning Vendor (ASV)

🔒 Microsoft Issues Major Security Update – 130 Vulnerabilities Patched!

PCI DSS v4.0

Who need PCI DSS Compliance?

first time PCI DSS Compliance

PCI DSS Compliance for dummies

What is your SAQ Type?

[GCP] Be careful using GCP’s CI/CD service Google Cloud Build!

【FortiOS】SSL-VPN Major Security Vulnerability (CVE-2023-27997) Have you fixed it?

Immediate Response Required: Windows 10/11 (CVE-2021-36934) Security Vulnerabilities

*For more information and inquiries please kindly email us at service@securevectors.com , our experts will answer all your questions as soon as possible.



Sequoia Vulnerability (CVE-2021-33909), PCI DSS Experts advise

/0 Comments/in ,

An out-of-bounds write flaw was found in the Linux kernel’s seq_file in the Filesystem layer. This flaw allows a local attacker with a user privilege to gain access to out-of-bound memory, leading to a system crash or a leak of internal kernel information. The issue results from not validating the size_t-to-int conversion prior to performing operations.

From PCI DSS point of views, primary concerns are operating system user account security.  Verification on the necessities of allowing access given to System, restrict only the mandatory rights to login with logging, ePBF etc. Patch management, especially critical, should be complete in 30 days.


  • PCI DSS Requirements 2.1 : Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.  Verify /etc/password have proper settings, delete or set to “nologin”, preventing non mandatory users can login using vulnerability to compromise the system.
  • PCI DSS Requirements 6.2 : Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.

Verify Operating System vendors have releasing relate patch and complete patch update within 1 month.  If there are no updates from the vendors, necessary mitigation process should be in place.


Patch updates resolving this vulnerability (CVE-2021-33909) noted by Qualys Security Research Team, see following form for Patch listing:


SourceRisk level
NESSUS
https://www.tenable.com/cve/CVE-2021-33909		CVSS (v2) 7.2
NIST NVD
https://nvd.nist.gov/vuln/detail/CVE-2021-33909		CVSS (v3) 7.8
Redhat
https://access.redhat.com/security/cve/cve-2021-33909		CVSS (v3) 7.0
CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33909		Source: MITRE

Update on 2021/09/10

Qualys Security Research Team has proven vulnerability by accessing root rights in vulnerable OS of : Ubuntu 20.04、Ubuntu 20.10、Ubuntu 21.04、Debian 11 and Fedora 34 Workstation.  Other Linux OS may result in I.O.C. generate from this vulnerability.  Linux Servers patch fix as follow:


Operating SystemSecurity patch link
Redhathttps://access.redhat.com/security/cve/cve-2021-33909
CentOShttps://centosfaq.org/centos/its-been-six-days-since-cvd-2021-33909-was-patched-in-rhel-whats-the-holdup-for-stream-8/

https://centos.pkgs.org/8-stream/centos-baseos-x86_64/kernel-4.18.0-326.el8.x86_64.rpm.html

SUSEhttps://www.suse.com/security/cve/CVE-2021-33909.html
ubuntuhttps://ubuntu.com/security/CVE-2021-33909

Update on 2021/09/10

If there are no updates from the vendors, necessary mitigation process should be in place.

sysctl kernel.unprivileged_userns_clone=1   # unprivileged_userns_clone set as 0

sysctl kernel.unprivileged_bpf_disabled=1   # unprivileged_bpf_disabled set as 1

For technical details, please refer to below link:

https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt


Max Tsai

Secure Vectors Information Technologies, Inc. - PCI QSA and Senior Consultant

• Payment Card Industry Security, IT Security Management, Cloud Service Management
• Professional certification: PCI DSS QSA, CISSP, ISMS LA



Secure Vectors Information Technologies Inc., is a consulting firm specialized in providing payment card related security consulting and assessment services. We provide comprehensive payment card related security consulting and certification services, including PCI DSS, PCI 3DS, PCI PIN Security Standards. Also providing personal data protection, GDPR compliance inspection and other consulting services. Headquartered in California, U.S., and with branch offices in Taiwan (Taipei), China (Beijing and Hunan), Vietnam (Hanoi), and Singapore. With over 70 percent market share in Taiwan and 8 years experiences in PCI compliance, we developed compliance management program and collaborating services to fit every business.



You might also like


Secure Vectors Accredited as a PCI DSS Approved Scanning Vendor (ASV)

🔒 Microsoft Issues Major Security Update – 130 Vulnerabilities Patched!

PCI DSS v4.0

Who need PCI DSS Compliance?

first time PCI DSS Compliance

PCI DSS Compliance for dummies

What is your SAQ Type?

[GCP] Be careful using GCP’s CI/CD service Google Cloud Build!

【FortiOS】SSL-VPN Major Security Vulnerability (CVE-2023-27997) Have you fixed it?

Immediate Response Required: Windows 10/11 (CVE-2021-36934) Security Vulnerabilities

*For more information and inquiries please kindly email us at service@securevectors.com , our experts will answer all your questions as soon as possible.