
Vulnerable Software (Banner Detection)

We read the version numbers your server volunteers in HTTP response headers and HTML generator tags, then compare them to known-vulnerable releases. A banner that advertises a version with a published CVE is the easiest finding for an attacker to act on: no probing is needed, the server has already named its weakness.

What this check probes

We extract version strings from:

  • Server response header — Apache/2.4.41, nginx/1.16.1, Microsoft-IIS/8.5, LiteSpeed.
  • X-Powered-By response header — PHP/7.2.10, ASP.NET, Express.
  • X-AspNet-Version, X-AspNetMvc-Version — ASP.NET-specific.
  • HTML <meta name="generator"> tag — WordPress 5.4.2, Drupal 9, Joomla! 3.9.20.
  • OpenSSL version exposed during the TLS handshake (when present).

Each version is compared to the maintainer's current stable release and to a list of headline CVEs (Heartbleed, Shellshock, Log4Shell, Drupalgeddon, ProxyLogon, etc.). If the banner version is older than the CVE fix version, it's flagged.
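The extraction and comparison described above, as an added example (not the scanner's own code): it pulls product/version pairs from the Server and X-Powered-By headers, the X-AspNet-Version header, and the HTML generator tag, then compares each against a fix-version table. The sample response, the fix thresholds and the advisory labels are constructed for illustration; a real check would read them from a maintained advisory feed. The example also covers two things a practitioner should want from such a check: versions are compared numerically (a string comparison says "7.2.10" is older than "7.2.9"), and hits on distro-built packages are marked for confirmation, because Debian, Ubuntu and Red Hat routinely backport fixes without changing the upstream version in the banner.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple

# Constructed sample response (headers + body) standing in for a scanned host.
SAMPLE_HEADERS: Dict[str, str] = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.10",
}
SAMPLE_HTML = (
    '<html><head><meta name="generator" content="WordPress 5.4.2" />'
    "</head><body>hello</body></html>"
)

# Hypothetical fix-version table: product -> (first patched version, advisory label).
# Thresholds and labels are constructed for this example, not taken from a CVE feed.
FIX_VERSIONS: Dict[str, Tuple[str, str]] = {
    "apache": ("2.4.43", "EXAMPLE-ADVISORY-APACHE"),
    "php": ("7.2.11", "EXAMPLE-ADVISORY-PHP"),
    "wordpress": ("5.4.2", "EXAMPLE-ADVISORY-WP"),
    "nginx": ("1.16.1", "EXAMPLE-ADVISORY-NGINX"),
}

# Matches "Apache/2.4.41", "WordPress 5.4.2", "Joomla! 3.9.20": product, separator, dotted version.
BANNER_RE = re.compile(r"(?P<product>[A-Za-z][A-Za-z0-9.!\-]*)[/ ](?P<version>\d+(?:\.\d+)+)")
# Markers that indicate a distro build, where the fix may be backported under the old number.
DISTRO_MARKERS = ("(ubuntu)", "(debian)", "(red hat)", "(centos)", "(rocky)")


def parse_version(v: str) -> Tuple[int, ...]:
    """'7.2.10' -> (7, 2, 10). Numeric tuples order correctly; strings do not ('7.2.10' < '7.2.9')."""
    return tuple(int(p) for p in v.split("."))


class GeneratorParser(HTMLParser):
    """Pulls the content of <meta name="generator"> out of an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.generator: Optional[str] = None

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "generator":
            self.generator = a.get("content")


def extract_banners(headers: Dict[str, str], html: str) -> List[Dict[str, str]]:
    """Return one record per product/version string the response volunteers."""
    found: List[Dict[str, str]] = []
    for name in ("Server", "X-Powered-By"):
        value = headers.get(name, "")
        for m in BANNER_RE.finditer(value):
            found.append({"source": name, "product": m.group("product").lower(),
                          "version": m.group("version"), "raw": value})
    # X-AspNet-Version carries only the number; the product is implied by the header name.
    aspnet = headers.get("X-AspNet-Version", "")
    if re.fullmatch(r"\d+(?:\.\d+)+", aspnet):
        found.append({"source": "X-AspNet-Version", "product": "asp.net",
                      "version": aspnet, "raw": aspnet})
    parser = GeneratorParser()
    parser.feed(html)
    if parser.generator:
        m = BANNER_RE.search(parser.generator)
        if m:
            found.append({"source": "meta generator", "product": m.group("product").lower(),
                          "version": m.group("version"), "raw": parser.generator})
    return found


def assess(banners: List[Dict[str, str]], table=FIX_VERSIONS) -> List[Dict[str, object]]:
    """Flag any banner older than the table's fix version.

    Distro builds often backport fixes without bumping the upstream number, so those hits
    carry verify_backport=True: confirm against the package changelog before treating as unpatched.
    """
    findings: List[Dict[str, object]] = []
    for b in banners:
        if b["product"] not in table:
            continue
        fix, advisory = table[b["product"]]
        if parse_version(b["version"]) < parse_version(fix):
            findings.append({
                **b, "fix": fix, "advisory": advisory,
                "verify_backport": any(tag in b["raw"].lower() for tag in DISTRO_MARKERS),
            })
    return findings


if __name__ == "__main__":
    for f in assess(extract_banners(SAMPLE_HEADERS, SAMPLE_HTML)):
        note = " (distro build: confirm with package changelog)" if f["verify_backport"] else ""
        print(f'{f["source"]}: {f["product"]} {f["version"]} < {f["fix"]} [{f["advisory"]}]{note}')
```

On the constructed sample, Apache 2.4.41 and PHP 7.2.10 are flagged and WordPress 5.4.2 is not, because it already equals the table's fix version; the Apache hit is marked for backport confirmation because the banner names a distro build. Version suffixes such as the letter in OpenSSL 1.1.1f are deliberately dropped by the regex, which is good enough for a triage check but not for deciding a patch level on its own.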

Why this matters for PCI DSS

PCI DSS 4.0 Requirement 6.3.3: "All system components are protected from known vulnerabilities by installing applicable security patches/updates" — critical patches within one month of release.

Requirement 11.3.1 requires internal vulnerability scans every three months. Requirement 11.3.2 requires external scans by an Approved Scanning Vendor (ASV) every three months. Both will fail you on a missed CVE patch.

A version banner is just the easy way to spot the problem from outside. The real issue is the unpatched code; hiding the banner without patching is security theatre.

How to fix it

Patch first. A current version is not vulnerable to the CVE we found, even if it still leaks the version.

  • Ubuntu / Debian — enable unattended-upgrades for security: sudo apt install unattended-upgrades, then sudo dpkg-reconfigure unattended-upgrades.
  • RHEL / CentOS / Rocky — install dnf-automatic, configure /etc/dnf/automatic.conf with upgrade_type = security and apply_updates = yes.
  • Windows Server — Windows Update for Business or WSUS, configured to install critical/security within the patch SLA.
  • WordPress / Drupal / Joomla — enable automatic minor-version core updates, and use a managed host (Pantheon, Kinsta, WP Engine) if patching is not your core competence.
  • PHP / Node / Python runtimes — pin to a still-supported major version and follow the upstream release schedule.

Then hide the version banner as a secondary measure (covered in Check 4):

# nginx
server_tokens off;

# Apache
ServerTokens Prod
ServerSignature Off

# PHP
expose_php = Off

# WordPress: install a security plugin or filter:
add_filter('the_generator', '__return_empty_string');

Fixed it? Re-run the scan to confirm.