I am getting a PCI compliance failure for a PPTP VPN on port 1723.
The scan is being performed by Sysnet, who are failing it due to the CVE-2003-0123 exploit of the PoPToP VPN server.
Does anyone have current information to refute this finding / make a case for a false positive?
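What an external scanner actually sees on 1723 is the PPTP Start-Control-Connection exchange from RFC 2637, and the reply carries a protocol version, a firmware revision, a hostname and a vendor string but no package patch level, so a banner-based check cannot tell a fixed pptpd from an unfixed one. The following is an added example (not part of the question, not code from PoPToP or Sysnet) that sends a well-formed SCCRQ, parses the SCCRP, and shows what fields are available to argue the finding; the sample reply is constructed here and assumes pptpd's default hostname "local" and vendor "linux", which is an assumption, not a quoted banner. The probe output must be paired with the installed package version (`pptpd --version`, or the distribution package) against the fix in pptpd 1.1.4-b3 / 1.1.3-20030409 described by CVE-2003-0123; the wire reply alone cannot prove either case.

```python
import socket
import struct

# RFC 2637 section 2.1: Start-Control-Connection-Request / -Reply layout.
PPTP_MAGIC = 0x1A2B3C4D
PPTP_CTRL_MESSAGE = 1
SCCRQ = 1            # Start-Control-Connection-Request
SCCRP = 2            # Start-Control-Connection-Reply
PPTP_VERSION = 0x0100  # protocol version 1.0
SCC_LEN = 156        # both SCCRQ and SCCRP are fixed at 156 bytes

# Request:  len, msgtype, magic, ctrltype, rsvd0, version, rsvd1,
#           framing, bearer, maxchan, firmware, hostname[64], vendor[64]
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"
# Reply:    same, except rsvd1 is split into result code + error code
SCCRP_FMT = "!HHIHHHBBIIHH64s64s"


def build_sccrq(hostname=b"pci-probe", vendor=b"probe"):
    """Build a well-formed SCCRQ so the server answers with a real SCCRP."""
    return struct.pack(
        SCCRQ_FMT,
        SCC_LEN, PPTP_CTRL_MESSAGE, PPTP_MAGIC, SCCRQ, 0,
        PPTP_VERSION, 0,
        1 | 2,              # framing capabilities: async + sync
        1 | 2,              # bearer capabilities: analog + digital
        0, 0,               # max channels, firmware revision (client side)
        hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"),
    )


def _cstring(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_sccrp(data):
    """Validate an SCCRP and return the fields a scanner can fingerprint on."""
    if len(data) < SCC_LEN:
        raise ValueError("short reply: %d bytes" % len(data))
    (length, msgtype, magic, ctrltype, _rsvd0, version, result, error,
     framing, bearer, maxchan, firmware, host, vendor) = struct.unpack(
        SCCRP_FMT, data[:SCC_LEN])
    if msgtype != PPTP_CTRL_MESSAGE or magic != PPTP_MAGIC:
        raise ValueError("not a PPTP control message")
    if ctrltype != SCCRP:
        raise ValueError("unexpected control message type %d" % ctrltype)
    return {
        "length": length,
        "protocol_version": "%d.%d" % (version >> 8, version & 0xFF),
        "result_code": result,      # 1 = success
        "error_code": error,
        "framing_caps": framing,
        "bearer_caps": bearer,
        "max_channels": maxchan,
        "firmware_revision": firmware,
        "hostname": _cstring(host),
        "vendor": _cstring(vendor),
    }


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host, port=1723, timeout=5.0):
    """Open a PPTP control connection and return the parsed SCCRP."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        return parse_sccrp(_recv_exact(s, SCC_LEN))


# Constructed sample SCCRP for offline use. The hostname "local" and vendor
# "linux" are what pptpd is assumed to send; they are not a captured banner.
SAMPLE_SCCRP = struct.pack(
    SCCRP_FMT,
    SCC_LEN, PPTP_CTRL_MESSAGE, PPTP_MAGIC, SCCRP, 0,
    PPTP_VERSION, 1, 0,          # version 1.0, result 1 (success), error 0
    1 | 2, 1 | 2, 1, 1,          # framing, bearer, 1 channel, firmware rev 1
    b"local".ljust(64, b"\0"), b"linux".ljust(64, b"\0"),
)

if __name__ == "__main__":
    # Replace with the scanned host's address when running against the real VPN.
    print(parse_sccrp(SAMPLE_SCCRP))
```

Note that nothing in the parsed reply identifies the pptpd build, which is exactly why a version-agnostic scanner keeps flagging the port; the evidence for a false-positive dispute is the package version plus the vendor's change log for the CVE, with this probe only documenting that the host answers as a plain PPTP responder.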
While that particular vulnerability was fixed, PPTP VPNs overall are considered less secure than alternatives.
I don’t foresee PCI Compliance wanting to make exceptions.
Even PoPToP's website recommends alternatives: http://poptop.sourceforge.net/dox/protocol-security.phtml
IPSec, OpenVPN and SSTP are alternatives. You will need to purchase a certificate as PCI Compliance fails on self-signed certificates.