A design flaw in the TCP protocol allows a simple DoS based on TCP RST. Virtually all systems are safe against this by default by purposefully violating the TCP RFC.

Simultaneously, it is impossible to check against the “real” existence of this CVE externally without carrying out the attack properly.

This means that some vulnerability scanners may report this vulnerability but in almost all cases this is a false positive (i.e., if your software stack is younger than 2004).

The issue QUA-00082054 relates to said design flaw. In almost all cases though this issue is a false positive since the underlying flaw is already well known (tracked as CVE-2004-0230 (TCP/RFC)) and virtually every system is safe against this by default.

However, it is also very hard to check against this vulnerability in a non-invasive way (i.e., without DoS-ing your assets!). Because of that Qualys errs on the side of caution. If you run a “common” setup (Linux, Windows, macOS, FreeBSD, Solaris) and the base system is not EOL, you will not be affected (without having explicitly configured the OS otherwise).

It is especially common to see this misdetection employing a Sophos UTM firewall, e.g., as a reverse-proxy before an Apache2 web server. See this Sophos support article for more information.

The issue can be mitigated by employing various standard TCP hardening steps, outlined in the Autobahn workout “Denial of service based on the TCP reset vulnerability”.