#1, 10-08-2008, 05:36 PM
jols (Registered User; Join Date: Mar 2004; Posts: 625)
Security Metrics PCI compliance - Exim fails test.

This one is driving me crazy. I've absolutely looked at everything, updated everything, checked everything, etc. But still, the last three security scans from Security Metrics return this failure:

-------
The remote host is running a version of the Exim MTA which is vulnerable to several remote buffer overflows. Specifically, if either 'headers_check_syntax' or 'sender_verify = true' is in the exim.conf file, then a remote attacker may be able to execute a classic stack-based overflow and gain inappropriate access to the machine. *** If you are running checks with safe_checks enabled, this may be a false positive as only banners were used to assess the risk! *** It is known that Exim 3.35 and 4.32 are vulnerable. Solution: Upgrade to Exim latest version Risk Factor: High
-------

-- YES - We do indeed have the latest version of Exim installed (see the version readout below).

-- YES - The following are not found in any of our configuration files for Exim: headers_check_syntax, sender_verify and also by-the-way safe_checks (This is logical, because these variables probably only apply to former versions of Exim.)

Here's the latest exim -bV readout:

---------------------------------------------
Exim version 4.69 #1 built 10-Jun-2008 11:34:56
Copyright (c) University of Cambridge 2006
Berkeley DB: Sleepycat Software: Berkeley DB 4.3.29: (September 12, 2006)
Support for: crypteq iconv() PAM Perl OpenSSL Content_Scanning Old_Demime Experimental_SPF Experimental_SRS Experimental_DomainKeys Experimental_DKIM
Lookups: lsearch wildlsearch nwildlsearch iplsearch dbm dbmnz
Authenticators: cram_md5 plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir autoreply pipe smtp
Size of off_t: 8
Configuration file is /etc/exim.conf
---------------------------------------------

Anyone know what could possibly be going on here?

Thanks very much!
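The finding quoted in post #1 says it was assessed from banners, and the two verifications the poster did by hand (is the installed version current, and are the two named options anywhere in exim.conf) can be scripted. The script below is an added example, not code from the thread, from cPanel or from SecurityMetrics. The greetings and the exim.conf fragment it runs against are constructed; the 4.33 cut-off is the release in which the 4.x fix for those 2004 overflows shipped (the thread itself names only 3.35 and 4.32); the live commands in the trailing comments assume nc is installed. How SecurityMetrics' own check reached its verdict on a 4.69 greeting is not something the thread says.

```shell
#!/bin/sh
# Added example, not from the thread or from cPanel/SecurityMetrics.
# Reproduces a banner-based Exim version check and the exim.conf grep for
# the two options named in the finding, against constructed input.

# Extract the Exim version from an SMTP greeting such as
# "220 host.example.com ESMTP Exim 4.69 Wed, 08 Oct 2008 17:36:00 -0500".
# Prints nothing if the greeting does not advertise Exim.
exim_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^220[ -].*Exim \([0-9][0-9.]*\).*/\1/p'
}

# Exit 0 if version $1 is older than version $2, comparing major.minor only
# (a patch level such as the ".1" in 4.69.1 is ignored).
version_lt() {
    a_maj=$(printf '%s' "$1" | cut -d. -f1); a_min=$(printf '%s' "$1" | cut -d. -f2)
    b_maj=$(printf '%s' "$2" | cut -d. -f1); b_min=$(printf '%s' "$2" | cut -d. -f2)
    [ "$a_maj" -lt "$b_maj" ] && return 0
    [ "$a_maj" -eq "$b_maj" ] && [ "$a_min" -lt "$b_min" ]
}

# The finding names Exim 3.35 and 4.32. The 4.x fix for those 2004 stack
# overflows shipped in 4.33, so flag any advertised version below 4.33
# (which also covers every 3.x release). Exit 0 = flagged, 1 = clear,
# 2 = not an Exim greeting, nothing to decide.
banner_flagged() {
    v=$(exim_version_from_banner "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" "4.33"
}

# The two main-section options the finding refers to. Current Exim 4 does
# these checks through ACL conditions (verify = header_syntax, verify =
# sender) rather than these options, so on a 4.69 box this should find nothing.
conf_has_risky_options() {
    grep -Eq '^[[:space:]]*(headers_check_syntax|sender_verify[[:space:]]*=[[:space:]]*true)' "$1"
}

# --- demo on constructed input (not captured from the poster's server) ---
for b in '220 host.example.com ESMTP Exim 4.69 Wed, 08 Oct 2008 17:36:00 -0500' \
         '220 host.example.com ESMTP Exim 4.32 Wed, 08 Oct 2008 17:36:00 -0500'; do
    if banner_flagged "$b"; then verdict=flagged; else verdict=clear; fi
    printf 'greeting advertises Exim %s -> %s\n' "$(exim_version_from_banner "$b")" "$verdict"
done

conf=$(mktemp)
cat > "$conf" <<'EOF'
# constructed exim.conf fragment
primary_hostname = host.example.com
acl_smtp_rcpt = acl_check_rcpt
EOF
if conf_has_risky_options "$conf"; then
    echo "exim.conf: headers_check_syntax or sender_verify = true is present"
else
    echo "exim.conf: neither flagged option is present"
fi
rm -f "$conf"

# On the real box the same two checks are:
#   exim -bV | head -n 1
#   grep -nE '^[[:space:]]*(headers_check_syntax|sender_verify)' /etc/exim.conf
# and the string a scanner actually sees is the port-25 greeting, e.g.
# (nc assumed installed; the sleep lets the greeting arrive before QUIT):
#   (sleep 2; printf 'QUIT\r\n') | nc -w 3 mail.example.com 25 | head -n 1
# If exim.conf sets a custom smtp_banner, that is what to compare against.
```

The greeting check and the `exim -bV` line can disagree only if `smtp_banner` was customised, so when a scanner report and `exim -bV` do not match, the port-25 greeting is the thing to look at first.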
#2, 10-09-2008, 02:53 PM
SB-Nick (Registered User; Join Date: Aug 2008; Posts: 90)
Hello,

It looks like a false positive from your PCI compliance company. I suggest you contact them and request that they perform a manual PCI compliance scan for that vulnerability in particular.
__________________
:: Server Buddies ::

Server Management & Monitoring

.Dedicated Server Solutions At Affordable Rates.
#3, 10-30-2008, 08:20 PM
procam (Registered User; Join Date: Nov 2003; Posts: 126)
Quote: Originally Posted by jols (post #1 above, quoted in full)
For those rushing to comply before the deadline: if this is your only issue (the Exim false positive), most likely you will not be able to get a reply from Security Metrics by email or phone, as I was unable to for the past few weeks. Simply shut down Exim and rerun the test; after you are cleared, print the test and fax it in, then restart Exim. Easier than spending days trying to reach these fools that won't answer the phone or email for manual approval.
#4, 10-31-2008, 12:34 AM
jen@draknet (Registered User; Join Date: Oct 2008; Posts: 1)
Weird - I had no problem getting them on the phone, and no problem passing the PCI compliance, either.

The only part I failed was that the VBulletin login on my forum wasn't encrypted which, in and of itself, appears to have bloody nothing to do with credit card security but, hey, whatever floats their boat.
#5, 10-31-2008, 12:41 AM
cpanelnick (cPanel Staff; Join Date: Feb 2003; Location: Houston, TX; Posts: 4,303)
The cPanel 11.24 release notes may be relevant to this discussion:

http://www.cpanel.net/products/cpwhm...html#id3334707
__________________
-Nick
cPanel Inc.

Need support? Submit a request here. These forums are not an official support channel.
#6, 11-07-2008, 12:21 PM
innsites (Registered User; Join Date: Nov 2005; Posts: 51)
PCI & Exim (securitymetrics)

My last holdup on being certified was the Exim risk factor. If you are running 4.69 and do not have 'headers_check_syntax' or 'sender_verify = true' in exim.conf, the only way to get certified with SecurityMetrics was to call tech support and forward a copy of the exim -bV results to the tech by email. THAT SAID, the tech I spoke with today said they would REDUCE the risk factor for this particular vulnerability so that it would not be a holdup to certification in the future.

ALL SET. PCI Certification on cPanel complete.

KTC
http://siteworks.com
#7, 12-12-2008, 12:55 AM
brejman (Registered User; Join Date: Apr 2005; Posts: 3)
Had the same problem. I changed two things at the same time, so I'm not sure exactly which one fixed the issue; it worked, so I didn't care to test them individually... lol

1. WHM >> Security Center >> SMTP Tweak: enable that.

2. On the domain/host you gave to SM, make sure under cPanel >> Default Address that all unrouted mail is set to fail with a message.

I originally had mine set to black hole. What the PCI scanner is looking for is the error message a mail server gives if there is no such user; if you have it set to black hole, it assumes it is relaying mail, but in fact it really isn't...

I actually had that error message plus a few more. I changed these two settings and all the Exim mail server issues (I had) with the Security Metrics PCI scanner were resolved.
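Post #7's second step comes down to what an outside scanner sees at RCPT TO time for a recipient that does not exist: with the default address set to :blackhole: (or to a catch-all) the server answers 2xx and takes the mail, with it set to fail the server answers 5xx carrying the "no such user" message. The script below is an added example, not from the thread or from cPanel. It classifies a captured reply stream from such a probe, runs on two constructed reply streams (the 550 text is illustrative, not copied from cPanel's configuration), and includes the nc-based probe (nc assumed installed) that would produce a real one; the sleeps in it are there because Exim, with its default smtp_enforce_sync, drops a client that sends a command before reading the previous reply.

```shell
#!/bin/sh
# Added example, not from the thread or from cPanel. Classifies what an
# external scanner sees when it offers RCPT TO for a user that does not
# exist, from the server's reply stream, and shows how to capture one.

# Reply stream format: the raw server side of the session, one reply per
# line (what "nc host 25" prints). Continuation lines of a multi-line reply
# look like "250-..."; only the final "NNN " line of each reply counts.
final_reply_codes() {
    awk '/^[0-9][0-9][0-9] / { print substr($1, 1, 3) }' "$1"
}

# With the fixed probe sequence used below (EHLO, MAIL FROM, RCPT TO, QUIT)
# the final replies arrive in the order greeting, EHLO, MAIL, RCPT, QUIT, so
# the RCPT verdict is the 4th code, provided the first three succeeded.
# Prints nothing if the session never reached RCPT.
rcpt_reply_code() {
    codes=$(final_reply_codes "$1" | tr '\n' ' ')
    set -- $codes
    case "$1 $2 $3" in
        220\ 2??\ 2??) printf '%s\n' "$4" ;;
        *) : ;;
    esac
}

# Map the RCPT code to what an outside observer concludes. 2xx: the server
# takes mail for a nonexistent user (catch-all or :blackhole:). 5xx: the
# recipient was refused, which is the "no such user" error post #7 refers to.
rcpt_verdict() {
    code=$(rcpt_reply_code "$1")
    case "$code" in
        2??) echo "accepted: unknown recipient taken ($code), catch-all or blackhole" ;;
        5??) echo "rejected: unknown recipient refused ($code)" ;;
        4??) echo "deferred: temporary failure ($code)" ;;
        *)   echo "no RCPT reply found" ;;
    esac
}

# --- constructed reply streams (not captured from a real server; the 550
# text is illustrative, not cPanel's wording) ---
blackhole=$(mktemp); fail=$(mktemp)
cat > "$blackhole" <<'EOF'
220 host.example.com ESMTP Exim 4.69 Fri, 12 Dec 2008 00:55:00 -0600
250-host.example.com Hello probe.example.net [192.0.2.10]
250-SIZE 52428800
250-PIPELINING
250 HELP
250 OK
250 Accepted
221 host.example.com closing connection
EOF
cat > "$fail" <<'EOF'
220 host.example.com ESMTP Exim 4.69 Fri, 12 Dec 2008 00:55:00 -0600
250-host.example.com Hello probe.example.net [192.0.2.10]
250-SIZE 52428800
250-PIPELINING
250 HELP
250 OK
550 No Such User Here
221 host.example.com closing connection
EOF
printf 'default address :blackhole: -> %s\n' "$(rcpt_verdict "$blackhole")"
printf 'default address :fail:      -> %s\n' "$(rcpt_verdict "$fail")"
rm -f "$blackhole" "$fail"

# Capture a real reply stream from a host outside the server (the scanner's
# vantage point). Assumes nc is installed. The sleeps matter: Exim's default
# smtp_enforce_sync drops a client that sends a command before reading the
# previous reply, so the commands cannot simply be sent in one write.
probe_rcpt() {   # usage: probe_rcpt mail.example.com example.com > replies.txt
    {
        sleep 2
        printf 'EHLO probe.example.net\r\n';               sleep 1
        printf 'MAIL FROM:<probe@probe.example.net>\r\n';  sleep 1
        printf 'RCPT TO:<nosuchuser-%s@%s>\r\n' "$$" "$2"; sleep 1
        printf 'QUIT\r\n';                                 sleep 1
    } | nc -w 5 "$1" 25 | tr -d '\r'
}
```

For the local side of the same question, `exim -bt nosuchuser@example.com` shows how the router handles an unknown local part after the default address is changed, and `exim -bh 192.0.2.10` runs a simulated SMTP session from that address on standard input without needing a second host. Whether a 2xx to an unknown recipient is itself a PCI finding is the scanner's call; the thread only reports that changing the default address from black hole to fail made the Exim items disappear.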
Powered by vBulletin® Version 3.8.2
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
© cPanel Inc