Thread: Security Metrics PCI compliance - Exim fails test.

  1. #1
    Registered Member
    Join Date
    Mar 2004
    Posts
    1,067

    Default Security Metrics PCI compliance - Exim fails test.

    This one is driving me crazy. I've absolutely looked at everything, updated everything, checked everything, etc. But still, the last three security scans from Security Metrics return this failure:

    -------
    The remote host is running a version of the Exim MTA which is vulnerable to several remote buffer overflows. Specifically, if either 'headers_check_syntax' or 'sender_verify = true' is in the exim.conf file, then a remote attacker may be able to execute a classic stack-based overflow and gain inappropriate access to the machine. *** If you are running checks with safe_checks enabled, this may be a false positive as only banners were used to assess the risk! *** It is known that Exim 3.35 and 4.32 are vulnerable. Solution: Upgrade to Exim latest version Risk Factor: High
    -------

    -- YES - We do indeed have the latest version of Exim installed (see the version readout below).

    -- YES - The following are not found in any of our configuration files for Exim: headers_check_syntax, sender_verify and also by-the-way safe_checks (This is logical, because these variables probably only apply to former versions of Exim.)

    Here's the latest exim -bV readout:

    ---------------------------------------------
    Exim version 4.69 #1 built 10-Jun-2008 11:34:56
    Copyright (c) University of Cambridge 2006
    Berkeley DB: Sleepycat Software: Berkeley DB 4.3.29: (September 12, 2006)
    Support for: crypteq iconv() PAM Perl OpenSSL Content_Scanning Old_Demime Experimental_SPF Experimental_SRS Experimental_DomainKeys Experimental_DKIM
    Lookups: lsearch wildlsearch nwildlsearch iplsearch dbm dbmnz
    Authenticators: cram_md5 plaintext spa
    Routers: accept dnslookup ipliteral manualroute queryprogram redirect
    Transports: appendfile/maildir autoreply pipe smtp
    Size of off_t: 8
    Configuration file is /etc/exim.conf
    ---------------------------------------------

    Anyone know what could possibly be going on here?

    Thanks very much!
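    The two checks the poster describes (version from exim -bV, and the flagged options in exim.conf) as a small shell script. This is an added example, not code from the thread or from Exim; the exim -bV output and both config snippets are constructed stand-ins, and the version cut-off 4.33 is my reading of "3.35 and 4.32 are vulnerable" in the scanner text.

```shell
#!/bin/sh
# Added example (not from the thread): check, locally, the two conditions the
# scanner's finding names: an Exim version no newer than the vulnerable 4.32,
# and an uncommented 'headers_check_syntax' or 'sender_verify = true' in the
# config. Real use would read `exim -bV` and /etc/exim.conf; both constructed here.

# Constructed stand-in for `exim -bV` output (only the first line is parsed).
BV_OUTPUT='Exim version 4.69 #1 built 10-Jun-2008 11:34:56
Configuration file is /etc/exim.conf'

# Constructed config with the flagged option commented out (should not flag) ...
CONF_CLEAN='primary_hostname = mail.example.com
# sender_verify = true
acl_smtp_rcpt = acl_check_rcpt'

# ... and one that really sets it (should flag).
CONF_FLAGGED='primary_hostname = mail.example.com
sender_verify = true'

# exim_version "<exim -bV output>" -> prints the version number, e.g. 4.69
exim_version() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B -> success if A >= B, comparing dotted components numerically
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n1)" = "$1" ]
}

# config_has_flagged_option "<config text>" -> success if an uncommented line
# sets headers_check_syntax or sender_verify = true
config_has_flagged_option() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
      | grep -Eq '^[[:space:]]*(headers_check_syntax|sender_verify[[:space:]]*=[[:space:]]*true)'
}

# exim_finding_applies "<bV output>" "<config text>" -> success only if the
# version is not newer than 4.32 AND a flagged option is present
exim_finding_applies() {
    v=$(exim_version "$1")
    if version_ge "$v" "4.33"; then
        return 1   # newer than the releases the finding names as vulnerable
    fi
    config_has_flagged_option "$2"
}
```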

  2. #2
    Registered Member SB-Nick's Avatar
    Join Date
    Aug 2008
    Posts
    134
    cPanel/WHM Access Level

    Root Administrator

    Default

    Hello,

    It looks like a false positive from your PCI compliance company. I suggest you contact them and request that they perform a manual PCI compliance scan for that vulnerability in particular.
    :: Server Buddies ::

    Server Management & Monitoring

    .Dedicated Server Solutions At Affordable Rates.

  3. #3
    Registered Member
    Join Date
    Nov 2003
    Posts
    130

    Default

    Quote Originally Posted by jols
    This one is driving me crazy. I've absolutely looked at everything, updated everything, checked everything, etc. But still, the last three security scans from Security Metrics return this failure:

    -------
    The remote host is running a version of the Exim MTA which is vulnerable to several remote buffer overflows. Specifically, if either 'headers_check_syntax' or 'sender_verify = true' is in the exim.conf file, then a remote attacker may be able to execute a classic stack-based overflow and gain inappropriate access to the machine. *** If you are running checks with safe_checks enabled, this may be a false positive as only banners were used to assess the risk! *** It is known that Exim 3.35 and 4.32 are vulnerable. Solution: Upgrade to Exim latest version Risk Factor: High
    -------

    -- YES - We do indeed have the latest version of Exim installed (see the version readout below).

    -- YES - The following are not found in any of our configuration files for Exim: headers_check_syntax, sender_verify and also by-the-way safe_checks (This is logical, because these variables probably only apply to former versions of Exim.)

    Here's the latest exim -bV readout:

    ---------------------------------------------
    Exim version 4.69 #1 built 10-Jun-2008 11:34:56
    Copyright (c) University of Cambridge 2006
    Berkeley DB: Sleepycat Software: Berkeley DB 4.3.29: (September 12, 2006)
    Support for: crypteq iconv() PAM Perl OpenSSL Content_Scanning Old_Demime Experimental_SPF Experimental_SRS Experimental_DomainKeys Experimental_DKIM
    Lookups: lsearch wildlsearch nwildlsearch iplsearch dbm dbmnz
    Authenticators: cram_md5 plaintext spa
    Routers: accept dnslookup ipliteral manualroute queryprogram redirect
    Transports: appendfile/maildir autoreply pipe smtp
    Size of off_t: 8
    Configuration file is /etc/exim.conf
    ---------------------------------------------

    Anyone know what could possibly be going on here?

    Thanks very much!
    For those rushing to comply before the deadline: if this is your only issue (the Exim false positive), most likely you will not be able to get a reply from Security Metrics by email or phone, as I was unable to for the past few weeks. Simply shut down Exim and rerun the test. After you are cleared, print the test and fax it in, then restart Exim. Easier than spending days trying to reach these fools that won't answer the phone or email for manual approval.

  4. #4
    Registered User
    Join Date
    Oct 2008
    Posts
    1

    Default

    Weird - I had no problem getting them on the phone, and no problem passing the PCI compliance, either.

    The only part I failed was that the VBulletin login on my forum wasn't encrypted which, in and of itself, appears to have bloody nothing to do with credit card security but, hey, whatever floats their boat.

  5. #5
    cPanel Staff cPanelNick's Avatar
    Join Date
    Feb 2003
    Location
    Houston, TX
    Posts
    4,852

    Default

    The cPanel 11.24 release notes may be relevant to this discussion:

    http://www.cpanel.net/products/cpwhm...html#id3334707
    -Nick
    cPanel Inc.

    Need support? Submit a request here. Complimentary support is available to all license holders regardless of where you purchased your license.
    Need a complimentary support account? Create one here.

  6. #6
    Registered Member
    Join Date
    Nov 2005
    Posts
    57

    Default PCI & Exim (securitymetrics)

    My last holdup on being certified was the Exim risk factor. If you are running 4.69 and do not have 'headers_check_syntax' or 'sender_verify = true' in exim.conf, the only way to get certified with SecurityMetrics was to call tech support and forward a copy of the exim -bV results to the tech by email. THAT SAID, the tech I spoke with today said they would REDUCE the risk factor for this particular vulnerability so that it would not be a holdup to certification in the future.

    ALL SET. PCI Certification on cPanel complete.

    KTC
    http://siteworks.com

  7. #7
    Registered User
    Join Date
    Apr 2005
    Posts
    3

    Default

    Had the same problem; changed two things at the same time, so not sure exactly which one fixed that issue. It worked, so I didn't care to test individually... lol

    1. WHM >> Security Center >> SMTP Tweak: enable that

    2. On the domain/host you gave to SM, make sure under cPanel >> Default Address that all unrouted mail is set to fail with a message.

    I originally had mine set to black hole. What the PCI scanner is looking for is the error message a mail server gives if there is no such user; if you have it set to black hole, it assumes it is relaying mail, but in fact it really isn't...

    I actually had that error message plus a few more. I changed these two settings and all the Exim mail server issues (I had) with the Security Metrics PCI scanner were resolved.
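    The behaviour the post above describes, as an added example that is not part of the thread or of cPanel: from a captured SMTP session, classify whether the server rejected (5xx) or accepted (2xx) RCPT TO for a recipient that does not exist, which is the difference between "fail with a message" and a black-hole default address. Both session transcripts are constructed; the scanner's own probe logic is not known from the thread and is not reproduced.

```shell
#!/bin/sh
# Added example (not from the thread): classify how a server answered
# RCPT TO for a nonexistent recipient. A "fail with message" default
# address yields a 5xx rejection; a black-hole catch-all accepts (2xx),
# which a scanner can read as the server relaying for unknown users.
# Transcripts are constructed; "C:" lines are the client, "S:" the server.

SESSION_REJECT='S: 220 mail.example.com ESMTP Exim 4.69
C: EHLO scanner.example.net
S: 250 mail.example.com Hello scanner.example.net
C: MAIL FROM:<probe@example.net>
S: 250 OK
C: RCPT TO:<nosuchuser@example.com>
S: 550 Unrouteable address
C: QUIT
S: 221 mail.example.com closing connection'

SESSION_ACCEPT='S: 220 mail.example.com ESMTP Exim 4.69
C: EHLO scanner.example.net
S: 250 mail.example.com Hello scanner.example.net
C: MAIL FROM:<probe@example.net>
S: 250 OK
C: RCPT TO:<nosuchuser@example.com>
S: 250 Accepted
C: QUIT
S: 221 mail.example.com closing connection'

# rcpt_reply "<transcript>" -> prints the 3-digit server reply code to RCPT TO
rcpt_reply() {
    printf '%s\n' "$1" | awk '
        /^C: RCPT TO:/ { want = 1; next }
        want && /^S: / { print substr($2, 1, 3); exit }'
}

# rcpt_verdict "<transcript>" -> "rejected" (5xx), "accepted" (2xx) or "unknown"
rcpt_verdict() {
    case "$(rcpt_reply "$1")" in
        5??) echo rejected ;;
        2??) echo accepted ;;
        *)   echo unknown ;;
    esac
}
```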
