cpanel software not up to date enough for Security Metric report

prodigious

Member
Feb 7, 2005
17
0
151
Hi everyone,

A client of mine is unable to use her SSL as her bank requires she pass this 3rd party Security Metrics test of her web server.

Among other things, here are the main issues:

*Removing mod_frontpage as it is vulnerable to buffer overflow

* Remote SSH is prone to x11 session hijacking. Upgrade to openSSH 5.0 or later

* Disable TRACE and TRACK methods - subject to cross site scripting attacks

* Apache can be used to guess presence of a given user name. Set UserDir to disabled.

* Disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead

* Upgrade OpenSSL to 0.9.6m or 0.9.7d or newer


I contacted my hosting company and they said other than UserDir and TRACE/TRACK, the rest has to be done via cpanel when they push through a new update.

Has anyone dealt with these reports / issues before? I would hate to have to tell my client I can't get her to pass because cpanel doesn't have the updated software in place yet, but it's looking like I will have to wait for cpanel to update rather than do it myself.

Thanks in advance..
Mike
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,608
77
308
cPanel Access Level
Root Administrator
We won't update OpenSSH. That is software provided by the Operating System Vendor ( e.g. RedHat, CentOS, etc).

Much of your requirements are met by the interfaces in cPanel 11.24. Also, the following documents might assist you in your analysis:

http://www.cpanel.net/support/docs/notes/pci-falsepositives.htm#openssl
http://www.cpanel.net/support/docs/notes/pci-falsepositives.htm#frontpage

Further, reading and understanding the PCI Compliance specification, or hiring someone with that knowledge, will help you tremendously in providing answers to the Auditing companies.

Last, search the forum for PCI related posts as the matters you posted have been discussed many times.
 
Last edited:

prodigious

Member
Feb 7, 2005
17
0
151
Hi Kenneth,

Thank you for your help, it is much appreciated.

I checked that PCI page you linked to and it looks like my installation of OpenSSL is 0.9.7a and does not contain the bugfixes needed. They also say "legacy" at the end when I grep what versions I have.

I have now upgraded to cPanel 11.24.4-C32486 - WHM 11.24.2 - X 3.9, but the outdated version of openSSL remains. Do you have any tips on how to get a newer version installed easily?

I'm betting that if I change my OS from Redhat 9 to CentOS or another that is still being updated, it may fix the OpenSSH issue.

I will do searches on other PCI compliance threads - thanks for the tip.

-Mike
 

bvierra

Well-Known Member
Jul 28, 2006
55
1
158
Southern California
Hi Kenneth,

Thank you for your help, it is much appreciated.

I checked that PCI page you linked to and it looks like my installation of OpenSSL is 0.9.7a and does not contain the bugfixes needed. They also say "legacy" at the end when I grep what versions I have.

I have now upgraded to cPanel 11.24.4-C32486 - WHM 11.24.2 - X 3.9, but the outdated version of openSSL remains. Do you have any tips on how to get a newer version installed easily?

I'm betting that if I change my OS from Redhat 9 to CentOS or another that is still being updated, it may fix the OpenSSH issue.

I will do searches on other PCI compliance threads - thanks for the tip.

-Mike
RH9 is EOL by RedHat... That is why there is no update. You need to update your OS to one that is still supported.
 

StevenC

Well-Known Member
Jan 1, 2004
252
0
166
The openssh issue won't go away on centos as they still use backported patches. You can however manually compile openssh and openssl and get rid of the alert.

However if you are still running RH9 you are likely vulnerable to other exploits and I seriously recommend doing an upgrade via yum to at least rhel3 if not rhel4. The upgrade to rhel3 is quite easy, the upgrade to rhel4 takes a little more time and effort!

I hope this helped!