cpanel software not up to date enough for Security Metric report

[prodigious]

Hi everyone,

A client of mine is unable to use her SSL as her bank requires she pass this 3rd party Security Metrics test of her web server.

Among other things, here are the main issues:

*Removing mod_frontpage as it is vulnerable to buffer overflow

* Remote SSH is prone to x11 session hijacking. Upgrade to openSSH 5.0 or later

* Disable TRACE and TRACK methods - subject to cross site scripting attacks

* Apache can be used to guess presence of a given user name. Set UserDir to disabled.

* Disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead

* Upgrade OpenSSL to 0.9.6m or 0.9.7d or newer


I contacted my hosting company and they said other than UserDir and TRACE/TRACK, the rest has to be done via cpanel when they push through a new update.

Has anyone dealt with these reports / issues before? I would hate to have to tell my client I can't get her to pass because cpanel doesn't have the updated software in place yet, but it's looking like I will have to wait for cpanel to update rather than do it myself.

Thanks in advance..
Mike

 

[cPanelKenneth]

We won't update OpenSSH. That is software provided by the Operating System Vendor ( e.g. RedHat, CentOS, etc).

Much of your requirements are met by the interfaces in cPanel 11.24. Also, the following documents might assist you in your analysis:

http://www.cpanel.net/support/docs/notes/pci-falsepositives.htm#openssl
http://www.cpanel.net/support/docs/notes/pci-falsepositives.htm#frontpage

Further, reading and understanding the PCI Compliance specification, or hiring someone with that knowledge, will help you tremendously in providing answers to the Auditing companies.

Last, search the forum for PCI related posts as the matters you posted have been discussed many times.

 

[prodigious]

Hi Kenneth,

Thank you for your help, it is much appreciated.

I checked that PCI page you linked to and it looks like my installation of OpenSSL is 0.9.7a and does not contain the bugfixes needed. They also say "legacy" at the end when I grep what versions I have.

I have now upgraded to cPanel 11.24.4-C32486 - WHM 11.24.2 - X 3.9, but the outdated version of openSSL remains. Do you have any tips on how to get a newer version installed easily?

I'm betting that if I change my OS from Redhat 9 to CentOS or another that is still being updated, it may fix the OpenSSH issue.

I will do searches on other PCI compliance threads - thanks for the tip.

-Mike

 

[bvierra]

Hi Kenneth,

Thank you for your help, it is much appreciated.

I checked that PCI page you linked to and it looks like my installation of OpenSSL is 0.9.7a and does not contain the bugfixes needed. They also say "legacy" at the end when I grep what versions I have.

I have now upgraded to cPanel 11.24.4-C32486 - WHM 11.24.2 - X 3.9, but the outdated version of openSSL remains. Do you have any tips on how to get a newer version installed easily?

I'm betting that if I change my OS from Redhat 9 to CentOS or another that is still being updated, it may fix the OpenSSH issue.

I will do searches on other PCI compliance threads - thanks for the tip.

-Mike

RH9 is EOL by RedHat... That is why there is no update. You need to update your OS to one that is still supported.

 

[StevenC]

The openssh issue won't go away on centos as they still use backported patches. You can however manually compile openssh and openssl and get rid of the alert.

However if you are still running RH9 you are likely vulnerable to other exploits and I seriously recommend doing an upgrade via yum to at least rhel3 if not rhel4. The upgrade to rhel3 is quite easy, the upgrade to rhel4 takes a little more time and effort!

I hope this helped!

 

[cPanelKenneth]

The openssh issue won't go away on centos as they still use backported patches.!

That's known as a false positive and should be reported as such to to the auditing company.