The Community Forums

Interact with an entire community of cPanel & WHM users!

cpanel software not up to date enough for Security Metric report

Discussion in 'Security' started by prodigious, Dec 16, 2008.

  1. prodigious

    prodigious Member

    Hi everyone,

    A client of mine is unable to use her SSL as her bank requires she pass this 3rd party Security Metrics test of her web server.

    Among other things, here are the main issues:

    * Removing mod_frontpage as it is vulnerable to buffer overflow
    * Remote SSH is prone to X11 session hijacking. Upgrade to OpenSSH 5.0 or later
    * Disable TRACE and TRACK methods - subject to cross site scripting attacks
    * Apache can be used to guess presence of a given user name. Set UserDir to disabled.
    * Disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead
    * Upgrade OpenSSL to 0.9.6m or 0.9.7d or newer

    I contacted my hosting company and they said other than UserDir and TRACE/TRACK, the rest has to be done via cPanel when they push through a new update.

    Has anyone dealt with these reports / issues before? I would hate to have to tell my client I can't get her to pass because cPanel doesn't have the updated software in place yet, but it's looking like I will have to wait for cPanel to update rather than do it myself.

    Thanks in advance.
    Mike
     
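The items the host said can be fixed in Apache configuration (TRACE/TRACK and UserDir), plus the SSL 2.0 item, as an added audit script that is not part of this thread and not cPanel's own tooling. It assumes the directives live in one httpd.conf, that `mktemp` is available, and that `TraceEnable off` is supported by the Apache build (2.0.55 and later); the two sample configs are constructed to show the weak settings beside the corrected ones.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel: audit an httpd.conf
# for the findings that are fixable in Apache config (TRACE/TRACK, UserDir)
# plus the SSL 2.0 item. Prints one line per finding that remains.
audit_httpd_conf() {
  # Drop comments so a commented-out directive does not count as active.
  live=$(sed 's/#.*//' "$1")
  has() { printf '%s\n' "$live" | grep -Eiq "$1"; }

  # TRACE/TRACK: either TraceEnable off (Apache 2.0.55+/2.2) or the classic
  # mod_rewrite rule that returns 403 for both methods.
  if ! has '^[[:space:]]*TraceEnable[[:space:]]+off' &&
     ! has 'RewriteCond[[:space:]]+%\{REQUEST_METHOD\}.*TRACE'; then
    echo "TRACE/TRACK: not blocked; add 'TraceEnable off' or a RewriteRule returning 403"
  fi

  # UserDir: the scanner wants it disabled outright; with it enabled, /~name
  # responses differ for existing and non-existing accounts.
  if ! has '^[[:space:]]*UserDir[[:space:]]+disabled[[:space:]]*$'; then
    echo "UserDir: not set to 'disabled'"
  fi

  # SSL 2.0: within one context the last SSLProtocol directive wins, so
  # inspect the last one in the file (protocol names assumed in mod_ssl case).
  sslp=$(printf '%s\n' "$live" | grep -Ei '^[[:space:]]*SSLProtocol' | tail -n 1)
  case "$sslp" in
    "")                  echo "SSLProtocol: not set; add 'SSLProtocol all -SSLv2'" ;;
    *-SSLv2*)            : ;;   # explicitly disabled
    *[Aa][Ll][Ll]*|*SSLv2*) echo "SSLProtocol: SSL 2.0 still enabled ($sslp)" ;;
    *)                   : ;;   # explicit list that never names SSLv2
  esac
  return 0
}

# Constructed sample configs (not from any real server): weak and corrected.
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
UserDir public_html
SSLProtocol all
# TraceEnable off        <- commented out, so still a finding
EOF
cat > "$HARD_CONF" <<'EOF'
TraceEnable off
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
UserDir disabled
SSLProtocol all -SSLv2
EOF
audit_httpd_conf "$WEAK_CONF"   # three findings
audit_httpd_conf "$HARD_CONF"   # no output
```

The weak config produces three findings and the hardened one none; the OpenSSL and OpenSSH version items from the report are package questions that this script deliberately does not touch.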
  2. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    We won't update OpenSSH. That is software provided by the Operating System Vendor (e.g. RedHat, CentOS, etc.).

    Many of your requirements are met by the interfaces in cPanel 11.24. Also, the following documents might assist you in your analysis:

    http://www.cpanel.net/support/docs/notes/pci-falsepositives.htm#openssl
    http://www.cpanel.net/support/docs/notes/pci-falsepositives.htm#frontpage

    Further, reading and understanding the PCI Compliance specification, or hiring someone with that knowledge, will help you tremendously in providing answers to the auditing companies.

    Last, search the forum for PCI related posts as the matters you posted have been discussed many times.
     
    #2 cPanelKenneth, Dec 18, 2008
    Last edited: Dec 18, 2008
  3. prodigious

    prodigious Member

    Hi Kenneth,

    Thank you for your help, it is much appreciated.

    I checked that PCI page you linked to and it looks like my installation of OpenSSL is 0.9.7a and does not contain the bugfixes needed. They also say "legacy" at the end when I grep what versions I have.

    I have now upgraded to cPanel 11.24.4-C32486 - WHM 11.24.2 - X 3.9, but the outdated version of OpenSSL remains. Do you have any tips on how to get a newer version installed easily?

    I'm betting that if I change my OS from Redhat 9 to CentOS or another that is still being updated, it may fix the OpenSSH issue.

    I will do searches on other PCI compliance threads - thanks for the tip.

    -Mike
     
  4. bvierra

    bvierra Well-Known Member

    RH9 is EOL by RedHat... That is why there is no update. You need to update your OS to one that is still supported.
     
  5. StevenC

    StevenC Well-Known Member

    The OpenSSH issue won't go away on CentOS as they still use backported patches. You can, however, manually compile OpenSSH and OpenSSL and get rid of the alert.

    However, if you are still running RH9 you are likely vulnerable to other exploits and I seriously recommend doing an upgrade via yum to at least RHEL 3 if not RHEL 4. The upgrade to RHEL 3 is quite easy; the upgrade to RHEL 4 takes a little more time and effort!

    I hope this helped!
     
  6. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    That's known as a false positive and should be reported as such to the auditing company.
     