The Community Forums


OpenSSL Updates

Discussion in 'General Discussion' started by Maistre, Aug 13, 2004.

  1. Maistre

    Maistre Member

    Joined:
    Feb 22, 2003
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Las Vegas
    WHM/cPanel currently installs OpenSSL 0.9.7a. There are security issues with this build. I am unable to pass a security test from SecurityMetrics, which many credit card companies use to scan their clients for security problems.

    From Security Metrics:
    The remote host is using a version of OpenSSL which is older than 0.9.6m or 0.9.7d. There are several bugs in this version of OpenSSL which may allow an attacker to cause a denial of service against the remote host. The test server solely relied on the banner of the remote host to issue this warning. Solution: Upgrade to version 0.9.6m (0.9.7d) or newer. Risk Factor: Medium. BID: 9899

    My NOC support people tell me they cannot install 0.9.7d as it will "break" cPanel and possibly cause SSH to not function.

    Any ideas or suggestions?
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Yup, it's a bug in the security check. You'd think people would have learned that RH backports fixes by now - they've been doing it for years and are making it into an art form with RHE ;)
     
  3. Maistre

    Maistre Member

    Joined:
    Feb 22, 2003
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Las Vegas
    So basically you are saying the actual software on the server is updated to the latest version but it is retaining an old header, thus creating a false positive with regard to the security scan.

    Is this correct?

    Amazing that it just can't report an accurate picture of what is really on the server.

    Thank you for your insight.
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It's not inaccurate, because Red Hat do qualify the version number with a number of their own if you check the rpm. It's just that the security scan is making an assumption where it should not. It should check on the server whether it is vulnerable, but is obviously only doing a cursory rather than an in-depth scan for vulnerabilities. It is definitely the security scanner that is at fault here, not the OS.
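The mechanism chirpy describes in this reply and in reply 2 (a banner-only scanner compares the upstream version string, while the vendor carries the backported fix in its own release suffix on the RPM) can be shown side by side. The following is an added example written for this thread; it is not code from the forum, cPanel, SecurityMetrics or Red Hat. The banner, the RPM name-version-release string and the "fixed in vendor release" table are constructed sample data, and the vendor release numbers in that table are hypothetical placeholders, not real Red Hat errata values. Only the upstream thresholds (0.9.6m / 0.9.7d for BID 9899) come from the scanner text quoted in the first post.

```python
"""Banner check vs. package check for a backport-patched OpenSSL.

Added example, not from the thread or from cPanel/Red Hat. The banner, the
RPM name-version-release string and the "fixed in vendor release" table below
are constructed sample data; the vendor release numbers are hypothetical.
"""
import re

# Upstream fix thresholds quoted by the scanner in the thread: 0.9.6m / 0.9.7d.
UPSTREAM_FIXED_LETTER = {(0, 9, 6): "m", (0, 9, 7): "d"}

# Hypothetical vendor table (constructed): the vendor-qualified release in
# which the fix for BID 9899 was backported to the named upstream version.
# A real check would consult the vendor's errata or the package changelog.
VENDOR_FIXED_RELEASE = {"0.9.7a": "33.17"}


def parse_version(version):
    """'0.9.7a' -> ((0, 9, 7), 'a'); the trailing letter is OpenSSL's patch suffix."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    return tuple(int(x) for x in m.group(1).split(".")), m.group(2)


def banner_verdict(banner):
    """What a banner-only scanner concludes: True means 'flagged vulnerable'.

    It sees only the upstream version, so 0.9.7a < 0.9.7d is flagged even
    when the vendor has backported the fix into its 0.9.7a package.
    """
    m = re.search(r"OpenSSL\s+(\d[\w.]*)", banner)
    if not m:
        raise ValueError(f"no OpenSSL version in banner: {banner!r}")
    branch, letter = parse_version(m.group(1))
    fixed_letter = UPSTREAM_FIXED_LETTER.get(branch)
    if fixed_letter is None:
        return False  # branch not covered by this advisory's thresholds
    return letter < fixed_letter


def parse_nevr(nevr):
    """'openssl-0.9.7a-33.24' -> ('openssl', '0.9.7a', '33.24')."""
    name, version, release = nevr.rsplit("-", 2)
    return name, version, release


def release_key(release):
    """Sort key so vendor releases compare numerically per segment: '33.24' > '33.9'."""
    return tuple((0, int(x)) if x.isdigit() else (1, x) for x in release.split("."))


def package_verdict(nevr, fixed_table=VENDOR_FIXED_RELEASE):
    """What a package-level check concludes from the vendor-qualified release."""
    name, version, release = parse_nevr(nevr)
    if name != "openssl":
        raise ValueError(f"not an openssl package: {nevr!r}")
    fixed = fixed_table.get(version)
    if fixed is None:
        # No backport known for this upstream version: fall back to upstream logic.
        return banner_verdict(f"OpenSSL {version}")
    return release_key(release) < release_key(fixed)


def assess(banner, nevr):
    """Both verdicts; banner 'vulnerable' with package 'fixed' is the false positive."""
    b, p = banner_verdict(banner), package_verdict(nevr)
    return {"banner_flags": b, "package_flags": p, "false_positive": b and not p}


if __name__ == "__main__":
    # Constructed sample: banner still says 0.9.7a, RPM release is past the
    # hypothetical backport release, so only the banner check flags it.
    print(assess("OpenSSL 0.9.7a Feb 19 2003", "openssl-0.9.7a-33.24"))
```

On a real Red Hat system the authoritative evidence is the package changelog rather than any table like the one above: `rpm -q --changelog openssl` lists the advisories the vendor has backported, and that is what a scanner with host access should consult instead of the version banner.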
     