
PCI Compliance - Bind Failed

Discussion in 'Security' started by rezman, Oct 17, 2011.

  1. rezman

    rezman Well-Known Member

    I got a report from Trustwave.com from a client that a few items failed. I was able to fix all of them but Bind.

    What failed:
    Code:
    Multiple Vendors BIND 'inet_network()'
    Off-by-One Buffer Overflow
    Vulnerability, CVE-2008-0122
    [url=http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0122]National Vulnerability Database (NVD) National Vulnerability Database (CVE-2008-0122)[/url]
    Code:
    ISC BIND Out-Of-Bailiwick Data
    Handling Error, CVE-2010-0382
    [url=http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0382]National Vulnerability Database (NVD) National Vulnerability Database (CVE-2010-0382)[/url]
    Code:
    BIND OpenSSL DSA_do_verify and
    EVP_VerifyFinal Function Signature
    Verification Vulnerability, CVE-2009-0025
    [url=http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3614]National Vulnerability Database (NVD) National Vulnerability Database (CVE-2010-3614)[/url]
    I'm sure a simple update of bind will fix this. Does cPanel have any scripts to update this? What would be the best way to go about updating this?

    I'm currently running: BIND 9.3.6-P1-RedHat-9.3.6-16.P1.el5
    I have two servers running this version and they are set up as a DNS cluster. So I would need to update both obviously.

    Update Preferences:
    - Release Tier: RELEASE
    - Daily Updates: Update cPanel & WHM daily

    Also would changing Release Tier to "Current" be any better?
     
  2. rezman

    rezman Well-Known Member

    I've noticed over here in this older thread (which I can't reply in) it seems some of the PCI failures are false positives. I have opened disputes for the ones where I have found evidence of fixes in changelogs, but I can't find anything for CVE-2009-0025.

    Also will running /scripts/nsdup safely update my bind? (in theory)
     
  3. mtindor

    mtindor Well-Known Member

    Running /scripts/nsdup will not update Bind. In cPanel you have the choice of using Bind or NSD. If you're using Bind, you don't want to run /scripts/nsdup.

    CVE-2009-0025 was resolved in Bind 9.3.6-P1. Since you're running 9.3.6-16-P1 (newer), you're good to go. Unfortunately you can't just simply show them the output of "rpm -q --changelog bind |grep CVE" since CVE-2009-0025 isn't one of the ones listed in the Changelog.

    Just let your compliance testing place know that you're running Bind 9.3.6-16-P1. They can do the investigative work to prove to themselves that it includes the CVE-2009-0025 patch I would presume.

    M
     
  4. SB-Nick

    SB-Nick Well-Known Member

    Actually copying the --changelog to them showing the CVE number works on several PCI companies.
    I would also show them the RPM version so they can notice it's a RHEL system which has their patches backported.
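
The changelog check discussed in the replies above, as an added example that is not part of any post or of cPanel's tooling: it matches the CVE IDs a scanner reports against RPM changelog text and prints which package release names each one. The function names, the output format, and the sample changelog (constructed, with placeholder releases) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). On a real host, feed it the package
# changelog:  rpm -q --changelog bind | cve_evidence CVE-2008-0122 CVE-2009-0025

# cve_evidence CVE-ID...   (RPM changelog text on stdin)
# Prints "<CVE> LISTED <release>" using the oldest changelog entry naming the
# CVE, or "<CVE> NOT-LISTED". Returns 1 if any CVE is not named in the changelog.
# Assumes entry headers start with "* " and end with the version-release field.
cve_evidence() {
    awk -v want="$*" '
        BEGIN { n = split(toupper(want), ids, " ") }
        /^\* / { release = $NF; next }       # remember the entry we are inside
        {
            line = toupper($0)               # changelogs are not case-consistent
            for (i = 1; i <= n; i++)
                # the trailing non-digit guard stops a longer ID from matching
                if (line ~ (ids[i] "([^0-9]|$)"))
                    found[ids[i]] = release  # newest first, so last hit is oldest
        }
        END {
            rc = 0
            for (i = 1; i <= n; i++) {
                if (ids[i] in found) printf "%s LISTED %s\n", ids[i], found[ids[i]]
                else { printf "%s NOT-LISTED\n", ids[i]; rc = 1 }
            }
            exit rc
        }'
}

# Constructed sample input in RPM changelog layout (not real BIND changelog text).
sample_changelog() {
    cat <<'EOF'
* Fri Jan 01 2010 Example Packager <pkg@example.invalid> 9.9.9-2.example
- constructed entry: fix for CVE-2010-0382
* Thu Jan 01 2009 Example Packager <pkg@example.invalid> 9.9.9-1.example
- constructed entry: inet_network() off-by-one (cve-2008-0122)
EOF
}
```

NOT-LISTED only means the changelog does not name the CVE, which is the CVE-2009-0025 situation described above; for those, the dispute has to rest on the installed version-release from `rpm -q bind` and the vendor's advisory instead.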
     
  5. Ken Shipley

    Ken Shipley Registered

    Here is what I get via security metrics:

    Description: vulnerable BIND version: 9.3.6-P1-RedHat-9.3.6-16.P1.el5 Severity: Critical Problem CVE: CVE-2009-0696 CVE-2009-4022 CVE-2010-0097 CVE-2010-3613 CVE-2010-3614

    Any suggestions?

    Thanks,
    Ken
     
  6. JerrySmith

    JerrySmith Active Member

    Hello,

    If you submit a ticket with your server login details (please do not post them here or send via PM), we can verify any vulnerability on your fixes if you provide the full PCI compliance report or excerpts from it.
     
    #6 JerrySmith, Oct 27, 2011
    Last edited by a moderator: Jan 27, 2016