PCI Compliance Fail - Ports 2083, 2087 and 2096

dhammerindy · Aug 7, 2014

I get errors in a PCI compliance scan.

"OpenSSL < 0.9.6e / 0.9.7b3 Multiple Remote Vulnerabilities"

This happens on ports 2083, 2087, 2096 but not on 22 and 443.

When I run...

rpm -q --changelog openssl | grep -B 1 CVE-2002-0656

... I get nothing. I get nothing for that and numbers 2000-535, 2001-1141, 2002-0655, 2002-0656, 2002-0657 and 2002-0659

An openssl version check gives me this...

# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

Some OS Info
2.6.32-042stab090.3 #1 SMP Fri Jun 6 09:35:21 MSK 2014 x86_64 x86_64 x86_64 GNU/Linux

WHM version 11.44.1

So is this a false positive? Is there something I need to do to fix those ports? I just want to make sure I do this right before I submit a false positive report. I had received a similar warning for bind but I checked and bind comes back as patched so that one is ok.

quizknows · Aug 7, 2014

It's got to be a false positive, those CVEs are ancient.

cPanelMichael · Aug 7, 2014

Hello

Yes, it does look like a false positive. What PCI scanning tool did you use?

Thank you.

dhammerindy · Aug 7, 2014

cPanelMichael said:
Hello

Yes, it does look like a false positive. What PCI scanning tool did you use?

Thank you.

403 Labs was used. Can you recommend another service I can use for verification purposes?

quizknows · Aug 8, 2014

What OS version are you running? Or the full RPM name for your OpenSSL version

also in your first post it seems you might be checking openSSH instead of openSSL. Make sure you're checking the right change log.

dhammerindy · Aug 9, 2014

quizknows said:
What OS version are you running? Or the full RPM name for your OpenSSL version

also in your first post it seems you might be checking openSSH instead of openSSL. Make sure you're checking the right change log.

I checked ssh but the response included openSSL info.

# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

I believe the server runs CentOS 6.

Here is everything on the openSSL rpm.

# rpm -qi openssl
Name : openssl Relocations: (not relocatable)
Version : 1.0.1e Vendor: CentOS
Release : 16.el6_5.14 Build Date: Thu 05 Jun 2014 08:59:14 AM EDT
Install Date: Fri 06 Jun 2014 12:16:37 AM EDT Build Host: c6b8.bsys.dev.centos.org
Group : System Environment/Libraries Source RPM: openssl-1.0.1e-16.el6_5.14.src.rpm
Size : 4209656 License: OpenSSL
Signature : RSA/SHA1, Thu 05 Jun 2014 09:02:17 AM EDT, Key ID 0946fca2c105b9de
Packager : CentOS BuildSystem <http://bugs.centos.org>
URL : OpenSSL: The Open Source toolkit for SSL/TLS
Summary : A general purpose cryptography library with TLS implementation
Description :
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.

cPanelMichael · Aug 12, 2014

dhammerindy said:
403 Labs was used. Can you recommend another service I can use for verification purposes?

Comodo and TrustGuard are common vendors used in the hosting industry for PCI scans. You may also find the following documents helpful:

PCI Scanning
PCI Troubleshooting

Thank you.

Thread starter	Similar threads	Forum	Replies	Date
R	Trustwave failing PCI compliance : TLSv1.0 Supported: Port: tcp/2224	Security	1	Feb 7, 2020
B	In Progress [CPANEL-26253 ] PCI compliance failure due to unsecured Horde cookies	Security	7	Mar 12, 2019
G	Trustwave failing PCI compliance SSL/TLS Weak Encryption Algorithms on Port 443	Security	2	May 10, 2018
H	PCI Compliance fail on Domain starting with 'www.' but no associated ports open	Security	2	Feb 10, 2015
M	PCI compliance test passes on port 443, but fails on ports 2087, 2083, 2096 and 2078	Security	3	Apr 28, 2014

Search

Search

PCI Compliance Fail - Ports 2083, 2087 and 2096

dhammerindy

Registered

quizknows

Well-Known Member

cPanelMichael

Administrator

dhammerindy

Registered

quizknows

Well-Known Member

dhammerindy

Registered

cPanelMichael

Administrator