PCI compliance test passes on port 443, but fails on ports 2087, 2083, 2096 and 2078

MacPhotoBiker · Apr 28, 2014

Hi,

I'm trying to get my server PCI compliant, and I'm using this scanner:

Check PCI DSS compliance - Online free pci dss compliance checker

Port 443 passes the test just fine:
"SSlv2 disabled. SSL Server won't allow Anonymous Authentication Vulnerability."

However, on ports 2087, 2083, 2096 and 2078 I receive the following error message:

SSL Server Allows Anonymous Authentication Vulnerability. A vulnerability exists in SSL communications when clients are allowed to connect using no authentication algorithm. An attacker can exploit this vulnerability to impersonate your server to clients.Please disable support for anonymous authentication.

Could you help me out to solve these issues?

Thanks a lot!

cPanelMichael · Apr 29, 2014

Hello

Are you able to use an alternate PCI scan that lists specific reasons for test failures? For instance, I do not see any references to specific CVE reports or specific attack vectors. Here is a third-party URL to an alternate PCI scan that describes how to manually check if anonymous authentication is possible:

https://community.qualys.com/docs/DOC-1097

Thank you.

MacPhotoBiker · Apr 29, 2014

Hi Michael,

thanks for pointing out that I should rather a different scanner

I just did, and I received the following two vulnerabilities:

1) rsh Service Detection rsh (8889/tcp)
CVE-1999-0651

2)OpenSSH < 5.7 Multiple Vulnerabilities ssh (2516/tcp)
CVE-2010-4478, CVE-2012-0814

I'm running a VPS on Centos 6.5.

Couldyou guide me in the right direction to solve these issues?

Thanks a lot!

cPanelMichael · May 2, 2014

Hello

It's likely reporting false positives based on the version number in cases where patches have been backported, or in cases where it does not effect the version shipped with your OS. RSH is not a standard package so you could remove it using your system package manager (YUM) if you have no specific requirement for it. CentOS 6 should not be effected by the OpenSSH CVE reports referenced:

https://access.redhat.com/security/cve/CVE-2012-0814
https://access.redhat.com/security/cve/CVE-2010-4478

In both cases it states:

Not vulnerable. This issue did not affect the versions of openssh as shipped with Red Hat Enterprise Linux 4, 5, or 6.

Thank you.

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

PCI compliance test passes on port 443, but fails on ports 2087, 2083, 2096 and 2078

MacPhotoBiker Registered

cPanelMichael Forums Analyst
Staff Member

MacPhotoBiker Registered

cPanelMichael Forums Analyst
Staff Member

TLSv1.0 - block for PCI compliance?

PCI Compliance for Passive FTP Ports

Security Metrics refuse cPanel PCI Compliance

PCI Compliance - TLS 1.0 Protocol Detection

Testing http2 question

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

PCI compliance test passes on port 443, but fails on ports 2087, 2083, 2096 and 2078

MacPhotoBiker Registered

cPanelMichael Forums Analyst Staff Member

MacPhotoBiker Registered

cPanelMichael Forums Analyst Staff Member

TLSv1.0 - block for PCI compliance?

PCI Compliance for Passive FTP Ports

Security Metrics refuse cPanel PCI Compliance

PCI Compliance - TLS 1.0 Protocol Detection

Testing http2 question

Share This Page

cPanelMichael Forums Analyst
Staff Member

cPanelMichael Forums Analyst
Staff Member