Forums
Forums

Quick Links
- Search Forums
- New Posts
Search titles only

Posted by Member:

Separate names with a comma.

Newer Than:

Search this thread only

Search this forum only

Display results as threads

More...

Useful Searches

Recent Posts
Resources
Resources

Quick Links
Feature Requests
Defects
Menu

This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

PCI Compliance

Discussion in 'Security' started by eglwolf, Sep 20, 2012.

eglwolf Well-Known Member

Joined:

Jan 1, 2004

Messages:

185

Likes Received:

0

Trophy Points:

166

I just ran a quarterly scan on my server and it failed with this notice (see below). How do I fix this?

Description: SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability Synoposis: It may be possible to obtain sensitive information from the remote host with SSL/TLS-enabled services. Impact: A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow information disclosure if an attacker intercepts encrypted traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected. This script tries to establish an SSL/TLS remote connection using an affected SSL version and cipher suite, and then solicits return data. If returned application data is not fragmented with an empty or one-byte record, it is likely vulnerable. OpenSSL uses empty fragments as a countermeasure unless the 'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' option is specified when OpenSSL is initialized. Microsoft implemented one-byte fragments as a countermeasure, and the setting can be controlled via the registry key H KEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders \\SCHANNEL\\SendExtraRecord. Therefore, if multiple applications use the same SSL/TLS implementation, some may be vulnerable while others may not, depending on whether or not a countermeasure has been enabled. Note that this script detects the vulnerability in the SSLv3/TLSv1 protocol implemented in the server. It does not detect the BEAST attack where it exploits the vulnerability at HTTPS client-side (i.e., Internet browser). The detection at server-side does not necessarily mean your server is vulnerable to the BEAST attack because the attack exploits the vulnerability at client-side, and both SSL/TLS clients and servers can independently employ the split record countermeasure. See also : http://www.openssl.org/~bodo/tls-cbc.txt thái: BEAST Microsoft Security Bulletin MS12-006 - Important : Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584) MS12-006: Vulnerability in SSL/TLS could allow information disclosure: January 10, 2012 Fixing the BEAST - Unleashed - Site Home - MSDN Blogs Data Received: Negotiated cipher suite: AES256-SHA|TLSv1|Kx=RSA|Au=RSA|Enc=AES(256)|Mac=SHA1 Resolution: Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported. Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if available. Note that additional configuration may be required after the installation of the MS12-006 security update in order to enable the split-record countermeasure. See MS12-006: Vulnerability in SSL/TLS could allow information disclosure: January 10, 2012 for details. Risk Factor: Medium/ CVSS2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) CVE: CVE-2011-3389
Click to expand...

and

Description: SMTP Service Cleartext Login Permitted Synoposis: The remote mail server allows cleartext logins. Impact: The remote host is running an SMTP server that advertises that it allows cleartext logins over unencrypted connections. An attacker may be able to uncover user names and passwords by sniffing traffic to the server if a less secure authentication mechanism (i.e. LOGIN or PLAIN) is used. See also : RFC 4422 - Simple Authentication and Security Layer (SASL) RFC 4954 - SMTP Service Extension for Authentication Data Received: The SMTP server advertises the following SASL methods over an unencrypted channel : All supported methods : PLAIN, LOGIN Cleartext methods : PLAIN, LOGIN Resolution: Configure the service to support less secure authentication mechanisms only over an encrypted channel. Risk Factor: Medium/ CVSS2 Base Score: 4.0 AV:N/AC:H/Au:N/C:P/I:N/A:N
Click to expand...

#1 eglwolf, Sep 20, 2012
eglwolf Well-Known Member

Joined:

Jan 1, 2004

Messages:

185

Likes Received:

0

Trophy Points:

166

Can anyone help?

#2 eglwolf, Sep 23, 2012
cPanelTristan Quality Assurance Analyst
Staff Member

Joined:

Oct 2, 2010

Messages:

7,622

Likes Received:

24

Trophy Points:

238

Location:

somewhere over the rainbow

cPanel Access Level:

Root Administrator

Have you searched Google for these? PCI compliance errors should be helped by the company who is charging for the scan as far as I'm concerned. Most companies charge a large fee and then don't even assist in trying to decipher what they are claiming is failing.

cPResources: Support Options | More Support Options | Forums Search | cPanel.net Site Search | Mailing Lists(Alt) | Docs
-- Tristan, Technical Analyst III, Forums Specialist, cPanel Tech Support

Submit a ticket | Check an existing ticket

#3 cPanelTristan, Sep 23, 2012
RealAdmins Registered

Joined:

Sep 24, 2012

Messages:

1

Likes Received:

0

Trophy Points:

1

cPanel Access Level:

DataCenter Provider

cPanelTristan said: ↑

PCI compliance errors should be helped by the company who is charging for the scan as far as I'm concerned.
Click to expand...

As someone with a couple of decades of enterprise hosting experience, I'd have to disagree with that. The scan vendor's job is to check for vulnerabilities and report them back. The server admin, provider, and/or software vendor is responsible for fixing their vulnerabilities.

Anywho... To help:

In the first case the "vulnerability" is kind of interesting. The server itself is not vulnerable at all and the attack requires a compromised browser. It seems that most of the PCI scan vendors are triggering on this if any cipher other than RC4 is in use. This could be an issue with about 0.09% of the internet connecting to you (the better bet is to allow for fallback to a CBC based cipher if RC4 isn't supported, but the scan vendors aren't allowing this.).

The fix in cPanel's poorly implemented SSL configuration via cpanel would be to:
Go to Service Configuration ->Apache Configuration -> Global Configuration
Select the custom value for SSL Cipher Suite and set it to: RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC3-SHA:!DES-CBC3-MD5:!IDEA-CBC-SHA:!RC4-MD5:!IDEA-CBC-MD5:!RC2-CBC-MD5:!MD5:!aNULL:!EDH:!AESGCM

It's also best if you add these two lines to your /usr/local/apache/conf/includes/pre_main_global.conf
# CVE-2011-3389
SSLHonorCipherOrder On
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

Then run the following commands:
/usr/local/cpanel/bin/build_apache_conf
/etc/init.d/httpd restart

Rerun your scan and you should be set on the BEAST attack stuff.

The second is something that's pretty annoying to server admins with cpanel-type installations. The major problem here is that you have mail running on the SSL site IP. I recommend pointing the domain's email to a dedicated mail IP and firewalling out email to the SSL IP. To just pass this scan you can likely go to Service Configuration ->Exim Configuration Manager ->Basic Editor ->Security and turn "Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server" ON. Note: any clients sending mail using that IP will need to make sure they have encrypted authentication turned on in their client.

Regards,

Doug

#4 RealAdmins, Sep 24, 2012
Infopro cPanel Sr. Product Evangelist
Staff Member

Joined:

May 20, 2003

Messages:

15,418

Likes Received:

285

Trophy Points:

433

Location:

Pennsylvania

cPanel Access Level:

Root Administrator

Twitter:

Follow @InfoprosNetwork

This documentation may prove useful to you:
PCI Compliance Info - cPanel Documentation

____________________________

Join us for the 2017 cPanel Conference!
Sept. 26th & 27th in Fort Lauderdale, Florida
https://conference.cpanel.net/

#5 Infopro, Sep 24, 2012
merlinpa1969 Well-Known Member

Joined:

Dec 3, 2003

Messages:

108

Likes Received:

0

Trophy Points:

166

Location:

PA

cPanel Access Level:

Root Administrator

actually for the Beast attach which is what Security Metrics is failing folks over its an isse that needs to be addressed by cPanel NOT Security Metrics and there is a bug report in about it
The issue is that cpanel says that SM shouldnt be scanning for it, and SM says its a valid issue.

So the documents that were linked to are absolutly worthless

#6 merlinpa1969, Sep 26, 2012

(You must log in or sign up to post here.)

Loading...

Similar Threads - Compliance

PCI Compliance for Passive FTP Ports

Serra, Jun 30, 2016, in forum: Security

Replies:

2

Views:

541

cPanelMichael

Jul 10, 2016
Security Metrics refuse cPanel PCI Compliance

santrix, Mar 10, 2016, in forum: Security

Replies:

4

Views:

747

santrix

Mar 11, 2016
PCI Compliance - TLS 1.0 Protocol Detection

PromptDev, Oct 26, 2015, in forum: Security

Replies:

6

Views:

1,158

cPanelMichael

Nov 10, 2015

Share This Page