
SOLVED PCI Fails - Sweet32 on Ports 2083/2087

Discussion in 'Security' started by eglwolf, Sep 5, 2017.

  1. eglwolf

    eglwolf Well-Known Member

    Today, my PCI scan failed because of the same issue, Sweet32. However, this time it is on ports 2087 and 2083. I've changed nothing for 3 months and all was good. What did cPanel change that would have caused this?

    CVE-2016-2183
    Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32

    Port: tcp/2083
    Port: tcp/2087

    This is a cipher vulnerability, not limited to any specific SSL/TLS software implementation. DES and Triple DES (3DES) block ciphers, with a block size of 64 bits, have a birthday bound of approximately 4 billion blocks (or 2 to the power of 32, hence the name of this vulnerability). A man-in-the-middle (MitM) attacker, who is able to capture a large amount of encrypted network traffic, can recover sensitive plain text data.

    NOTE: Cipher block size must not be confused with key length. DES / 3DES ciphers are vulnerable because they always operate on 64 bit blocks regardless of the key length. If this vulnerability is detected, and in the list of detected ciphers you see only entries with numbers different than 64 (eg. TLSv1 112 bits ECDHE-RSA-DES-CBC3-SHA), the detection is still valid, because '112 bits' is the key length.

    CVE: CVE-2016-2183
    NVD: CVE-2016-2183
    CVSSv2: AV:N/AC:L/Au:N/C:P/I:N/A:N

    Service: http
    Application: cpanel:cpanel
    Reference:
    CVE-2016-2183 - Red Hat Customer Portal
    Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN
    The SWEET32 Issue, CVE-2016-2183 - OpenSSL Blog
    Evidence:
    Cipher Suite: TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA
    Cipher Suite: TLSv1_2 : EDH-RSA-DES-CBC3-SHA
    Cipher Suite: TLSv1_2 : DES-CBC3-SHA
     
  2. cPWilliamL

    cPWilliamL cP Technical Analyst II
    Staff Member

    Hi eglwolf,

    It looks like you've already found one of the threads that concerns this issue:
    SOLVED - PCI Scan Fails On Web Services Ports

    Have you tried updating the cipher suite at WHM > Service Configuration > cPanel Web Services Configuration to one provided in the thread?:
    SOLVED - PCI Scan Fails On Web Services Ports

    Could you also confirm your current cPanel version and OS release? My test box shows this CVE patched in the openssl package:
    Code:
    # rpm -q openssl --changelog|grep -A1 2016-2183
    - mitigate CVE-2016-2183 - degrade all 64bit block ciphers and RC4 to
      112 bit effective strength
    We also have an internal case (CPANEL-11108) concerning disabling these ciphers by default, which was implemented in cPanel 66.

    Thanks,
     
  3. eglwolf

    eglwolf Well-Known Member

    I made this change and it worked. I believe the recent cPanel update reset these settings that we previously had, which caused it to fail.

    cPanel Web Services Configuration
    TLS/SSL Cipher List
    ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!DES:!3DES:!RC4:!MD5:!RC4-SHA:!RC4-MD5
     
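As an added example (not code from this thread or from cPanel), the Python script below ties the scanner's explanation and the fix together: it parses evidence lines in the form the scan reported, flags every suite built on a 64-bit block cipher regardless of its key length, works out the birthday bound the scanner quotes, and checks that the cipher list eglwolf pasted into WHM both bans DES/3DES explicitly and names no 64-bit-block suite. The function names and the BLOCK_SIZE_BITS table are my own assumptions; the evidence lines and the cipher string are copied from the posts above.

```python
"""Offline Sweet32 (CVE-2016-2183) check for scan evidence and an OpenSSL cipher string."""
import re

# Fragments of OpenSSL suite names mapped to the underlying cipher's block size in bits.
# Sweet32 is about the 64-bit block, so 3DES counts even though its key is 112/168 bits.
# This table is an assumption for the example, not an OpenSSL API.
BLOCK_SIZE_BITS = {
    "DES-CBC3": 64,   # Triple DES
    "DES-CBC": 64,    # single DES
    "IDEA-CBC": 64,
    "AES128": 128,
    "AES256": 128,
}

# Evidence lines copied from the PCI scan quoted in the thread.
EVIDENCE = """\
Cipher Suite: TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_2 : EDH-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_2 : DES-CBC3-SHA
"""

# The WHM > cPanel Web Services Configuration cipher list from the last post.
WHM_CIPHER_LIST = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "!DES:!3DES:!RC4:!MD5:!RC4-SHA:!RC4-MD5"
)


def block_size_bits(suite):
    """Block size implied by an OpenSSL suite name; None for stream/AEAD-only or unknown."""
    for fragment, bits in BLOCK_SIZE_BITS.items():  # DES-CBC3 is tested before DES-CBC
        if fragment in suite:
            return bits
    return None


def birthday_bound_bytes(block_bits):
    """Bytes sent under one key before block collisions become likely: 2^(n/2) blocks of n bits."""
    blocks = 2 ** (block_bits // 2)
    return blocks * (block_bits // 8)


def parse_evidence(text):
    """Turn 'Cipher Suite: <proto> : <suite>' lines into (protocol, suite) tuples."""
    return re.findall(r"Cipher Suite:\s*(\S+)\s*:\s*(\S+)", text)


def sweet32_suites(text):
    """Suites in the scanner evidence that use a 64-bit block cipher."""
    return [suite for _, suite in parse_evidence(text) if block_size_bits(suite) == 64]


def cipher_string_is_sweet32_safe(cipher_string):
    """True if the string bans DES and 3DES with '!' and enables no 64-bit-block suite.

    Only explicit suite names are inspected; a string using group keywords such as
    HIGH must first be expanded with `openssl ciphers -v '<string>'`.
    """
    tokens = cipher_string.split(":")
    banned = {t[1:] for t in tokens if t.startswith("!")}
    enabled = [t for t in tokens if not t.startswith("!")]
    explicit_ban = {"DES", "3DES"} <= banned
    no_64bit = all(block_size_bits(s) != 64 for s in enabled)
    return explicit_ban and no_64bit


if __name__ == "__main__":
    for suite in sweet32_suites(EVIDENCE):
        print("64-bit block cipher offered:", suite)
    gib = birthday_bound_bytes(64) / 2 ** 30
    print("Birthday bound for a 64-bit block: %.0f GiB under one key" % gib)
    print("WHM cipher list Sweet32-safe:", cipher_string_is_sweet32_safe(WHM_CIPHER_LIST))
```

Run it after pasting a candidate cipher list into WHM_CIPHER_LIST: a list that drops the `!3DES` ban, or that still names a `DES-CBC3` suite, is reported as unsafe, which is the same condition the PCI scanner tests for on 2083/2087. The birthday bound comes out at 32 GiB for a 64-bit block, matching the "approximately 4 billion blocks" in the scan text.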