
PCI failure on cPanel ports

Discussion in 'Security' started by Legin76, Apr 29, 2014.

  1. Legin76

    Legin76 Well-Known Member

    Hi

    I've got this same issue on two servers.


    Security Hole found on port/service "www (2096/tcp)"

    Status: Fail (This must be resolved for your device to be compliant).

    Plugin: "OpenSSL < 0.9.6e / 0.9.7b3 Multiple Remote Vulnerabilities"

    Category: "Gain a shell remotely"

    Priority: "Urgent"

    Synopsis: The remote service uses a library that is affected by a buffer overflow vulnerability.

    Description: The remote service seems to be using a version of OpenSSL that is older than 0.9.6e or 0.9.7-beta3.

    Such versions are affected by a buffer overflow that may allow an attacker to execute arbitrary commands on the remote host with the privileges of the application itself.

    Risk factor:

    CVE-2002-0655 - High / CVSS BASE SCORE :7.5 CVSS2#(AV:N/AC:L/Au:N/C:P/I:P/A:P)
    CVE-2002-0656 - High / CVSS BASE SCORE :7.5 CVSS2#(AV:N/AC:L/Au:N/C:P/I:P/A:P)
    CVE-2002-0657 - High / CVSS BASE SCORE :7.5 CVSS2#(AV:N/AC:L/Au:N/C:P/I:P/A:P)
    CVE-2000-0535 - Medium / CVSS BASE SCORE :5.0 CVSS2#(AV:N/AC:L/Au:N/C:N/I:P/A:N)
    CVE-2001-1141 - Medium / CVSS BASE SCORE :5.0 CVSS2#(AV:N/AC:L/Au:N/C:P/I:N/A:N)
    CVE-2002-0659 - Medium / CVSS BASE SCORE :5.0 CVSS2#(AV:N/AC:L/Au:N/C:N/I:N/A:P)

    Plugin output:

    Note that since safe checks are enabled, this check might be fooled by
    non-openssl implementations and produce a false positive.
    In doubt, re-execute the scan without the safe checks
     
    #1 Legin76, Apr 29, 2014
    Last edited: Apr 29, 2014
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Check to see if patches for those vulnerabilities have been backported to OpenSSL on your system. For example:

    Code:
    rpm -q --changelog openssl | grep -B 1 CVE-2002-0655
    Thank you.
     
  3. Legin76

    Legin76 Well-Known Member

    Both my servers show no response..

    # rpm -q --changelog openssl | grep -B 1 CVE-2002-0655
    #

    One is CentOS 6.5 x86_64 xenpv and the other Red Hat Enterprise 5.10 i686 standard.
     
  4. Legin76

    Legin76 Well-Known Member

  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    The PCI failure you posted is different than the one in the other thread, so it's better handled separately.

    Are you sure you receive the exact same failure description on both servers? What version of OpenSSL is installed on the CentOS 6 machine?

    Thank you.
     
  6. quizknows

    quizknows Well-Known Member

    CentOS 5 and 6 (or RHEL 5/6) should have backported RPMs that address any PCI breaking issues with OpenSSL. Your vendor is being a bit obnoxious flagging CVEs from 2002, seeing as the operating systems you're using are newer than the vulnerabilities. Clearly it's a false positive.

    I usually run yum updates to be safe, and dump the whole change log ( rpm -q --changelog openssl > textfile.txt ) and provide that text file to the PCI vendor along with the OS version and full RPM name. This works better than 95% of the time in my personal experience.
     
  7. Legin76

    Legin76 Well-Known Member

    Both are giving the exact same errors.

    Security Hole found on port/service "www (2096/tcp)"
    Security Hole found on port/service "www (2087/tcp)"
    Security Hole found on port/service "www (2083/tcp)"

    Is there a way I can display the version being used on those ports?

    I've submitted one as a false positive on one of them to see.


    Both servers are also showing the error below. There are a few more warnings similar to this with passes but I suspect that they relate to the same fix.

    Security Hole found on port/service "dns (53/udp)"

    Status: Fail (This must be resolved for your device to be compliant).

    Plugin: "ISC BIND 9 Zero-Length RDATA Section Denial of Service / Information Disclosure"

    Category: "DNS"

    Priority: "Urgent"

    Synopsis: The remote name server may be affected by a denial of service / information disclosure vulnerability.

    Description: According to its self-reported version number, the remote installation of BIND does not properly handle resource records with a zero-length RDATA section, which may lead to unexpected outcomes, such as crashes of the affected server, disclosure of portions of memory, corrupted zone data, or other problems.

    Note that Nessus has only relied on the version itself and has not attempted to determine whether or not the install is actually affected.

    See also:

    http://ftp.isc.org/isc/bind9/9.6-ESV-R7-P1/CHANGES
    http://ftp.isc.org/isc/bind9/9.7.6-P1/CHANGES
    http://ftp.isc.org/isc/bind9/9.8.3-P1/CHANGES
    http://ftp.isc.org/isc/bind9/9.9.1-P1/CHANGES
    https://kb.isc.org/article/AA-00698
    https://www.isc.org/software/bind/advisories/cve-2012-1667

    Risk factor:

    CVE-2012-1667 - High / CVSS BASE SCORE :8.5 CVSS2#(AV:N/AC:L/Au:N/C:P/I:N/A:C)

    Plugin output:

    Installed version : 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
    Fixed version : 9.8.3-P1

    Addition Information

    CVE: CVE-2012-1667

    BID : 53772 Other references : OSVDB:82609, CERT:381699

    Solution: Upgrade to BIND 9.6-ESV-R7-P1 / 9.7.6-P1 / 9.8.3-P1 / 9.9.1-P1 or later.
     
  8. Legin76

    Legin76 Well-Known Member

    I forgot to mention that the CentOS server has openssl-1.0.1e.

    I suspect that it's just not showing the openssl version when they do the check. Could this be why it thinks it's an old version?
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    The PCI scanner is only looking at the version number. Please ensure you check to see if the CVE reports have been backported to the version of the package installed on your system. For example, with CVE-2012-1667, you can see a patch for it is already included:

    Code:
    # rpm -q --changelog bind | grep -B 1 CVE-2012-1667
    * Mon Jun 04 2012 Adam Tkac <atkac redhat com> 32:9.8.2-0.10.rc1
    - fix CVE-2012-1667
    Thank you.
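
The changelog check discussed in this thread, as an added example that is not part of any post: it classifies a scanner-flagged CVE as fixed by a vendor backport (a changelog entry names it) or as already fixed upstream (no entry, but the installed upstream version is at or past the fixed one, which is the openssl-1.0.1e case where the grep returns nothing). The function names and the sample changelog are constructed for illustration, and GNU `sort -V` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU sort for `sort -V`.
# On a real host, produce the inputs with:
#   rpm -q --changelog bind > bind.changelog
#   rpm -q --qf '%{VERSION}\n' openssl

# Print the "* date author version" header of the changelog entry naming the CVE.
changelog_entry_for() {   # $1 = CVE id, $2 = changelog file
    awk -v cve="$1" '
        /^\* / { header = $0 }                      # start of a changelog entry
        $0 ~ (cve "([^0-9]|$)") { print header; found = 1; exit }
        END { exit !found }
    ' "$2"
}

# True when upstream version $1 is the same as or newer than $2.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# $1 = CVE, $2 = first fixed upstream version (from the scan report),
# $3 = installed upstream version, $4 = changelog file
classify_cve() {
    if entry=$(changelog_entry_for "$1" "$4"); then
        echo "$1 BACKPORTED $entry"
    elif version_ge "$3" "$2"; then
        echo "$1 NEWER-UPSTREAM installed $3 >= fixed $2"
    else
        echo "$1 UNRESOLVED no changelog entry, installed $3 < fixed $2"
        return 1
    fi
}

# Constructed sample changelog; the CVE entry is the one quoted in the thread.
sample_changelog() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
* Mon Jun 04 2012 Adam Tkac <atkac redhat com> 32:9.8.2-0.10.rc1
- fix CVE-2012-1667
* Thu Apr 05 2012 Example Packager <pkg example com> 32:9.8.2-0.9.rc1
- constructed entry with no CVE reference
EOF
    echo "$f"
}

log=$(sample_changelog)
classify_cve CVE-2012-1667 9.8.3-P1 9.8.2rc1 "$log"   # fix backported by the vendor
classify_cve CVE-2002-0655 0.9.6e 1.0.1e /dev/null    # empty changelog match, upstream already newer
rm -f "$log"
```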
     
  10. Legin76

    Legin76 Well-Known Member

    I get the following..

    # rpm -q --changelog bind | grep -B 1 CVE-2012-1667
    * Mon Jun 04 2012 Adam Tkac <atkac redhat com> 30:9.3.6-20.P1.1
    - fix CVE-2012-1667 and CVE-2012-1033
    and
    # rpm -q --changelog bind | grep -B 1 CVE-2012-1667
    * Mon Jun 04 2012 Adam Tkac <atkac redhat com> 32:9.8.2-0.10.rc1
    - fix CVE-2012-1667


    I'll submit them all as false positives.
     
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  12. Legin76

    Legin76 Well-Known Member

    Excellent.. Thanks for your help.
     