The Community Forums


PCI scan openssl upgrade

Discussion in 'Security' started by Rooney, Nov 18, 2010.

  1. Rooney

    Rooney Member

    Joined:
    Feb 27, 2006
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    The TrustKeeper PCI scan recommends an openssl upgrade to 0.9.8n or higher due to multiple vulnerabilities, whereas on a CentOS 5.5 server, even after a cPanel upgrade to the latest version, only 0.9.8e is available.

    The negative score of the PCI scan cannot be marked as false positives because many are not covered by the cPanel-compatible openssl version, like CVE-2010-0742, CVE-2010-1633, etc.

    If upgraded, will it break compatibility, like -cPanel Don- says here: http://forums.cpanel.net/620481-post4.html ?

    How do I get 0.9.8n to work properly with Apache?
     
  2. syslint

    syslint Well-Known Member

    Joined:
    Oct 9, 2006
    Messages:
    249
    Likes Received:
    6
    Trophy Points:
    18
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello,

    You can compile and install openssl on your new server, but you need to take care of some things:
    - prefix must be /usr
    - enable shared support
    - make the soft links from /lib/libssl* to /usr/local/lib/libssl*

    Then compile openssh, curl, apache, php, etc. I had to face these issues recently when making a cPanel server PCI DSS compliant.
     
  3. garrettp

    garrettp Well-Known Member
    PartnerNOC

    Joined:
    Jun 18, 2004
    Messages:
    312
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    DataCenter Provider
    I would strongly recommend against using the mentioned source upgrade for OpenSSL. Doing so, you are quite likely to break application compatibility and library linkages.

    RedHat backports security patches to its OpenSSL versions without updating the major/minor version numbers, which causes some of the "dumber" PCI scanners to issue false positives. The better PCI scanners will actually test for the patching of individual CVEs as opposed to simply checking a version number. In all likelihood, if you are running the latest version of OpenSSL for your distro version, you will be fine.

    You can check for CVE patches manually using the following command:

    Code:
    rpm -q --changelog openssl | less
     
  4. syslint

    syslint Well-Known Member

    Joined:
    Oct 9, 2006
    Messages:
    249
    Likes Received:
    6
    Trophy Points:
    18
    Location:
    India
    cPanel Access Level:
    Root Administrator
    I forgot to add one line. It is only suggested for experts; otherwise you will break things. 99% of distros use patched versions of the latest fix, so scanning the major version is really foolish.
     
  5. gkgcpanel

    gkgcpanel Well-Known Member

    Joined:
    Jun 6, 2007
    Messages:
    217
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    DataCenter Provider
    Running CentOS 5 and updated via yum nightly.

    Getting a notice from a PCI scan company that there are multiple vulnerabilities for OpenSSH.
    I have already tried to tell them that CentOS backports all the security fixes, and they want proof.

    So I did a

    rpm -qa --changelog openssh | grep CVE

    and got only 4 fixes listed:

    CVE-2007-4752
    CVE-2006-5794
    CVE-2006-4924
    CVE-2006-5051

    However, PCI Scan(idiots) claim all of these are vulnerable:

    CVE Numbers:

    CVE-2000-0525, CVE-2001-0144, CVE-2001-0816, CVE-2001-0872, CVE-2001-1380,
    CVE-2001-1507, CVE-2002-0083, CVE-2002-0575, CVE-2002-0639, CVE-2002-0640,
    CVE-2003-0190, CVE-2003-0386, CVE-2003-0682, CVE-2003-0693, CVE-2003-0695,
    CVE-2003-0786, CVE-2003-0787, CVE-2003-1562, CVE-2004-2069, CVE-2005-2797,
    CVE-2005-2798, CVE-2006-0225, CVE-2006-4924, CVE-2006-4925, CVE-2006-5051,
    CVE-2006-5052, CVE-2006-5794, CVE-2007-2243, CVE-2007-4752, CVE-2008-1483,
    CVE-2008-1657, CVE-2008-3234, CVE-2008-3259, CVE-2008-5161, CVE-2011-0539

    Some of these go back to 2000... I know there are more security issues that have been patched. I tried yum -y upgrade again and it said I'm running the latest version with all security fixes. But still, rpm -qa --changelog openssh | grep CVE (even rpm -qa --changelog openssh | less) doesn't show any other CVEs listed, other than the 4 above.

    The strange part is that the PCI scan passed last month, no problem. But this month they are stating that all of the above are a problem (and they weren't last month).

    Not sure what else to tell the scan(idiots)...

    Any help would be greatly appreciated.
     
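garrettp's changelog check and gkgcpanel's comparison against the scanner's list, combined into one small script. This is added here and is not code from any poster; the changelog text and the scanner's CVE list are constructed samples (the changelog wording is placeholder text, not real CentOS changelog entries).

```shell
# Constructed sample of `rpm -q --changelog openssh` output (placeholder text,
# not a real CentOS 5 changelog). In practice, feed the real command's output.
SAMPLE_CHANGELOG='* Tue Sep 11 2007 Example Maintainer <maint@example.invalid> - 4.3p2-24
- CVE-2007-4752: placeholder description of the fix
* Wed Nov 15 2006 Example Maintainer <maint@example.invalid> - 4.3p2-10
- fix CVE-2006-5794 and CVE-2006-5051 (placeholder description)
- CVE-2006-4924: placeholder description of the fix'

# Constructed list of CVE ids a scanner reported for the host.
SCANNER_CVES='CVE-2000-0525 CVE-2006-4924 CVE-2006-5051 CVE-2007-4752 CVE-2008-5161'

# Print the sorted, de-duplicated CVE ids mentioned in changelog text read from stdin.
changelog_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# For each CVE id given after the changelog text ($1), print
#   "<cve> patched"           if the changelog names it (backported fix present), or
#   "<cve> not-in-changelog"  if it does not (check the NVD affected versions next).
classify_cves() {
    cl_text="$1"; shift
    cl_known=$(printf '%s\n' "$cl_text" | changelog_cves)
    for cve in "$@"; do
        if printf '%s\n' "$cl_known" | grep -qx "$cve"; then
            echo "$cve patched"
        else
            echo "$cve not-in-changelog"
        fi
    done
}

# Usage: compare the scanner's findings with what the package changelog records.
# Real run: classify_cves "$(rpm -q --changelog openssh)" $SCANNER_CVES
classify_cves "$SAMPLE_CHANGELOG" $SCANNER_CVES
```

A "not-in-changelog" result is not proof of exposure: it also covers CVEs that only affected versions older than the one packaged, which the NVD entry's affected-version list shows.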
  6. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    You are simply going to have to go to the National Vulnerability Database and show them the versions impacted, like this one:

    National Vulnerability Database (NVD): CVE-2000-0525

    * cpe:/a:openbsd:openssh:1.2
    * cpe:/a:openbsd:openssh:1.2.3
    * cpe:/a:openbsd:openssh:2.1

    This only impacted OpenSSH versions 1.2, 1.2.3 and 2.1, so all later versions were patched. I would ask to speak to someone higher up at the PCI scan company to ask why they are tagging CVEs for OpenSSH versions lower than openssh-4.3p2-72.el5, which is provided by RHEL 5 and CentOS 5. It isn't a backport when you have a newer version than that impacted by the CVE, since newer versions already contain all bug fixes. No CVE that impacted a version prior to 4.3 will be listed under the 4.3 changelog.
     
  7. gkgcpanel

    gkgcpanel Well-Known Member

    Joined:
    Jun 6, 2007
    Messages:
    217
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    DataCenter Provider
    Thanks Tristan, that's what I did and so far have not heard back from them.
     
  8. storminternet

    storminternet Well-Known Member

    Joined:
    Nov 2, 2011
    Messages:
    462
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Hi Tristan,

    Thanks for providing such valuable information. We had to upgrade openssh on many VPSes and dedicated servers to meet PCI standards.
     