Security Metrics PCI compliance - Exim fails test.

jols (Well-Known Member, Mar 13, 2004)
This one is driving me crazy. I've absolutely looked at everything, updated everything, checked everything, etc. But still, the last three security scans from Security Metrics have returned this failure:

-------
The remote host is running a version of the Exim MTA which is vulnerable to several remote buffer overflows. Specifically, if either 'headers_check_syntax' or 'sender_verify = true' is in the exim.conf file, then a remote attacker may be able to execute a classic stack-based overflow and gain inappropriate access to the machine. *** If you are running checks with safe_checks enabled, this may be a false positive as only banners were used to assess the risk! *** It is known that Exim 3.35 and 4.32 are vulnerable. Solution: Upgrade to Exim latest version Risk Factor: High
-------

-- YES - We do indeed have the latest version of Exim installed (see the version readout below).

-- YES - The following are not found in any of our configuration files for Exim: headers_check_syntax, sender_verify and also by-the-way safe_checks (This is logical, because these variables probably only apply to former versions of Exim.)

Here's the latest exim -bV readout:

---------------------------------------------
Exim version 4.69 #1 built 10-Jun-2008 11:34:56
Copyright (c) University of Cambridge 2006
Berkeley DB: Sleepycat Software: Berkeley DB 4.3.29: (September 12, 2006)
Support for: crypteq iconv() PAM Perl OpenSSL Content_Scanning Old_Demime Experimental_SPF Experimental_SRS Experimental_DomainKeys Experimental_DKIM
Lookups: lsearch wildlsearch nwildlsearch iplsearch dbm dbmnz
Authenticators: cram_md5 plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir autoreply pipe smtp
Size of off_t: 8
Configuration file is /etc/exim.conf
---------------------------------------------

Anyone know what could possibly be going on here?

Thanks very much!

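As an added example (my code, not from this thread and not Security Metrics' actual scanner logic), the script below shows what a banner-only check like the one in the finding has to work with: it pulls the Exim version out of an SMTP greeting or an `exim -bV` line, applies a version cut-off, and greps a config for the two option names the finding quotes. The cut-off (anything up to 3.35 in the 3.x line or up to 4.32 in the 4.x line counts as affected) is my reading of the finding text, not the vendor's rule. One caveat worth knowing before you grep: `headers_check_syntax` and `sender_verify` are Exim 3 main options; Exim 4 expresses the same checks as ACL conditions (`verify = header_syntax`, `verify = sender`), so their absence from a 4.69 exim.conf says nothing about the host either way. `fetch_banner` needs network access and is only there to show how to see exactly what the scanner sees.

```python
import re
import socket

# Versions the scanner finding names explicitly as vulnerable.
KNOWN_VULNERABLE = {(3, 35), (4, 32)}

# Assumption (mine, not the scanner vendor's rule): a banner-only check treats
# every release up to and including these as affected within its major line.
LAST_AFFECTED = {3: (3, 35), 4: (4, 32)}

# Matches both "220 host ESMTP Exim 4.69 ..." and "Exim version 4.69 #1 ..."
VERSION_RE = re.compile(r"\bExim\s+(?:version\s+)?(\d+)\.(\d+)")


def parse_exim_version(text):
    """Return (major, minor) from an SMTP banner or exim -bV line, or None."""
    m = VERSION_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def banner_verdict(banner):
    """Mimic a banner-only assessment: 'vulnerable', 'not vulnerable' or 'unknown'."""
    version = parse_exim_version(banner)
    if version is None:
        return "unknown"  # banner hidden or not Exim: nothing to grade on
    if version in KNOWN_VULNERABLE:
        return "vulnerable"
    last_bad = LAST_AFFECTED.get(version[0])
    if last_bad is not None and version <= last_bad:
        return "vulnerable"
    return "not vulnerable"


def risky_exim3_options(config_text):
    """List the Exim 3 main options the finding names, where set (uncommented)."""
    hits = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments before matching
        if re.match(r"headers_check_syntax\b", line):
            hits.append("headers_check_syntax")
        elif re.match(r"sender_verify\s*=\s*(true|yes)\b", line):
            hits.append("sender_verify")
    return hits


def fetch_banner(host, port=25, timeout=5.0):
    """Read the live SMTP greeting the scanner sees (needs network; not used in tests)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(512).decode("ascii", errors="replace").strip()


# Constructed sample inputs (not captured from the poster's host).
SAMPLE_BANNERS = [
    "220 mail.example.com ESMTP Exim 4.69 #1 Tue, 10 Jun 2008 12:00:00 -0600",
    "220 old.example.com ESMTP Exim 4.32 #1 Thu, 01 Jan 2004 00:00:00 +0000",
    "220 mail.example.com ESMTP ready",  # version hidden: nothing to assess
]
EXIM_BV_LINE = "Exim version 4.69 #1 built 10-Jun-2008 11:34:56"  # from the thread
SAMPLE_CONFIG = """# sender_verify = true   (commented out, must not count)
sender_verify = true
headers_check_syntax
"""

if __name__ == "__main__":
    print("exim -bV says", parse_exim_version(EXIM_BV_LINE))
    for b in SAMPLE_BANNERS:
        print(banner_verdict(b), "<-", b)
    print("risky Exim 3 options set:", risky_exim3_options(SAMPLE_CONFIG))
```

If the live greeting from `fetch_banner` carries "Exim 4.69" and the verdict is still "vulnerable", the scanner is not grading on the banner at all and you are down to asking the vendor what it is matching on.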
SB-Nick (Well-Known Member, Aug 26, 2008, cPanel Access Level: Root Administrator)
Hello,

It looks like a false positive from your PCI compliance company. I suggest you contact them and request that they perform a manual PCI compliance scan for that vulnerability in particular.

procam (Well-Known Member, Nov 24, 2003)
[quotes jols' original post above]
For those rushing to comply before the deadline: if this is your only issue (the Exim false positive), most likely you will not be able to get a reply from Security Metrics by email or phone, as I was unable to the past few weeks. Simply shut down Exim and rerun the test; after you are cleared, print the test and fax it in, then restart Exim. Easier than spending days trying to reach these fools that won't answer the phone or email for manual approval.

[email protected] (Registered, Oct 29, 2008)
Weird - I had no problem getting them on the phone, and no problem passing the PCI compliance, either.

The only part I failed was that the VBulletin login on my forum wasn't encrypted which, in and of itself, appears to have bloody nothing to do with credit card security but, hey, whatever floats their boat. :D

innsites (Well-Known Member, Nov 30, 2005)
PCI & Exim (securitymetrics)

My last holdup on being certified was the Exim risk factor. If you are running 4.69 and do not have 'headers_check_syntax' or 'sender_verify = true' in exim.conf, the only way to get certified with SecurityMetrics was to call tech support and forward a copy of the exim -bV results to the tech by email. THAT SAID, the tech I spoke with today said they would REDUCE the risk factor for this particular vulnerability so that it would not be a holdup to certification in the future.

ALL SET. PCI Certification on cPanel complete.

KTC
http://siteworks.com

brejman (Registered, Apr 16, 2005)
Had the same problem; changed two things at the same time, so not sure exactly which one fixed that issue. It worked, so I didn't care to test individually... lol

1. WHM >> Security Center >> SMTP Tweak: enable that

2. On the domain/host you gave to SM, make sure under cPanel >> Default Address that all unrouted mail is set to fail with a message

I originally had mine set to black hole. What the PCI scanner is looking for is the error message a mail server gives if there is no such user; if you have it set to black hole, it assumes it is relaying mail, but in fact it really isn't...

I actually had that error message plus a few more; I changed these two settings and all the Exim mail server issues (I had) with the Security Metrics PCI scanner were resolved.
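The unknown-user probe brejman describes, written out as an added example (my code, not the scanner's and not cPanel's): the client speaks just enough SMTP to ask for a recipient that should not exist and records the RCPT TO reply code, and a constructed in-process responder stands in for the mail server so the whole thing runs offline. With the default address set to fail, the server answers the RCPT with a 5xx; with a black hole or catch-all, the same RCPT gets 250 and the probe cannot tell "accepted and discarded" from "accepted and relayed", which is the ambiguity the post is describing. The reply strings, host names and the `catch_all` flag are constructed for the example. Caveat: a genuine open-relay test asks for a recipient in a domain the server does not handle at all; this probe only exercises the local unknown-user path.

```python
import socket
import threading


def read_reply(f):
    """Read one SMTP reply (multi-line aware) and return its 3-digit code."""
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        if len(line) >= 4 and line[3:4] == b" ":  # "250 " ends a reply, "250-" continues it
            return int(line[:3])


def unknown_user_probe(sock, domain, probe_user="pci-probe-nonexistent"):
    """Ask for a recipient that should not exist; return the RCPT TO reply code."""
    f = sock.makefile("rb")

    def cmd(text):
        sock.sendall((text + "\r\n").encode("ascii"))
        return read_reply(f)

    if read_reply(f) != 220:
        raise RuntimeError("no SMTP greeting")
    cmd("EHLO scanner.example.net")
    cmd("MAIL FROM:<probe@scanner.example.net>")
    code = cmd("RCPT TO:<%s@%s>" % (probe_user, domain))
    cmd("QUIT")
    return code


def classify(rcpt_code):
    """What the probe can conclude from the RCPT reply code."""
    if 500 <= rcpt_code < 600:
        return "rejected"  # unknown users fail at RCPT time: what the scanner wants to see
    if 200 <= rcpt_code < 300:
        return "accepted"  # catch-all / black hole: indistinguishable from relaying here
    return "deferred"


def fake_smtp_server(conn, valid_users, catch_all):
    """Toy responder (constructed for this example); models only the probe's commands."""
    def send(line):
        conn.sendall((line + "\r\n").encode("ascii"))

    send("220 mail.example.com ESMTP Exim 4.69")
    buf = b""
    try:
        while True:
            data = conn.recv(1024)
            if not data:
                return
            buf += data
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                text = line.decode("ascii", errors="replace")
                verb = text.split(" ", 1)[0].upper()
                if verb in ("EHLO", "HELO"):
                    send("250 mail.example.com Hello")
                elif verb == "MAIL":
                    send("250 OK")
                elif verb == "RCPT" and ":" in text:
                    addr = text.split(":", 1)[1].strip().strip("<>").lower()
                    if catch_all or addr in valid_users:
                        send("250 Accepted")          # black hole / catch-all behaviour
                    else:
                        send("550 No Such User Here")  # default address = fail behaviour
                elif verb == "QUIT":
                    send("221 mail.example.com closing connection")
                    return
                else:
                    send("500 unrecognized command")
    finally:
        conn.close()


def run_probe(valid_users, catch_all):
    """Run the probe against the toy server over an in-process socket pair."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_smtp_server, args=(server, valid_users, catch_all), daemon=True)
    t.start()
    try:
        return unknown_user_probe(client, "example.com")
    finally:
        client.close()
        t.join(timeout=2)


if __name__ == "__main__":
    users = {"postmaster@example.com"}
    for mode, catch_all in (("default address = fail", False), ("default address = :blackhole:", True)):
        code = run_probe(users, catch_all)
        print("%-30s RCPT -> %d (%s)" % (mode, code, classify(code)))
```

To run the probe against a real host instead of the toy server, open a `socket.create_connection((host, 25))` and pass it to `unknown_user_probe` with your own domain; do that only against systems you are authorised to test.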