SSLv3 Vulnerability : http://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols

Vince778

Member
Jan 1, 2010
14
1
53
I just need a clarification from the CP Admins please.

I'm a noob user and this is probably the most confusing thread I've ever read. After 7 pages and what appears to be a final comment from a CP Admin I still have no idea what I'm supposed to do.

Will this issue be resolved on its own in the next auto update or do we continue to wait? If we're expected to do anything on our end to fix this can we get a clear list of instructions please?

Regards,

Vince
 

Tom Risager

Well-Known Member
Jul 10, 2012
116
6
18
Copenhagen, Denmark
cPanel Access Level
Root Administrator
As far as I can tell using vulnerability scanners the POODLE attack is prevented after upgrading to 11.44.1.19 without my having to do any configuration updates. Would be nice to have confirmation, though - the release notes seem to indicate that manual configuration is still necessary. It is also unclear to me if there are still services that are vulnerable.

It seems to me that cPanel has been hard at work getting this resolved quickly, no complaints there. Communication hasn't been great, though.
 

ladydi711

Well-Known Member
Sep 4, 2001
140
6
318
I agree it would be helpful to have some more comments from cPanel on this.

After 11.44.1.19, my sites were still being reported as using SSL v3. I went into WHM, Apache Configuration, Global Configuration. On the first option, SSL Cipher Suite, I selected the recommended option. This forced a rebuild of Apache, and now my sites are reporting that SSL v3 is disabled.

So, it seems to me that a rebuild of Apache is required after the update to 11.44.1.19.

Anyone else have this experience?
 

jack01

Well-Known Member
Jul 21, 2004
200
0
166
I agree it would be helpful to have some more comments from cPanel on this.

After 11.44.1.19, my sites were still being reported as using SSL v3. I went into WHM, Apache Configuration, Global Configuration. On the first option, SSL Cipher Suite, I selected the recommended option. This forced a rebuild of Apache, and now my sites are reporting that SSL v3 is disabled.

So, it seems to me that a rebuild of Apache is required after the update to 11.44.1.19.

Anyone else have this experience?

I can confirm this worked for me too. However it seems to apply the new configuration automatically when the cPanel upgrade is run with the 'forced' option; otherwise you have to actively go to the WHM 'Service Configuration' section and actively apply / rebuild / restart the updated service configuration for Apache, Dovecot, Exim (and possibly Courier, which I never use).

The cPanel/WHM SSL ports (2083, 2087, 2096) seem to be fixed immediately following update to 11.44.1.19
 

AlHawtin

Registered
Oct 23, 2014
2
0
1
cPanel Access Level
Reseller Owner
I can confirm this worked for me too. However it seems to apply the new configuration automatically when the cPanel upgrade is run with the 'forced' option; otherwise you have to actively go to the WHM 'Service Configuration' section and actively apply / rebuild / restart the updated service configuration for Apache, Dovecot, Exim (and possibly Courier, which I never use).

The cPanel/WHM SSL ports (2083, 2087, 2096) seem to be fixed immediately following update to 11.44.1.19
I can also confirm that this worked for me. It took a few tries however and Qualsys now rates us at A-. The A- because our cert needs to be re-issued with SHA-2. Can get to that now that POODLE is out of the way.

One small problem we ran into was that the directive All -SSLv2 was still in the Pre VirtualHost Include. This was overriding the -SSLv3 in the Global Configuration, which was set as ALL -SSLv2 -SSLv3. Something to watch out for.

We are PCI compliant so we had to remove the null ciphers which are left in the cPanel PCI cipher suite selection. Our cipher suite directive is custom as:

ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-EXP:!kEDH:!aNULL

So - with a re-issued cert, we should be back to our A rating and our PCI work can re-start.

Thanks to all that posted here and cPanel for getting this finally in place.
 

tibbitts

Member
Oct 26, 2009
15
0
51
So, would it be correct to summarize that we now have various reports that:

1. merely upgrading resolves the vulnerabilities;

2. upgrading resolves the vulnerabilities, but only if run with the force option;

3. upgrading resolves the vulnerabilities, but only if apache is rebuilt post-upgrade (possibly combined with #2);

4. upgrading resolves the vulnerabilities but only if the correct set of options is manually selected in individual service configurations after upgrading, depending on which services are installed (possibly combined with #2 or #3)?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,243
463
Hello,

Below is a copy of our updated response to customers:

On October 14, 2014, security experts alerted the general public to a flaw in an obsolete but still-used SSL protocol (SSLv3).

The "POODLE" (Padding Oracle On Downgraded Legacy Encryption) attack can force a connection to "fallback" to SSL 3.0, where it is then possible to steal cookies, which are small data files that enable persistent access to an online service. If stolen, a cookie could allow an attacker access to someone's Web-based email account, for example.

It's important to know that this flaw is most likely present in all servers and is not specific to the cPanel software. In addition, this vulnerability does not appear to affect SSH and FTP services. Regardless, we recommend that you update your server as soon as possible to address this vulnerability.

As of 10/22/2014 cPanel has released versions of cPanel to disable SSLv3. These versions are:
11.46.0.9
11.44.1.19

Our changes introduced in the above versions disable SSLv3 support by default; however, in order for those changes to take effect through the update process, the services must be restarted. If you are currently running one of the above versions or later, or once you have upgraded your server, you will need to follow the below steps to ensure that SSLv3 is properly disabled.

In addition, if you have already performed manual configuration changes on your server to disable SSLv3, you will need to revert those changes.

In order to identify the version of cPanel you are running, please log into WHM as root and identify the version in the top right of the WHM interface.

Upgrade instructions can be found here:
http://documentation.cpanel.net/dis...testVersion-HowtoupdateyourcPanel&WHMsoftware

====

To disable SSLv3 once your server has been upgraded to one of the supported versions listed above:

For Apache:

1. Go to WHM => Service Configuration => Apache Configuration => Global Configuration.
2. SSL/TLS Cipher Suite (the second option, not "SSL Cipher Suite") should contain “All -SSLv2 -SSLv3”.
3. Go to the bottom of the page, and select the Save button to restart the service.

For LiteSpeed:

Update to LiteSpeed version 4.2.18.

For more information about Litespeed & POODLE: LSWS 4.2.18 Released

Note about Mail Servers:

The POODLE attack requires the client to retry connecting several times in order to downgrade to SSLv3, and typically only browsers will do this. Mail Clients are not as susceptible to POODLE. However, users who want better security should switch to Dovecot until we upgrade Courier to a newer version.

For cpsrvd:

1. Go to WHM => Service Configuration => cPanel Web Services Configuration
2. Make sure that the "TLS/SSL Protocols" field contains "SSLv23:!SSLv2:!SSLv3".
3. Select the "Save" button at the bottom.

For cpdavd:

1. Go to WHM => Service Configuration => cPanel Web Disk Configuration
2. Make sure that the "TLS/SSL Protocols" field contains "SSLv23:!SSLv2:!SSLv3".
3. Select the "Save" button at the bottom.

For Dovecot:

1. Go to WHM => Service Configuration => Mailserver Configuration.
2. SSL Protocols should contain “!SSLv2 !SSLv3”. If it does not, replace the text in this field.
3. Go to the bottom of the page, and select the Save button to restart the service.

For Courier:

Courier has released a new version to mitigate this as of 10/22; until we have an opportunity to review, test, and publish the new version of Courier, please switch to Dovecot for enhanced security.

For Exim:

1. Go to Home » Service Configuration » Exim Configuration Manager
2. Under Advanced Editor, look for 'openssl_options'.
3. Make sure the field contains "+no_sslv2 +no_sslv3".
4. Go to the bottom of the page, and select the Save button to restart the service.

====

To revert any manual changes you may have made to mitigate POODLE prior to the 11.46 upgrade:

For Apache:

1. Go to WHM => Service Configuration => Apache Configuration => Include Editor => Pre Main Include.
2. Select a version or All Versions.
3. Remove the following lines from the text box:

SSLHonorCipherOrder On
SSLProtocol +All -SSLv2 -SSLv3

4. Press the Update button to rebuild your Apache configuration.

For LiteSpeed:

No changes are necessary if you are using LiteSpeed version 4.2.18.

For cpsrvd:

1. Go to WHM => Service Configuration => cPanel Web Services Configuration
2. Make sure that the "TLS/SSL Protocols" field contains "SSLv23:!SSLv2:!SSLv3".
3. Select the "Save" button at the bottom.

For cpdavd:

1. Go to WHM => Service Configuration => cPanel Web Disk Configuration
2. Make sure that the "TLS/SSL Protocols" field contains "SSLv23:!SSLv2:!SSLv3".
3. Select the "Save" button at the bottom.

For Dovecot:

No change is required.

For Courier:

The POODLE attack requires the client to retry connecting several times in order to downgrade to SSLv3, and typically only browsers will do this. Mail Clients are not as susceptible to POODLE. However, users who want better security should switch to Dovecot until we upgrade Courier to a newer version.

For Exim:

1. Go to WHM => Service Configuration => Exim Configuration Manager => Advanced Editor.
2. Go to SECTION: Config at the top.
3. Search for openssl_options.
4. Ensure that this setting is set to "+no_sslv2 +no_sslv3" which is the cPanel Default.
5. Go to the bottom of the page, and select the Save button.

====

For major versions lower than those listed above, please review our documentation on adjusting cipher protocols here:
http://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols

Please let us know if you have any questions about this procedure or about the vulnerability in general.

Thank you.
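A small audit helper, added here and not part of cPanel's response or anyone's post in the thread, that evaluates the four protocol settings listed above (Apache SSLProtocol, the cpsrvd/cpdavd "TLS/SSL Protocols" field, Dovecot's SSL Protocols and Exim's openssl_options) and reports whether SSLv3 survives; it also shows why a leftover "All -SSLv2" in an Apache include, as reported earlier in the thread, re-enables SSLv3. It assumes "All"/"SSLv23" cover SSLv2 through TLSv1.2, and the colon-list semantics of the cpsrvd field are an assumption.

```python
"""Audit the SSL/TLS protocol settings the thread walks through and flag SSLv3."""
import re

# Assumed: 'All'/'SSLv23' means every version an Apache 2.2-era OpenSSL knew.
ALL = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANON = {p.lower(): p for p in ALL}  # unknown names raise KeyError on purpose

def apache_sslprotocol(directives):
    # Tokens: All, +proto, -proto, proto. The last SSLProtocol in a context
    # wins, so a stale "All -SSLv2" in an include replaces the global value.
    enabled = set()
    for tok in directives[-1].strip().strip('"').split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        protos = ALL if name.lower() == "all" else {CANON[name.lower()]}
        enabled = enabled | protos if sign == "+" else enabled - protos
    return enabled

def cpsrvd_protocols(value):
    # Colon list: SSLv23 enables everything, !X removes X (assumed semantics).
    enabled = set()
    for tok in value.split(":"):
        if tok.lower() == "sslv23":
            enabled |= ALL
        elif tok.startswith("!"):
            enabled.discard(CANON[tok[1:].lower()])
        else:
            enabled.add(CANON[tok.lower()])
    return enabled

def dovecot_protocols(value):
    # Only "!proto" entries -> everything else stays on; bare names opt in.
    toks = value.split()
    enabled = set(ALL) if all(t.startswith("!") for t in toks) else set()
    for tok in toks:
        if tok.startswith("!"):
            enabled.discard(CANON[tok[1:].lower()])
        else:
            enabled.add(CANON[tok.lower()])
    return enabled

def exim_openssl_options(value):
    # "+no_sslv3"-style flags each switch one version off.
    enabled = set(ALL)
    for m in re.finditer(r"\+no_(sslv2|sslv3|tlsv1(?:_[12])?)\b", value.lower()):
        enabled.discard(CANON[m.group(1).replace("_", ".")])
    return enabled

def sslv3_enabled(protocols):
    return "SSLv3" in protocols
```

Run each service's current value through the matching function; any result for which sslv3_enabled() is true is a service a POODLE scanner will still report.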
 

porcupine

Well-Known Member
PartnerNOC
Apr 18, 2002
74
0
306
Toronto, Ontario
cPanel Access Level
DataCenter Provider
For Apache:

1. Go to WHM => Service Configuration => Global Configuration.
2. SSL/TLS Cipher Suite (the second option, not "SSL Cipher Suite") should contain “All -SSLv2 -SSLv3”.
3. Go to the bottom of the page, and select the Save button to restart the service.
You missed a step, it should read:

1. Go to WHM => Service Configuration => Apache Configuration => Global Configuration.
 

easyswiss

Active Member
PartnerNOC
Apr 19, 2011
44
1
58
I have 2 questions here.

On all servers we have upgraded and rebooted we still have the "Vulnerable" notice, like cpanel.net.
Is this because of the SSL/TLS Cipher Suite? How can I check if the servers are "really" not vulnerable?

https://www.poodlescan.com/

Scan results
CPANEL.NET:443 (208.74.125.13) - VULNERABLE

This server supports the SSL v3 protocol.

This server does NOT support the SSL v2 protocol.
I found a thing there which links to TLS/SSL Server Supports SSLv2 | Rapid7

STORE.CPANEL.NET:443 (208.74.123.52) - VULNERABLE

This server supports the SSL v3 protocol.

This server supports the SSL v2 protocol. You should really disable this protocol. It's WAY deprecated.
Is it really a good idea to enable v2 (or the same above with the TLS cipher suite)? Because this version is vulnerable to other (old) exploits.
 

gnsw

Member
Aug 6, 2014
7
0
1
cPanel Access Level
Root Administrator
I have 2 questions here.

On all servers we have upgraded and rebooted we still have the "Vulnerable" notice, like cpanel.net.
Is this because of the SSL/TLS Cipher Suite? How can I check if the servers are "really" not vulnerable?

https://www.poodlescan.com/

I found a thing there which links to TLS/SSL Server Supports SSLv2 | Rapid7

Is it really a good idea to enable v2 (or the same above with the TLS cipher suite)? Because this version is vulnerable to other (old) exploits.
Hi, I have the same problem. I have followed all the instructions, but poodlescan (https://www.poodlescan.com/) keeps saying that my server is vulnerable. Does it have anything to do with my using Apache 2.4?
Have you been able to solve it?
Thanks
 

ethical

Well-Known Member
Apr 7, 2009
97
8
58
I see cPanel's letter doesn't mention FTP. Is it not vulnerable to POODLE?

If I try to change the TLS cipher suite to HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3

the FTP server won't restart properly.

Any ideas?

Edit: also, if I scan port 21 using poodlescan.com I get "SSLv3 is disabled", but I also get this warning:

This server supports the SSL v2 protocol. You should really disable this protocol

even though I have !SSLv2?

Thanks
John
 

ethical

Well-Known Member
Apr 7, 2009
97
8
58
Sorry, and one more note: when testing using SSL Labs with the default cPanel settings that supposedly fix this, it STILL reports the server as vulnerable to POODLE unless I change the setting to

-All +TLSv1
 

lorio

Well-Known Member
Feb 25, 2004
313
22
168
cPanel Access Level
Root Administrator
Sorry, and one more note: when testing using SSL Labs with the default cPanel settings that supposedly fix this, it STILL reports the server as vulnerable to POODLE unless I change the setting to
-All +TLSv1
Since SSL Labs only tests on 443, I wonder if you have already recompiled Apache via EasyApache. Perhaps you have some settings left in the Apache configs.

You're right about Poodlescan and port 21. Not sure if that result is correct. When I connect directly on that port with SSLv2 I receive nothing. It doesn't look like the connection via port 21 is secured.
 

sneader

Well-Known Member
Aug 21, 2003
1,195
65
178
La Crosse, WI
cPanel Access Level
Root Administrator
OpenSSL question:

According to the fine folks at OpenSSL, we should be using version 1.0.1j:

https://www.openssl.org/news/secadv_20141015.txt

But when I check the version on my boxen, we are showing 1.0.1e-fips:

OpenSSL> version
OpenSSL 1.0.1e-fips 11 Feb 2013

Was there a backported patch applied? I'm sure the nice security scanning folks are going to be asking me this question soon enough. :)

- Scott