TLS 1.2 Poodle Vulnerability for WHM and Cpanel Ports

jestep

Well-Known Member
Dec 18, 2006
49
1
158
Just started failing PCI on a server for a poodle vulnerability for WHM and Cpanel ports, 2083 and 2087.

CVE's are:
2015-4078
2014-8730
2015-5369

This server has been running for years right now with very few changes. I don't see these when I grep the openssl changelog. Is there somewhere else I need to look to show these were patched or did I miss a big security issue with TLS 1.2? Kind of scratching my head on this one, none of my other servers are failing it...

Even though all servers are running identical operating systems and SSL/TLS and identical cipher implementations, the description from trustwave is:

Certain TLS implementations do not properly conform to the TLS RFC and support the CBC padding scheme from SSLv3. This could allow an attacker to exploit a padding-oracle and compromise the confidentiality of a TLS session.
 
Last edited:

cPanelLauren

Technical Support Community Manager
Staff member
Nov 14, 2017
11,895
1,068
313
Houston
None of these CVE's seem relevant to standard CentOS/RHEL installations. The details on each of them are here:

Description
Cloudera Navigator 2.2.x before 2.2.4 and 2.3.x before 2.3.3 include support for SSLv3 when configured to use SSL/TLS, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a variant of CVE-2014-3566 (aka POODLE).
Description
Pulse Connect Secure (aka PCS and formerly Juniper PCS) PSC6000, PCS6500, and MAG PSC360 8.1 before 8.1r5, 8.0 before 8.0r13, 7.4 before 7.4r13.5, and 7.1 before 7.1r22.2 and PPS 5.1 before 5.1R5 and 5.0 before 5.0R13, when Hardware Acceleration is enabled, does not properly validate the Finished TLS handshake message, which makes it easier for remote attackers to conduct man-in-the-middle attacks via a crafted Finished message.

Description
The SSL profiles component in F5 BIG-IP LTM, APM, and ASM 10.0.0 through 10.2.4 and 11.0.0 through 11.5.1, AAM 11.4.0 through 11.5.1, AFM 11.3.0 through 11.5.1, Analytics 11.0.0 through 11.5.1, Edge Gateway, WebAccelerator, and WOM 10.1.0 through 10.2.4 and 11.0.0 through 11.3.0, PEM 11.3.0 through 11.6.0, and PSM 10.0.0 through 10.2.4 and 11.0.0 through 11.4.1 and BIG-IQ Cloud and Security 4.0.0 through 4.4.0 and Device 4.2.0 through 4.4.0, when using TLS 1.x before TLS 1.2, does not properly check CBC padding bytes when terminating connections, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a variant of CVE-2014-3566 (aka POODLE). NOTE: the scope of this identifier is limited to the F5 implementation only. Other vulnerable implementations should receive their own CVE ID, since this is not a vulnerability within the design of TLS 1.x itself.

The only one that was even listed by Red Hat is:

But they make a note that it does not affect the versions of OpenSSL shipped with RHEL 6, 7 or 8

Statement
Not vulnerable. This issue does not affect the version of openssl, nss and gnutls as shipped in Red Hat Enterprise Linux 5, 6 and 7.
I'm not entirely sure I understand why any of these is coming up for your PCI scan since they're all related to specific software that isn't standard.
 

jestep

Well-Known Member
Dec 18, 2006
49
1
158
The only one that was even listed by Red Hat is:

But they make a note that it does not affect the versions of OpenSSL shipped with RHEL 6, 7 or 8
That was pretty much my thought and it's only on one server of a bunch that are all scanned at the same time that are all setup the same way. Must be a false positive.

Other question, can you tell me the location of the file used to control SSL ciphers and directives for WHM and cpanel interfaces. I bricked the interface by testing removing TLS 1.2 from it and need to edit it manually.
 

cPanelLauren

Technical Support Community Manager
Staff member
Nov 14, 2017
11,895
1,068
313
Houston
I've done this myself with something else and you can edit

Code:
/var/cpanel/conf/cpsrvd/main
Then run the following:

Code:
mkdir /root/ssl_socket_args-backup
mv /var/cpanel/conf/cpsrvd/ssl_socket_args /root/ssl_socket_args-backup/
/scripts/restartsrv_cpsrvd
Once you've been able to access successfully you can remove the /root/ssl_socket_args-backup folder