TLS 1.2 Poodle Vulnerability for WHM and Cpanel Ports

[jestep]

Just started failing PCI on a server for a poodle vulnerability for WHM and Cpanel ports, 2083 and 2087.

CVE's are:
2015-4078
2014-8730
2015-5369

This server has been running for years right now with very few changes. I don't see these when I grep the openssl changelog. Is there somewhere else I need to look to show these were patched or did I miss a big security issue with TLS 1.2? Kind of scratching my head on this one, none of my other servers are failing it...

Even though all servers are running identical operating systems and SSL/TLS and identical cipher implementations, the description from trustwave is:

Certain TLS implementations do not properly conform to the TLS RFC and support the CBC padding scheme from SSLv3. This could allow an attacker to exploit a padding-oracle and compromise the confidentiality of a TLS session.

 

[cPanelLauren]

None of these CVE's seem relevant to standard CentOS/RHEL installations. The details on each of them are here:

NVD - CVE-2015-4078

nvd.nist.gov

Description
Cloudera Navigator 2.2.x before 2.2.4 and 2.3.x before 2.3.3 include support for SSLv3 when configured to use SSL/TLS, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a variant of CVE-2014-3566 (aka POODLE).

NVD - CVE-2015-5369

nvd.nist.gov

Description

Pulse Connect Secure (aka PCS and formerly Juniper PCS) PSC6000, PCS6500, and MAG PSC360 8.1 before 8.1r5, 8.0 before 8.0r13, 7.4 before 7.4r13.5, and 7.1 before 7.1r22.2 and PPS 5.1 before 5.1R5 and 5.0 before 5.0R13, when Hardware Acceleration is enabled, does not properly validate the Finished TLS handshake message, which makes it easier for remote attackers to conduct man-in-the-middle attacks via a crafted Finished message.

NVD - CVE-2014-8730

nvd.nist.gov

Description

The SSL profiles component in F5 BIG-IP LTM, APM, and ASM 10.0.0 through 10.2.4 and 11.0.0 through 11.5.1, AAM 11.4.0 through 11.5.1, AFM 11.3.0 through 11.5.1, Analytics 11.0.0 through 11.5.1, Edge Gateway, WebAccelerator, and WOM 10.1.0 through 10.2.4 and 11.0.0 through 11.3.0, PEM 11.3.0 through 11.6.0, and PSM 10.0.0 through 10.2.4 and 11.0.0 through 11.4.1 and BIG-IQ Cloud and Security 4.0.0 through 4.4.0 and Device 4.2.0 through 4.4.0, when using TLS 1.x before TLS 1.2, does not properly check CBC padding bytes when terminating connections, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a variant of CVE-2014-3566 (aka POODLE). NOTE: the scope of this identifier is limited to the F5 implementation only. Other vulnerable implementations should receive their own CVE ID, since this is not a vulnerability within the design of TLS 1.x itself.

The only one that was even listed by Red Hat is:

Red Hat Customer Portal - Access to 24x7 support and knowledge

access.redhat.com

But they make a note that it does not affect the versions of OpenSSL shipped with RHEL 6, 7 or 8

Statement
Not vulnerable. This issue does not affect the version of openssl, nss and gnutls as shipped in Red Hat Enterprise Linux 5, 6 and 7.

I'm not entirely sure I understand why any of these is coming up for your PCI scan since they're all related to specific software that isn't standard.

 

[jestep]

The only one that was even listed by Red Hat is:

Red Hat Customer Portal - Access to 24x7 support and knowledge

access.redhat.com

But they make a note that it does not affect the versions of OpenSSL shipped with RHEL 6, 7 or 8

That was pretty much my thought and it's only on one server of a bunch that are all scanned at the same time that are all setup the same way. Must be a false positive.

Other question, can you tell me the location of the file used to control SSL ciphers and directives for WHM and cpanel interfaces. I bricked the interface by testing removing TLS 1.2 from it and need to edit it manually.

 

[cPanelLauren]

I've done this myself with something else and you can edit

/var/cpanel/conf/cpsrvd/main

Then run the following:

mkdir /root/ssl_socket_args-backup
mv /var/cpanel/conf/cpsrvd/ssl_socket_args /root/ssl_socket_args-backup/
/scripts/restartsrv_cpsrvd

Once you've been able to access successfully you can remove the /root/ssl_socket_args-backup folder