Trustwave PCI Failed - 3 Issues

eglwolf

Well-Known Member
Jan 1, 2004
190
0
166
I have the following 3 failed notification on a new server that I am trying to resolve. I believe that I have tried all the methods I have been able to find through other threads. Amy help would be great.

  • Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32, CVE-2016-2183
  • TLSv1.0 Supported
  • Reflected Cross-Site Scripting Vulnerability
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
The cross site scripting, if valid, is likely an issue in the hosted application (website) itself. The report should have steps to reproduce that issue. Often those can be false positives but you should have the web dev have a good look at it. The other ones we would need to know what service/port number is associated with them in order to help.
 

eglwolf

Well-Known Member
Jan 1, 2004
190
0
166
The block cipher algorithm is on port tcp/21 and Port: tcp/443
Evidence:

Cipher Suite: TLSv1_1 : ECDHE-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_1 : EDH-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_1 : DES-CBC3-SHA
Cipher Suite: TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_2 : EDH-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_2 : DES-CBC3-SHA


TLSv1.0 Supported Port: tcp/443
CVSSv2: AV:N/AC:L/Au:N/C:N/I:P/A:N
Service: apache:http_server

Evidence:

Cipher Suite: TLSv1 : ECDHE-RSA-AES256-SHA
Cipher Suite: TLSv1 : DHE-RSA-AES256-SHA
Cipher Suite: TLSv1 : AES256-SHA
Cipher Suite: TLSv1 : ECDHE-RSA-AES128-SHA
Cipher Suite: TLSv1 : DHE-RSA-AES128-SHA
Cipher Suite: TLSv1 : AES128-SHA
Cipher Suite: TLSv1 : ECDHE-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1 : EDH-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1 : DES-CBC3-SHA
 

eglwolf

Well-Known Member
Jan 1, 2004
190
0
166
I have done the things in these threads and others. However, I still fail on these 3 things.

Port: tcp/21
Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32


Evidence:
Cipher Suite: TLSv1_1 : ECDHE-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_1 : EDH-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_1 : DES-CBC3-SHA
Cipher Suite: TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_2 : EDH-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_2 : DES-CBC3-SHA


tcp/443
TLSv1.0 Supported


Evidence:
Cipher Suite: TLSv1 : ECDHE-RSA-AES256-SHA
Cipher Suite: TLSv1 : DHE-RSA-AES256-SHA
Cipher Suite: TLSv1 : AES256-SHA
Cipher Suite: TLSv1 : ECDHE-RSA-AES128-SHA
Cipher Suite: TLSv1 : DHE-RSA-AES128-SHA
Cipher Suite: TLSv1 : AES128-SHA

tcp/21
SSL/TLS Weak Encryption Algorithms


Evidence:
Cipher Suite: TLSv1_1 : ECDHE-RSA-RC4-SHA
Cipher Suite: TLSv1_1 : RC4-SHA
Cipher Suite: TLSv1_1 : RC4-MD5
Cipher Suite: TLSv1_2 : ECDHE-RSA-RC4-SHA
Cipher Suite: TLSv1_2 : RC4-SHA
Cipher Suite: TLSv1_2 : RC4-MD5
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,250
463
Hello,

For port 21, this is related to a bug with Pure-FTPd. We have an internal case open to address the issue, and will update the associated forums thread once it's published:

Pure-FTPd Cipher Settings

Regarding port 443, could you let us know what cipher settings have you configured for Apache?

Thank you.
 

eglwolf

Well-Known Member
Jan 1, 2004
190
0
166
Here are the apache cipher settings:

SSL Cipher Suite
GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS

SSL/TLS Protocal: All -SSLv2 -SSLv3
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,250
463
SSL/TLS Protocal: All -SSLv2 -SSLv3
Hello,

You'd need to change this to the following if you want to disable TLS v1.0:

Code:
All -SSLv2 -SSLv3 -TLSv1
Thank you.
 

eglwolf

Well-Known Member
Jan 1, 2004
190
0
166
So the last thing outstanding is the following:

Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32
tcp/2087/2083

Evidence:

Cipher Suite: TLSv1_1 : ECDHE-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_1 : EDH-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_1 : DES-CBC3-SHA
Cipher Suite: TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_2 : EDH-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_2 : DES-CBC3-SHA
 

eglwolf

Well-Known Member
Jan 1, 2004
190
0
166
I'll try but I am running:
  • CENTOS 7.3 x86_64 vmware – localhost
  • WHM 62.0 (build 16)