The Community Forums

Interact with an entire community of cPanel & WHM users!

Trustwave PCI Failed - 3 Issues

Discussion in 'Security' started by eglwolf, Mar 9, 2017.

  1. eglwolf

    eglwolf Well-Known Member

    Joined:
    Jan 1, 2004
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    166
    I have the following 3 failed notifications on a new server that I am trying to resolve. I believe that I have tried all the methods I have been able to find through other threads. Any help would be great.

    • Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32, CVE-2016-2183
    • TLSv1.0 Supported
    • Reflected Cross-Site Scripting Vulnerability
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    982
    Likes Received:
    75
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    The cross site scripting, if valid, is likely an issue in the hosted application (website) itself. The report should have steps to reproduce that issue. Often those can be false positives but you should have the web dev have a good look at it. The other ones we would need to know what service/port number is associated with them in order to help.
     
  3. eglwolf

    eglwolf Well-Known Member

    The block cipher algorithm is on port tcp/21 and port tcp/443.
    Evidence:

    Cipher Suite: TLSv1_1 : ECDHE-RSA-DES-CBC3-SHA
    Cipher Suite: TLSv1_1 : EDH-RSA-DES-CBC3-SHA
    Cipher Suite: TLSv1_1 : DES-CBC3-SHA
    Cipher Suite: TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA
    Cipher Suite: TLSv1_2 : EDH-RSA-DES-CBC3-SHA
    Cipher Suite: TLSv1_2 : DES-CBC3-SHA


    TLSv1.0 Supported Port: tcp/443
    CVSSv2: AV:N/AC:L/Au:N/C:N/I:P/A:N
    Service: apache:http_server

    Evidence:

    Cipher Suite: TLSv1 : ECDHE-RSA-AES256-SHA
    Cipher Suite: TLSv1 : DHE-RSA-AES256-SHA
    Cipher Suite: TLSv1 : AES256-SHA
    Cipher Suite: TLSv1 : ECDHE-RSA-AES128-SHA
    Cipher Suite: TLSv1 : DHE-RSA-AES128-SHA
    Cipher Suite: TLSv1 : AES128-SHA
    Cipher Suite: TLSv1 : ECDHE-RSA-DES-CBC3-SHA
    Cipher Suite: TLSv1 : EDH-RSA-DES-CBC3-SHA
    Cipher Suite: TLSv1 : DES-CBC3-SHA
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,064
    Likes Received:
    1,287
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
  5. eglwolf

    eglwolf Well-Known Member

    I have done the things in these threads and others. However, I still fail on these 3 things.

    Port: tcp/21
    Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32


    Evidence:
    Cipher Suite: TLSv1_1 : ECDHE-RSA-DES-CBC3-SHA
    Cipher Suite: TLSv1_1 : EDH-RSA-DES-CBC3-SHA
    Cipher Suite: TLSv1_1 : DES-CBC3-SHA
    Cipher Suite: TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA
    Cipher Suite: TLSv1_2 : EDH-RSA-DES-CBC3-SHA
    Cipher Suite: TLSv1_2 : DES-CBC3-SHA


    tcp/443
    TLSv1.0 Supported


    Evidence:
    Cipher Suite: TLSv1 : ECDHE-RSA-AES256-SHA
    Cipher Suite: TLSv1 : DHE-RSA-AES256-SHA
    Cipher Suite: TLSv1 : AES256-SHA
    Cipher Suite: TLSv1 : ECDHE-RSA-AES128-SHA
    Cipher Suite: TLSv1 : DHE-RSA-AES128-SHA
    Cipher Suite: TLSv1 : AES128-SHA

    tcp/21
    SSL/TLS Weak Encryption Algorithms


    Evidence:
    Cipher Suite: TLSv1_1 : ECDHE-RSA-RC4-SHA
    Cipher Suite: TLSv1_1 : RC4-SHA
    Cipher Suite: TLSv1_1 : RC4-MD5
    Cipher Suite: TLSv1_2 : ECDHE-RSA-RC4-SHA
    Cipher Suite: TLSv1_2 : RC4-SHA
    Cipher Suite: TLSv1_2 : RC4-MD5
     
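As an added example (not part of this thread, and not Trustwave's or cPanel's code): the evidence lines quoted above all share one shape, `Cipher Suite: <protocol> : <OpenSSL suite name>`, grouped under a `tcp/NNN` port. The script below parses a constructed report in that format, tags each line as a deprecated protocol (TLS 1.0 is spelled `TLSv1`), a 64-bit-block suite (DES/3DES/IDEA, the Sweet32 targets), an RC4 suite or an MD5-MAC suite, and prints one remediation list per port. The sample report and the remediation wording are constructed for the example.

```python
"""Classify PCI-scanner TLS evidence lines (the "Cipher Suite: <proto> : <name>"
format quoted in this thread) per port and map each finding to a fix."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample, modelled on the report excerpts posted above; it is not
# output from Trustwave or from the poster's server.
SAMPLE_REPORT = """\
Port: tcp/21
Cipher Suite: TLSv1_1 : ECDHE-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_2 : DES-CBC3-SHA
Cipher Suite: TLSv1_2 : RC4-MD5
Port: tcp/443
Cipher Suite: TLSv1 : ECDHE-RSA-AES256-SHA
Cipher Suite: TLSv1_2 : ECDHE-RSA-AES256-GCM-SHA384
"""

PORT_RE = re.compile(r"^\s*(?:Port:\s*)?(tcp/\d+)\s*$")
SUITE_RE = re.compile(r"Cipher Suite:\s*(?P<proto>\S+)\s*:\s*(?P<suite>\S+)")

# OpenSSL names of suites whose cipher has a 64-bit block (DES, 3DES, IDEA):
# these are the Sweet32 (CVE-2016-2183) targets.
BLOCK64_RE = re.compile(r"DES-CBC3?-|IDEA-")

# The scanner spells TLS 1.0 as "TLSv1"; 1.1 and 1.2 appear as TLSv1_1 / TLSv1_2.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}

REMEDIATION = {
    "deprecated-protocol": "disable the protocol (Apache: SSLProtocol All -SSLv2 -SSLv3 -TLSv1)",
    "sweet32": "drop 64-bit-block suites (OpenSSL cipher list: append !3DES:!DES:!IDEA)",
    "rc4": "drop RC4 suites (OpenSSL cipher list: append !RC4)",
    "md5-mac": "drop MD5-MAC suites (OpenSSL cipher list: append !MD5)",
}


def classify(proto: str, suite: str) -> set[str]:
    """Return the set of finding tags that one evidence line triggers."""
    findings: set[str] = set()
    if proto in DEPRECATED_PROTOCOLS:
        findings.add("deprecated-protocol")
    if BLOCK64_RE.search(suite):
        findings.add("sweet32")
    if "RC4" in suite:
        findings.add("rc4")
    if suite.endswith("-MD5"):
        findings.add("md5-mac")
    return findings


def parse_report(text: str) -> dict[str, list[tuple[str, str, set[str]]]]:
    """Group evidence lines under the most recent 'tcp/NNN' port heading."""
    per_port: dict[str, list[tuple[str, str, set[str]]]] = defaultdict(list)
    port = "unknown"
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = m.group(1)
            continue
        m = SUITE_RE.search(line)
        if m:
            proto, suite = m.group("proto"), m.group("suite")
            per_port[port].append((proto, suite, classify(proto, suite)))
    return dict(per_port)


def summarize(text: str) -> dict[str, set[str]]:
    """Port -> union of findings, so each port gets one remediation list."""
    return {
        port: set().union(*(tags for _, _, tags in rows))
        for port, rows in parse_report(text).items()
    }


def remediation_plan(text: str) -> dict[str, list[str]]:
    """Port -> ordered list of fixes for the findings seen on that port."""
    return {
        port: [REMEDIATION[tag] for tag in sorted(tags)]
        for port, tags in summarize(text).items()
    }


if __name__ == "__main__":
    for port, steps in remediation_plan(SAMPLE_REPORT).items():
        print(port)
        for step in steps:
            print("  -", step)
```

Running it against the constructed sample gives tcp/21 three fixes (Sweet32, RC4, MD5 MAC) and tcp/443 one (TLS 1.0); the TLSv1_2 AES-GCM line on 443 triggers nothing, which is the state a clean rescan should show. Paste a real report's evidence block in place of `SAMPLE_REPORT` to get the same per-port breakdown.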
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    For port 21, this is related to a bug with Pure-FTPd. We have an internal case open to address the issue, and will update the associated forums thread once it's published:

    Pure-FTPd Cipher Settings

    Regarding port 443, could you let us know what cipher settings have you configured for Apache?

    Thank you.
     
  7. eglwolf

    eglwolf Well-Known Member

    Here are the apache cipher settings:

    SSL Cipher Suite
    GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS

    SSL/TLS Protocol: All -SSLv2 -SSLv3
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    You'd need to change this to the following if you want to disable TLS v1.0:

    Code:
    All -SSLv2 -SSLv3 -TLSv1

    Thank you.
     
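As an added example (not part of this thread, and not cPanel's or Apache's code): the two settings exchanged above are an Apache mod_ssl `SSLProtocol` value and an OpenSSL-style cipher list. The script below evaluates an `SSLProtocol` string the way mod_ssl reads it (`All` expands, `+X` adds, `-X` removes) and reports which enabled versions a PCI scan will flag, then hardens a cipher list by dropping explicit 3DES/DES/IDEA, RC4, MD5, NULL and export suites and appending the matching OpenSSL `!` exclusion keywords. The same list-hardening applies to any OpenSSL-backed service, so it covers the 3DES findings on the FTP and cPanel/WHM ports as well, although where each service stores its list is not covered here. Assumptions: `All` is taken as SSLv3 plus TLS 1.0/1.1/1.2 (TLS 1.3 exists only on newer builds and is left out), and the sample cipher list is constructed, not the one posted.

```python
"""Evaluate an Apache mod_ssl SSLProtocol value and harden an OpenSSL-style
SSLCipherSuite list against the findings in this thread."""
from __future__ import annotations

import re

# mod_ssl's "All" on an OpenSSL 1.0.1+ build: SSLv3 plus TLS 1.0/1.1/1.2.
# Assumption: TLSv1.3 is left out because it only exists on newer Apache/OpenSSL builds.
ALL_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

# Versions a PCI scanner will flag as "supported": SSLv2/SSLv3 and TLS 1.0.
FLAGGED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}


def enabled_protocols(directive: str) -> set[str]:
    """Apply SSLProtocol tokens left to right: 'All' expands, '+X' adds,
    '-X' removes, a bare name adds. SSLv2 is gone from Apache 2.4 regardless."""
    enabled: set[str] = set()
    for token in directive.split():
        if token.lower() == "all":
            enabled.update(ALL_PROTOCOLS)
        elif token.startswith("-"):
            enabled.discard(token[1:])
        elif token.startswith("+"):
            enabled.add(token[1:])
        else:
            enabled.add(token)
    enabled.discard("SSLv2")
    return enabled


def protocol_findings(directive: str) -> list[str]:
    """Sorted list of enabled versions the scan will report; empty means clean."""
    return sorted(p for p in enabled_protocols(directive) if p in FLAGGED_PROTOCOLS)


# Explicit suite names that must not survive: DES/3DES/IDEA (64-bit block, Sweet32),
# RC4, MD5 MACs, NULL and export-grade crypto.
WEAK_NAME_RE = re.compile(r"DES-CBC3?-|IDEA-|RC4|-MD5$|NULL|^EXP")

# OpenSSL keyword exclusions appended so the same classes cannot come back
# through an alias such as HIGH or ALL that appears earlier in the list.
EXCLUSIONS = ["!3DES", "!DES", "!IDEA", "!RC4", "!MD5", "!aNULL", "!eNULL", "!EXPORT"]


def harden_cipher_list(spec: str) -> str:
    """Drop weak explicit suites, keep the rest in their original order
    (order is the server's preference), dedupe, and append the exclusions."""
    kept: list[str] = []
    for entry in spec.split(":"):
        entry = entry.strip()
        if not entry or entry in kept:
            continue
        if not entry.startswith("!") and WEAK_NAME_RE.search(entry):
            continue  # explicit weak suite, e.g. ECDHE-RSA-DES-CBC3-SHA
        kept.append(entry)
    for exclusion in EXCLUSIONS:
        if exclusion not in kept:
            kept.append(exclusion)
    return ":".join(kept)


# Constructed example of a WHM-style list that still carries 3DES and RC4
# entries; it is not the list posted in this thread.
SAMPLE_SPEC = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:"
    "ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:RC4-SHA:AES128-SHA:!DSS"
)

if __name__ == "__main__":
    for directive in ("All -SSLv2 -SSLv3", "All -SSLv2 -SSLv3 -TLSv1"):
        print(f"SSLProtocol {directive} -> flagged: {protocol_findings(directive)}")
    print("hardened:", harden_cipher_list(SAMPLE_SPEC))
```

The name filter only sees explicit suite names; aliases such as `HIGH` are resolved inside OpenSSL, which is why the `!` keywords are appended rather than relied on alone. After changing either setting, restart Apache and check the live result rather than the config: `openssl ciphers -v '<list>'` shows what a list actually expands to on that OpenSSL build, and `openssl s_client -connect host:443 -tls1` or `openssl s_client -connect host:443 -cipher DES-CBC3-SHA` should fail to handshake once TLS 1.0 and 3DES are gone.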
  9. eglwolf

    eglwolf Well-Known Member

    So the last thing outstanding is the following:

    Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32
    tcp/2087/2083

    Evidence:

    Cipher Suite: TLSv1_1 : ECDHE-RSA-DES-CBC3-SHA
    Cipher Suite: TLSv1_1 : EDH-RSA-DES-CBC3-SHA
    Cipher Suite: TLSv1_1 : DES-CBC3-SHA
    Cipher Suite: TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA
    Cipher Suite: TLSv1_2 : EDH-RSA-DES-CBC3-SHA
    Cipher Suite: TLSv1_2 : DES-CBC3-SHA
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  11. eglwolf

    eglwolf Well-Known Member

    I'll try but I am running:
    • CENTOS 7.3 x86_64 vmware – localhost
    • WHM 62.0 (build 16)
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
