PCI failure on cPanel ports
Hi
I've got this same issue on two servers.
Security Hole found on port/service "www (2096/tcp)"
Status: Fail (This must be resolved for your device to be compliant).
Plugin: "OpenSSL < 0.9.6e / 0.9.7b3 Multiple Remote Vulnerabilities"
Category: "Gain a shell remotely"
Priority: "Urgent"
Synopsis: The remote service uses a library that is affected by a buffer overflow vulnerability.
Description: The remote service seems to be using a version of OpenSSL that is older than 0.9.6e or 0.9.7-beta3. Such versions are affected by a buffer overflow that may allow an attacker to execute arbitrary commands on the remote host with the privileges of the application itself.
Risk factor:
CVE-2002-0655 - High / CVSS BASE SCORE :7.5 CVSS2#(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2002-0656 - High / CVSS BASE SCORE :7.5 CVSS2#(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2002-0657 - High / CVSS BASE SCORE :7.5 CVSS2#(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2000-0535 - Medium / CVSS BASE SCORE :5.0 CVSS2#(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVE-2001-1141 - Medium / CVSS BASE SCORE :5.0 CVSS2#(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-2002-0659 - Medium / CVSS BASE SCORE :5.0 CVSS2#(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Plugin output: Note that since safe checks are enabled, this check might be fooled by non-openssl implementations and produce a false positive. In doubt, re-execute the scan without the safe checks.
Hello :) Check to see if patches for those vulnerabilities have been backported to OpenSSL on your system. For example: rpm -q --changelog openssl | grep -B 1 CVE-2002-0655
Thank you.
Both my servers show no response:
# rpm -q --changelog openssl | grep -B 1 CVE-2002-0655
#
One is CentOS 6.5 x86_64 xenpv and the other Red Hat Enterprise 5.10 i686 standard.
The PCI failure you posted is different than the one in the other thread, so it's better handled separately.
"One is CentOS 6.5 x86_64 xenpv and the other Red Hat Enterprise 5.10 i686 standard."
Are you sure you receive the exact same failure description on both servers? What version of OpenSSL is installed on the CentOS 6 machine? Thank you.
CentOS 5 and 6 (or RHEL 5/6) should have backported RPMs that address any PCI breaking issues with OpenSSL. Your vendor is being a bit obnoxious flagging CVEs from 2002, seeing as the operating systems you're using are newer than the vulnerabilities. Clearly it's a false positive. I usually run yum updates to be safe, and dump the whole change log ( rpm -q --changelog openssl > textfile.txt ) and provide that text file to the PCI vendor along with the OS version and full RPM name. This works better than 95% of the time in my personal experience.
Both are giving the exact same errors.
Security Hole found on port/service "www (2096/tcp)"
Security Hole found on port/service "www (2087/tcp)"
Security Hole found on port/service "www (2083/tcp)"
Is there a way I can display the version being used on those ports? I've submitted one as a false positive on one of them to see.
Both servers are also showing the error below. There are a few more warnings similar to this with passes, but I suspect that they relate to the same fix.
Security Hole found on port/service "dns (53/udp)"
Status: Fail (This must be resolved for your device to be compliant).
Plugin: "ISC BIND 9 Zero-Length RDATA Section Denial of Service / Information Disclosure"
Category: "DNS"
Priority: "Urgent"
Synopsis: The remote name server may be affected by a denial of service / information disclosure vulnerability.
Description: According to its self-reported version number, the remote installation of BIND does not properly handle resource records with a zero-length RDATA section, which may lead to unexpected outcomes, such as crashes of the affected server, disclosure of portions of memory, corrupted zone data, or other problems. Note that Nessus has only relied on the version itself and has not attempted to determine whether or not the install is actually affected.
See also:
Risk factor: CVE-2012-1667 - High / CVSS BASE SCORE :8.5 CVSS2#(AV:N/AC:L/Au:N/C:P/I:N/A:C)
Plugin output:
Installed version : 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
Fixed version : 9.8.3-P1
Addition Information: CVE: CVE-2012-1667 BID : 53772 Other references : OSVDB:82609, CERT:381699
Solution: Upgrade to BIND 9.6-ESV-R7-P1 / 9.7.6-P1 / 9.8.3-P1 / 9.9.1-P1 or later.
I forgot to mention that the CentOS server has openssl-1.0.1e. I suspect that it's just not showing the OpenSSL version when they do the check. Could this be why it thinks it's an old version?
The PCI scanner is only looking at the version number. Please ensure you check to see if the CVE reports have been backported to the version of the package installed on your system. For example, with CVE-2012-1667, you can see a patch for it is already included:
# rpm -q --changelog bind | grep -B 1 CVE-2012-1667
* Mon Jun 04 2012 Adam Tkac 32:9.8.2-0.10.rc1
- fix CVE-2012-1667
Thank you.
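The changelog check recommended in this reply and the earlier one, as an added example that is not part of the thread: a small Python helper that parses `rpm -q --changelog` output and reports, for every CVE a version-only scanner flagged, the package version-release whose changelog entry mentions it. The changelog text is constructed to mirror the layout shown in the thread; `run_rpm_changelog` assumes `rpm` is on the PATH and is only needed for live use.

```python
"""Check whether scanner-flagged CVEs are covered by backported fixes
listed in an RPM changelog (rpm -q --changelog <package>)."""
import re
import subprocess

# Constructed sample in the layout rpm prints: a header line starting with
# '*' (date, packager, version-release), followed by '-' bullet lines.
SAMPLE_CHANGELOG = """\
* Mon Jun 04 2012 Adam Tkac <atkac@redhat.com> 32:9.8.2-0.10.rc1
- fix CVE-2012-1667 and CVE-2012-1033

* Thu Feb 16 2012 Adam Tkac <atkac@redhat.com> 32:9.8.2-0.9.rc1
- rebuild
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_changelog(text):
    """Yield (version_release, entry_lines) for each '*' header block."""
    header, lines = None, []
    for line in text.splitlines():
        if line.startswith("* "):
            if header is not None:
                yield header, lines
            # version-release is the last token of the header line
            header, lines = line.split()[-1], []
        elif header is not None:
            lines.append(line)
    if header is not None:
        yield header, lines


def find_backports(text, cves):
    """Map each CVE to the newest changelog entry mentioning it, or None."""
    covered = {cve: None for cve in cves}
    for version, lines in parse_changelog(text):
        mentioned = {m for line in lines for m in CVE_RE.findall(line)}
        for cve in mentioned & set(cves):
            if covered[cve] is None:  # entries are newest-first; keep first hit
                covered[cve] = version
    return covered


def run_rpm_changelog(package):
    """Fetch the live changelog from rpm (assumes rpm is installed)."""
    return subprocess.run(["rpm", "-q", "--changelog", package],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    wanted = ["CVE-2012-1667", "CVE-2012-1033", "CVE-2002-0655"]
    for cve, ver in find_backports(SAMPLE_CHANGELOG, wanted).items():
        print(f"{cve}: {'fixed in ' + ver if ver else 'not found in changelog'}")
```

A CVE reported as not found is not proof the system is vulnerable, only that the changelog does not mention it; a CVE that predates the package entirely (as with the 2002 OpenSSL issues here) will also come back empty.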
I get the following:
# rpm -q --changelog bind | grep -B 1 CVE-2012-1667
* Mon Jun 04 2012 Adam Tkac 30:9.3.6-20.P1.1
- fix CVE-2012-1667 and CVE-2012-1033
and
# rpm -q --changelog bind | grep -B 1 CVE-2012-1667
* Mon Jun 04 2012 Adam Tkac 32:9.8.2-0.10.rc1
- fix CVE-2012-1667
I'll submit them all as false positives.
Yes, the output shows patches have been backported for those vulnerabilities. Thank you.
Excellent. Thanks for your help.