PCI Compliance Fail - Ports 2083, 2087 and 2096
I get errors in a PCI compliance scan.
"OpenSSL < 0.9.6e / 0.9.7b3 Multiple Remote Vulnerabilities"
This happens on ports 2083, 2087, 2096 but not on 22 and 443.
When I run...
rpm -q --changelog openssl | grep -B 1 CVE-2002-0656
... I get nothing. I get nothing for that one, and nothing for 2000-535, 2001-1141, 2002-0655, 2002-0656, 2002-0657 and 2002-0659 either.
An openssl version check gives me this...
# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
Some OS Info
2.6.32-042stab090.3 #1 SMP Fri Jun 6 09:35:21 MSK 2014 x86_64 x86_64 x86_64 GNU/Linux
WHM version 11.44.1
So is this a false positive? Is there something I need to do to fix those ports? I just want to make sure I do this right before I submit a false positive report. I had received a similar warning for bind, but I checked and bind comes back as patched, so that one is OK.
-
It's got to be a false positive, those CVEs are ancient.
-
Hello :) Yes, it does look like a false positive. What PCI scanning tool did you use? Thank you.
-
cPanelMichael wrote (post 1704102): Hello :) Yes, it does look like a false positive. What PCI scanning tool did you use? Thank you.
403 Labs was used. Can you recommend another service I can use for verification purposes?
-
What OS version are you running? Or the full RPM name for your OpenSSL version? Also, in your first post it seems you might be checking OpenSSH instead of OpenSSL. Make sure you're checking the right changelog.
-
quizknows wrote (post 1704602): What OS version are you running? Or the full RPM name for your OpenSSL version? Also, in your first post it seems you might be checking OpenSSH instead of OpenSSL. Make sure you're checking the right changelog.
I checked ssh, but the response included OpenSSL info.
# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
I believe the server runs CentOS 6. Here is everything on the OpenSSL RPM.
# rpm -qi openssl
Name        : openssl
Relocations : (not relocatable)
Version     : 1.0.1e
Vendor      : CentOS
Release     : 16.el6_5.14
Build Date  : Thu 05 Jun 2014 08:59:14 AM EDT
Install Date: Fri 06 Jun 2014 12:16:37 AM EDT
Build Host  : c6b8.bsys.dev.centos.org
Group       : System Environment/Libraries
Source RPM  : openssl-1.0.1e-16.el6_5.14.src.rpm
Size        : 4209656
License     : OpenSSL
Signature   : RSA/SHA1, Thu 05 Jun 2014 09:02:17 AM EDT, Key ID 0946fca2c105b9de
Packager    : CentOS BuildSystem
URL         : http://www.openssl.org/
Summary     : A general purpose cryptography library with TLS implementation
Description :
The OpenSSL toolkit provides support for secure communications between machines. OpenSSL includes a certificate management tool and shared libraries which provide various cryptographic algorithms and protocols.
-
dhammerindy wrote (post 1704141): 403 Labs was used. Can you recommend another service I can use for verification purposes?
Comodo and TrustGuard are common vendors used in the hosting industry for PCI scans. You may also find the following documents helpful: "PCI Scanning" and "PCI Troubleshooting". Thank you.