PCI Scan Fails On Web Services Ports

Comments

22 comments

  • SJR
    As an additional note, I have ports 2082, 2083, 2086, 2087, 2095, and 2096 open in CSF. I understand these ports are used for:
    2082 cPanel
    2083 cPanel SSL
    2086 WHM
    2087 WHM SSL
    2095 Webmail
    2096 Webmail SSL
    So far I am not able to verify whether or not the non-secure ports (2082, 2086, 2095) can be closed in the firewall without causing any issues with cPanel. My thought is that maybe the PCI scanner is seeing something in the SSL ports that somehow has something to do with the non-secure ports. I will test and explore this further.
    0
  • SJR
    After doing a little research, it appears that it is OK to close the non-secure ports in CSF, so I have closed ports 2082, 2086, and 2095. I also removed a couple of other non-essential ports from the firewall, making sure all open ports are minimal and required. I followed these guidelines: How to Configure Your Firewall for cPanel Services - cPanel Knowledge Base - cPanel Documentation. I ran another PCI scan and it failed for exactly the same ciphers as before. I'm also running CentOS 7.3 with the latest version, 60.0.28. Not sure what to try next. :(
    0
  • SJR
    Next update... I changed my settings in WHM > Service Configuration > cPanel Web Services Configuration to:

    TLS/SSL Cipher List:
    ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!DES:!3DES:!RC4:!MD5:!RC4-SHA:!RC4-MD5
    (This is the same list as suggested in Security/Server Side TLS - MozillaWiki for 'Modern Compatibility', with the specific exclusions at the end.)

    TLS/SSL Protocols:
    SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1
    (I chose to exclude TLSv1_1 since I am the only one using the Web Services ports.)

    The next PCI scan showed these failing ciphers on the same 3 ports (TLSv1_2 is the only protocol not excluded from the protocol list):
    TLSv1_2 : RC4-SHA
    TLSv1_2 : RC4-MD5
    TLSv1_2 : DES-CBC3-SHA

    For the PCI failing cipher DES-CBC3-SHA, one of Trustwave's directions for remediation is: "If disabling 64 bit block ciphers is not possible, please limit the number of requests client can make in a single TLS session and / or the keep-alive timeout value. As stated before, successful attack requires huge amounts of data gathered in a single TLS session (without rekeying)."

    WHM > Service Configuration > Apache Configuration > Keep Alive > Off. Turning this setting off complies with Trustwave's directions above. I then disputed the cipher DES-CBC3-SHA, showing I had compensating controls in place, and it was approved.

    So, now I am down to just 2 PCI fails on the 3 ports, 2083, 2087, and 2096:
    TLSv1_2 : RC4-SHA
    TLSv1_2 : RC4-MD5

    Note: In a different area of the scan report it shows "Enumerated TLS/SSL Cipher Suites", and then shows a list of ciphers in which the failing two above are included.

    Unless I am mistaken, there must be some library or config file that has a list of ciphers available on these 3 ports, and 'excluding' the ciphers in the 'cPanel Web Services Configuration' list is not removing them from being seen as available ciphers on these ports. Still hoping someone has a solution...
    0
  • SJR
    Note: On this "Enumerated TLS/SSL Cipher Suites" list mentioned above from the scan, there are 13 ciphers listed. None of the 13 ciphers in this list are ciphers that are included in my cPanel Web Services Configuration > TLS/SSL Cipher List. However, when I log into any of the 3 services on the 3 ports that are failing on the PCI scan (2083 cPanel, 2087 WHM, 2096 Webmail), the cipher that is used in the connection is the 2nd cipher in the list of ciphers that I have entered in the TLS/SSL Cipher List. So again, unless I am mistaken, the scan is seeing 13 ciphers, two of which are causing the pci scan to fail. And these 13 ciphers are not in my entered cipher list. And, these 13 ciphers are apparently not being used in the actual connection, but they are somehow showing up as available on the scan. Where could these be coming from, and how do I turn them off or disable them? Help!
    0
  • cPanelMichael
    Hello, It looks like you've opened a support ticket for additional assistance with this issue. I'll update this thread with the outcome of the support ticket once the ticket closes. Thanks!
    0
  • cPanelMichael
    Hello, To update, internal case CPANEL-10758 was opened to address an issue where the initial implementation of SNI in cpsrvd overlooked the cipher list setting in WHM, which server administrators utilize for PCI compliance. I'll update this thread again once the resolution is published. Thanks!
    0
  • Serra
    Quoting cPanelMichael:
        Hello, To update, internal case CPANEL-10758 was opened to address an issue where the initial implementation of SNI in cpsrvd overlooked the cipher list setting in WHM, which server administrators utilize for PCI compliance. I'll update this thread again once the resolution is published. Thanks!

    Thank you.
    0
  • SJR
    Update: I have not yet seen case CPANEL-10758 in any changelog, but in cPanel version 62.0.5 I see this line: "Fixed case CPANEL-10796: Make cpsrvd's SNI obey the server's Web Services cipher list setting." As of January 30th, cPanel version 62 went to the RELEASE tier. After I upgraded my server to version 62.0.7, I ran a PCI scan and it passed on all 3 ports (2083 cPanel, 2087 WHM, 2096 Webmail). There are times that Trustwave's scan doesn't seem consistent, but I believe the problem is now fixed. I will confirm after a second scan runs.
    0
  • Serra
    Quoting SJR:
        Update: I have not yet seen case CPANEL-10758 in any changelog, but in cPanel version 62.0.5 I see this line: "Fixed case CPANEL-10796: Make cpsrvd's SNI obey the server's Web Services cipher list setting."

    Good. I've yet to get it. Should be in a day or so.
    0
  • cPanelMichael
    Quoting SJR:
        Update: I have not yet seen case CPANEL-10758 in any changelog, but in cPanel version 62.0.5 I see this line: "Fixed case CPANEL-10796: Make cpsrvd's SNI obey the server's Web Services cipher list setting." As of January 30th, cPanel version 62 went to the RELEASE tier. After I upgraded my server to version 62.0.7, I ran a PCI scan and it passed on all 3 ports (2083 cPanel, 2087 WHM, 2096 Webmail). There are times that Trustwave's scan doesn't seem consistent, but I believe the problem is now fixed. I will confirm after a second scan runs.

    Hello, I'm happy to see the issue is now addressed. CPANEL-10796 is the case number for this resolution in cPanel version 62, whereas CPANEL-10758 is the case number for cPanel version 60 (not yet published). Both cases include the same resolution. Thank you.
    0
  • cPanelMichael
    Hello, The resolution for cPanel version 60 is now published as part of cPanel version 60.0.36: "Fixed case CPANEL-10758: Make cpsrvd's SNI obey the server's Web Services cipher list setting." Thanks!
    0
  • eglwolf
    Trustwave still fails on these two issues each month:
    1) Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32
    2) SSL/TLS Weak Encryption Algorithms
    Both on port 21. I have done the things suggested in this post. cPanel version 64.0.24.
    TLS/SSL Cipher List is:
    ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!DES:!3DES:!RC4:!MD5:!RC4-SHA:!RC4-MD5
    TLS/SSL Protocols are:
    SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1
    0
  • Serra
    Try TLS/SSL Cipher: AES128+EECDH:AES128+EDH:!SSLv2:!SSLv3:!3DES
    0
  • eglwolf
    @Serra, I tried that and still failed. What else can I try?
    0
  • Serra
    Quoting eglwolf:
        @Serra, I tried that and still failed. What else can I try?

    Can you give me the exact fail message they are giving you? I'm wondering if I'm on the wrong track.
    0
  • eglwolf
    SSL/TLS Weak Encryption Algorithms
    The SSL-based service running on this host appears to support the use of "weak" ciphers such as:
    - Cipher suites that have key-lengths of less than 128 bits.
    - Cipher suites using anonymous Diffie-Hellman algorithms (no authentication).
    - Cipher suites offering no encryption.
    - Cipher suites using pre-shared keys.
    - Cipher suites using RC4 or MD5.
    Please note that this vulnerability CANNOT be disputed using a Risk Mitigation and Migration plan. This is a separate finding and must be treated as such.

    Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32
    This is a cipher vulnerability, not limited to any specific SSL/TLS software implementation. DES and Triple DES (3DES) block ciphers, with a block size of 64 bits, have a birthday bound of approximately 4 billion blocks (or 2 to the power of 32, hence the name of this vulnerability). A man-in-the-middle (MitM) attacker, who is able to capture a large amount of encrypted network traffic, can recover sensitive plain text data.
    NOTE: Cipher block size must not be confused with key length. DES / 3DES ciphers are vulnerable because they always operate on 64 bit blocks regardless of the key length. If this vulnerability is detected, and in the list of detected ciphers you see only entries with numbers different than 64 (e.g. TLSv1 112 bits ECDHE-RSA-DES-CBC3-SHA), the detection is still valid, because '112 bits' is the key length.
    0
  • Serra
    Does it say what ports?
    0
  • eglwolf
    Yes sorry. TCP Port 21
    0
  • Serra
    Just to be clear, you are putting that here: Home > Service Configuration > FTP Server Configuration, under the TLS Cipher Suite, and you are using Pure-FTPd?
    0
  • eglwolf
    Umm, no. I put it in cPanel Web Services Configuration > TLS/SSL Cipher List. So I will change the FTP one, and now what needs to go back into cPanel Web Services Configuration > TLS/SSL Cipher List?
    0
  • Serra
    ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!DES:!3DES:!RC4:!MD5:!RC4-SHA:!RC4-MD5
    Third time's a charm... I just couldn't give the right information!
    0
  • eglwolf
    That worked! Thanks.
    0
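Two things in this thread are easier to settle from the command line than from the WHM UI: what a cipher string like the one above actually enables once libssl parses it, and which suites a given port really accepts, tested without SNI and with SNI (the cpsrvd bug cPanelMichael describes), and behind FTP "AUTH TLS" for eglwolf's port 21. The script below is an added example written for this page; it is not code from the thread, from cPanel or from Trustwave. The host name, virtual-host name and port numbers in its usage section are assumptions, and the weak-suite rules are a name-based rendering of the criteria quoted in eglwolf's scan report.

```python
"""Added example, not code from the thread, cPanel or Trustwave.

  1. expand an OpenSSL cipher string exactly as libssl will, and flag anything an
     ASV scanner calls weak (RC4/MD5, 64-bit blocks, anon DH, NULL, PSK, export);
  2. probe a live port to see which suites it really accepts, without SNI and
     with SNI (cpsrvd's SNI contexts ignored the cipher list), and behind
     FTP 'AUTH TLS' for port 21.
Host names and ports in the usage section are assumptions, not the posters'.
"""
import re
import socket
import ssl
import sys

# The list SJR entered in WHM > Service Configuration > cPanel Web Services Configuration
WHM_CIPHER_LIST = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "!DES:!3DES:!RC4:!MD5:!RC4-SHA:!RC4-MD5"
)

# Trustwave's "weak" criteria from the thread, applied to OpenSSL suite names.
WEAK_RULES = [
    ("RC4 or MD5",             re.compile(r"RC4|MD5")),
    ("64-bit block (Sweet32)", re.compile(r"DES|IDEA|RC2")),  # DES, 3DES (DES-CBC3), IDEA, RC2
    ("anonymous DH",           re.compile(r"^A(EC)?DH-")),      # ADH-*, AECDH-*
    ("no encryption",          re.compile(r"NULL")),
    ("pre-shared key",         re.compile(r"PSK")),
    ("export / <128-bit key",  re.compile(r"^EXP")),
]


def weak_reasons(suite):
    """Return the reasons a scanner would reject this suite (empty list = fine)."""
    return [label for label, rx in WEAK_RULES if rx.search(suite)]


def expand_cipher_list(spec):
    """Resolve an OpenSSL cipher string to the TLS <= 1.2 suite names it yields on this
    host's libssl, the same way cpsrvd or Pure-FTPd would. TLS 1.3 suites are governed
    by a separate setting, so they are dropped here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def audit(suites):
    """Map each weak suite in an enumerated list (e.g. the scanner's
    'Enumerated TLS/SSL Cipher Suites') to the reasons it would fail."""
    return {s: weak_reasons(s) for s in suites if weak_reasons(s)}


def _ftp_auth_tls(sock):
    """Explicit FTPS (RFC 4217): read the banner, send AUTH TLS, require a 234 reply."""
    sock.recv(1024)
    sock.sendall(b"AUTH TLS\r\n")
    if not sock.recv(1024).startswith(b"234"):
        raise ConnectionError("server refused AUTH TLS")


def accepted_suites(host, port, candidates, sni=None, ftp=False, timeout=5.0):
    """Offer each candidate suite on its own; a completed handshake means the server
    accepts it. sni=None sends no server_name extension (the daemon's default context);
    sni='some.vhost' exercises the per-hostname context. Network access required."""
    accepted = []
    for suite in candidates:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE                # testing ciphers, not the certificate
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # cipher strings do not cover TLS 1.3
        try:
            ctx.set_ciphers(suite + ":@SECLEVEL=0")    # let libssl offer legacy suites
        except ssl.SSLError:
            continue                                   # this OpenSSL build lacks the suite
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                if ftp:
                    _ftp_auth_tls(raw)
                with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                    accepted.append(tls.cipher()[0])
        except (OSError, ssl.SSLError):
            pass                                       # handshake refused: suite not offered
    return accepted


if __name__ == "__main__":
    # Offline: what does the WHM string actually enable, and is any of it weak?
    enabled = expand_cipher_list(WHM_CIPHER_LIST)
    print("enabled:", ", ".join(enabled))
    print("weak in configured list:", audit(enabled) or "none")

    # Online (assumed host and vhost): python3 probe.py server.example.com www.example.com
    if len(sys.argv) == 3:
        host, vhost = sys.argv[1], sys.argv[2]
        legacy = ["RC4-SHA", "RC4-MD5", "DES-CBC3-SHA", "ECDHE-RSA-DES-CBC3-SHA"]
        for port in (2083, 2087, 2096):
            print(port, "no SNI:", accepted_suites(host, port, legacy))
            print(port, "SNI:   ", accepted_suites(host, port, legacy, sni=vhost))
        print(21, "AUTH TLS:", accepted_suites(host, 21, legacy, ftp=True))
```

If the SNI column lists a suite the no-SNI column does not, the daemon is building a separate context for that hostname and not applying the cipher list to it, which is what the scanner was seeing before CPANEL-10758/CPANEL-10796. A suite the local OpenSSL cannot offer (RC4 is absent from OpenSSL 3 without the legacy provider) is skipped rather than reported, so run the probe from a host whose libssl still has the legacy suites, or trust the scanner for those; on OpenSSL older than 1.1.0 drop the `@SECLEVEL=0` token.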