
Trustwave PCI Failed - 3 Issues

Comments

11 comments

  • quizknows
    The cross site scripting, if valid, is likely an issue in the hosted application (website) itself. The report should have steps to reproduce that issue. Often those can be false positives but you should have the web dev have a good look at it. The other ones we would need to know what service/port number is associated with them in order to help.
  • eglwolf
    The block cipher algorithm is on port tcp/21 and port tcp/443.
    Evidence:
      Cipher Suite: TLSv1_1 : ECDHE-RSA-DES-CBC3-SHA
      Cipher Suite: TLSv1_1 : EDH-RSA-DES-CBC3-SHA
      Cipher Suite: TLSv1_1 : DES-CBC3-SHA
      Cipher Suite: TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA
      Cipher Suite: TLSv1_2 : EDH-RSA-DES-CBC3-SHA
      Cipher Suite: TLSv1_2 : DES-CBC3-SHA
    TLSv1.0 Supported
    Port: tcp/443
    CVSSv2: AV:N/AC:L/Au:N/C:N/I:P/A:N
    Service: apache:http_server
    Evidence:
      Cipher Suite: TLSv1 : ECDHE-RSA-AES256-SHA
      Cipher Suite: TLSv1 : DHE-RSA-AES256-SHA
      Cipher Suite: TLSv1 : AES256-SHA
      Cipher Suite: TLSv1 : ECDHE-RSA-AES128-SHA
      Cipher Suite: TLSv1 : DHE-RSA-AES128-SHA
      Cipher Suite: TLSv1 : AES128-SHA
      Cipher Suite: TLSv1 : ECDHE-RSA-DES-CBC3-SHA
      Cipher Suite: TLSv1 : EDH-RSA-DES-CBC3-SHA
      Cipher Suite: TLSv1 : DES-CBC3-SHA
  • cPanelMichael
    Hello, for port 21, the following thread discusses this issue: "Pure-FTPd Cipher Settings". For the remaining issues, this thread should help: "I need to disable TLS v1.0". Thank you.
  • eglwolf
    I have done the things in these threads and others. However, I still fail on these 3 things.
    Port: tcp/21
    Block cipher algorithms with block size of 64 bits (like DES and 3DES), birthday attack known as Sweet32
    Evidence:
      Cipher Suite: TLSv1_1 : ECDHE-RSA-DES-CBC3-SHA
      Cipher Suite: TLSv1_1 : EDH-RSA-DES-CBC3-SHA
      Cipher Suite: TLSv1_1 : DES-CBC3-SHA
      Cipher Suite: TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA
      Cipher Suite: TLSv1_2 : EDH-RSA-DES-CBC3-SHA
      Cipher Suite: TLSv1_2 : DES-CBC3-SHA
    Port: tcp/443
    TLSv1.0 Supported
    Evidence:
      Cipher Suite: TLSv1 : ECDHE-RSA-AES256-SHA
      Cipher Suite: TLSv1 : DHE-RSA-AES256-SHA
      Cipher Suite: TLSv1 : AES256-SHA
      Cipher Suite: TLSv1 : ECDHE-RSA-AES128-SHA
      Cipher Suite: TLSv1 : DHE-RSA-AES128-SHA
      Cipher Suite: TLSv1 : AES128-SHA
    Port: tcp/21
    SSL/TLS Weak Encryption Algorithms
    Evidence:
      Cipher Suite: TLSv1_1 : ECDHE-RSA-RC4-SHA
      Cipher Suite: TLSv1_1 : RC4-SHA
      Cipher Suite: TLSv1_1 : RC4-MD5
      Cipher Suite: TLSv1_2 : ECDHE-RSA-RC4-SHA
      Cipher Suite: TLSv1_2 : RC4-SHA
      Cipher Suite: TLSv1_2 : RC4-MD5
  • cPanelMichael
    Hello, for port 21, this is related to a bug with Pure-FTPd. We have an internal case open to address the issue, and will update the associated forums thread once it's published: "Pure-FTPd Cipher Settings". Regarding port 443, could you let us know what cipher settings you have configured for Apache? Thank you.
  • eglwolf
    Here are the Apache cipher settings:
    SSL Cipher Suite: GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
    SSL/TLS Protocol: All -SSLv2 -SSLv3
  • cPanelMichael
    SSL/TLS Protocol: All -SSLv2 -SSLv3

    Hello, you'd need to change this to the following if you want to disable TLS v1.0:
    All -SSLv2 -SSLv3 -TLSv1
    Thank you.
  • eglwolf
    So the last thing outstanding is the following:
    Block cipher algorithms with block size of 64 bits (like DES and 3DES), birthday attack known as Sweet32
    Port: tcp/2087/2083
    Evidence:
      Cipher Suite: TLSv1_1 : ECDHE-RSA-DES-CBC3-SHA
      Cipher Suite: TLSv1_1 : EDH-RSA-DES-CBC3-SHA
      Cipher Suite: TLSv1_1 : DES-CBC3-SHA
      Cipher Suite: TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA
      Cipher Suite: TLSv1_2 : EDH-RSA-DES-CBC3-SHA
      Cipher Suite: TLSv1_2 : DES-CBC3-SHA
  • cPanelMichael
    Hello, check to see if this thread helps for that report: "SOLVED - PCI Scan Fails On Web Services Ports". Thank you.
  • eglwolf
    I'll try, but I am running:
      • CENTOS 7.3 x86_64 vmware localhost
      • WHM 62.0 (build 16)
  • cPanelMichael
    Here's the specific post with the ciphers used by the user in that thread: "SOLVED - PCI Scan Fails On Web Services Ports". Thank you.
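As an added illustration (not code from this thread, from cPanel, or from the scanner vendor), the Python checker below parses evidence lines in the format quoted throughout this thread, grouping each port's offered suites under the three finding types reported (Sweet32/3DES, RC4 weak ciphers, TLSv1.0 support), and adds a token-level screen of an OpenSSL cipher string such as the Apache one posted above. The sample evidence lines and the alias set are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the layout the scanner evidence in this thread uses:
# a port, then repeated "Cipher Suite: <protocol> : <suite>" entries.
SAMPLE_EVIDENCE = """
tcp/2087 Cipher Suite: TLSv1_1 : ECDHE-RSA-DES-CBC3-SHA Cipher Suite: TLSv1_2 : DES-CBC3-SHA
tcp/443 Cipher Suite: TLSv1 : ECDHE-RSA-AES256-SHA Cipher Suite: TLSv1_2 : ECDHE-RSA-AES128-GCM-SHA256
tcp/21 Cipher Suite: TLSv1_1 : RC4-SHA Cipher Suite: TLSv1_2 : RC4-MD5
"""

PORT_RE = re.compile(r"tcp/(\d+)")
SUITE_RE = re.compile(r"Cipher Suite:\s*(TLSv1(?:_\d)?)\s*:\s*([A-Z0-9-]+)")

# OpenSSL cipher-string aliases that can pull in 3DES suites (which of
# HIGH/MEDIUM contains 3DES depends on the OpenSSL version) unless excluded.
BROAD_ALIASES = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "3DES"}


def classify_suite(proto, suite):
    """Map one offered suite to the finding names the scan report uses."""
    findings = set()
    if "DES-CBC3" in suite:      # 64-bit block cipher: the Sweet32 finding
        findings.add("Sweet32")
    if "RC4" in suite:           # the "Weak Encryption Algorithms" finding
        findings.add("WeakCipher")
    if proto == "TLSv1":         # the "TLSv1.0 Supported" finding
        findings.add("TLSv1.0")
    return findings


def parse_evidence(text):
    """Return {port: {finding: [proto:suite, ...]}} from evidence lines."""
    report = defaultdict(lambda: defaultdict(list))
    for line in text.strip().splitlines():
        port_match = PORT_RE.search(line)
        if not port_match:
            continue             # a line with no port reference is ignored
        port = int(port_match.group(1))
        for proto, suite in SUITE_RE.findall(line):
            for finding in classify_suite(proto, suite):
                report[port][finding].append(f"{proto}:{suite}")
    return {port: dict(findings) for port, findings in report.items()}


def cipher_string_may_allow_3des(cipher_string):
    """Quick token-level screen: True when a token names a 3DES suite or a broad
    alias and no '!3DES' exclusion is present (exact resolution needs openssl)."""
    tokens = cipher_string.split(":")
    if "!3DES" in tokens:
        return False
    return any("DES-CBC3" in t or t in BROAD_ALIASES for t in tokens)
```

Run against the real report text, the per-port grouping makes it obvious which service (Pure-FTPd on 21, Apache on 443, the cPanel/WHM service ports 2083/2087) still offers the flagged suites after a config change.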
