Trustwave PCI Failed - 3 Issues
I have the following 3 failed notifications on a new server that I am trying to resolve. I believe that I have tried all the methods I have been able to find through other threads. Any help would be great.

- Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32, CVE-2016-2183
- TLSv1.0 Supported
- Reflected Cross-Site Scripting Vulnerability
The cross-site scripting, if valid, is likely an issue in the hosted application (website) itself. The report should have steps to reproduce that issue. Often those can be false positives, but you should have the web dev take a good look at it. For the other ones we would need to know what service/port number is associated with them in order to help.
The block cipher algorithm is on port tcp/21 and port tcp/443.

Evidence:
- Cipher Suite: TLSv1_1 : ECDHE-RSA-DES-CBC3-SHA
- Cipher Suite: TLSv1_1 : EDH-RSA-DES-CBC3-SHA
- Cipher Suite: TLSv1_1 : DES-CBC3-SHA
- Cipher Suite: TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA
- Cipher Suite: TLSv1_2 : EDH-RSA-DES-CBC3-SHA
- Cipher Suite: TLSv1_2 : DES-CBC3-SHA

TLSv1.0 Supported
Port: tcp/443
CVSSv2: AV:N/AC:L/Au:N/C:N/I:P/A:N
Service: apache:http_server

Evidence:
- Cipher Suite: TLSv1 : ECDHE-RSA-AES256-SHA
- Cipher Suite: TLSv1 : DHE-RSA-AES256-SHA
- Cipher Suite: TLSv1 : AES256-SHA
- Cipher Suite: TLSv1 : ECDHE-RSA-AES128-SHA
- Cipher Suite: TLSv1 : DHE-RSA-AES128-SHA
- Cipher Suite: TLSv1 : AES128-SHA
- Cipher Suite: TLSv1 : ECDHE-RSA-DES-CBC3-SHA
- Cipher Suite: TLSv1 : EDH-RSA-DES-CBC3-SHA
- Cipher Suite: TLSv1 : DES-CBC3-SHA
Hello,

For port 21, the following thread discusses this issue: Pure-FTPd Cipher Settings

For the remaining issues, this thread should help: I need to disable TLS v1.0

Thank you.
I have done the things in these threads and others. However, I still fail on these 3 things.

Port: tcp/21
Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32

Evidence:
- Cipher Suite: TLSv1_1 : ECDHE-RSA-DES-CBC3-SHA
- Cipher Suite: TLSv1_1 : EDH-RSA-DES-CBC3-SHA
- Cipher Suite: TLSv1_1 : DES-CBC3-SHA
- Cipher Suite: TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA
- Cipher Suite: TLSv1_2 : EDH-RSA-DES-CBC3-SHA
- Cipher Suite: TLSv1_2 : DES-CBC3-SHA

Port: tcp/443
TLSv1.0 Supported

Evidence:
- Cipher Suite: TLSv1 : ECDHE-RSA-AES256-SHA
- Cipher Suite: TLSv1 : DHE-RSA-AES256-SHA
- Cipher Suite: TLSv1 : AES256-SHA
- Cipher Suite: TLSv1 : ECDHE-RSA-AES128-SHA
- Cipher Suite: TLSv1 : DHE-RSA-AES128-SHA
- Cipher Suite: TLSv1 : AES128-SHA

Port: tcp/21
SSL/TLS Weak Encryption Algorithms

Evidence:
- Cipher Suite: TLSv1_1 : ECDHE-RSA-RC4-SHA
- Cipher Suite: TLSv1_1 : RC4-SHA
- Cipher Suite: TLSv1_1 : RC4-MD5
- Cipher Suite: TLSv1_2 : ECDHE-RSA-RC4-SHA
- Cipher Suite: TLSv1_2 : RC4-SHA
- Cipher Suite: TLSv1_2 : RC4-MD5
Hello,

For port 21, this is related to a bug with Pure-FTPd. We have an internal case open to address the issue, and will update the associated forums thread once it's published: Pure-FTPd Cipher Settings

Regarding port 443, could you let us know what cipher settings you have configured for Apache?

Thank you.
Here are the Apache cipher settings:

SSL Cipher Suite: GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS

SSL/TLS Protocol: All -SSLv2 -SSLv3
SSL/TLS Protocol: All -SSLv2 -SSLv3

Hello,

You'd need to change this to the following if you want to disable TLS v1.0: All -SSLv2 -SSLv3 -TLSv1

Thank you.
So the last thing outstanding is the following:

Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32
Port: tcp/2087, tcp/2083

Evidence:
- Cipher Suite: TLSv1_1 : ECDHE-RSA-DES-CBC3-SHA
- Cipher Suite: TLSv1_1 : EDH-RSA-DES-CBC3-SHA
- Cipher Suite: TLSv1_1 : DES-CBC3-SHA
- Cipher Suite: TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA
- Cipher Suite: TLSv1_2 : EDH-RSA-DES-CBC3-SHA
- Cipher Suite: TLSv1_2 : DES-CBC3-SHA
Hello,

Check to see if this thread helps for that report: SOLVED - PCI Scan Fails On Web Services Ports

Thank you.
I'll try, but I am running:

- CENTOS 7.3 x86_64 vmware (localhost)
- WHM 62.0 (build 16)
Here's the specific post with the ciphers used by the user in that thread: SOLVED - PCI Scan Fails On Web Services Ports

Thank you.
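The thread above repeats the same pattern several times: the scanner dumps "Cipher Suite: <protocol> : <name>" lines per port, and the reader has to work out which finding (Sweet32 for 3DES, weak encryption for RC4, TLSv1.0 Supported) each line maps to, then tighten the Apache cipher and protocol settings. The following script is an added example, not code from the thread, cPanel or Trustwave: it parses a constructed evidence sample in the scanner's format into findings per port, and shows how the OpenSSL-style `SSL Cipher Suite` string and the `SSL/TLS Protocol` value posted above would be hardened (the `!3DES`, `!DES` and `!RC4` exclusion keywords and the `-TLSv1` token are standard OpenSSL and Apache syntax).

```python
import re

# Constructed sample in the scanner's evidence format (modelled on the thread; not real scan output).
SCAN_EVIDENCE = """\
Port: tcp/443
Cipher Suite: TLSv1 : ECDHE-RSA-AES256-SHA
Cipher Suite: TLSv1 : AES128-SHA
Cipher Suite: TLSv1_2 : ECDHE-RSA-AES256-GCM-SHA384
Port: tcp/2087
Cipher Suite: TLSv1_1 : DES-CBC3-SHA
Cipher Suite: TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_2 : RC4-SHA
"""

PORT_RE = re.compile(r"Port:\s*tcp/(\d+)")
SUITE_RE = re.compile(r"Cipher Suite:\s*(TLSv\d(?:_\d)?)\s*:\s*(\S+)")

def classify(protocol, suite):
    """Return the scanner finding names one offered (protocol, suite) pair triggers."""
    findings = []
    if "DES-CBC3" in suite or suite.startswith("DES-"):   # 64-bit block ciphers (3DES/DES)
        findings.append("Sweet32 (3DES/DES)")
    if "RC4" in suite:
        findings.append("Weak encryption (RC4)")
    if protocol == "TLSv1":                                # bare TLSv1 == TLS 1.0
        findings.append("TLSv1.0 Supported")
    return findings

def parse_evidence(text):
    """Map port -> sorted list of distinct findings from the flattened scanner output."""
    findings, port = {}, None
    for line in text.splitlines():
        m = PORT_RE.search(line)
        if m:
            port = int(m.group(1))
            findings.setdefault(port, set())
            continue
        m = SUITE_RE.search(line)
        if m and port is not None:
            findings[port].update(classify(m.group(1), m.group(2)))
    return {p: sorted(f) for p, f in findings.items()}

def harden_cipher_suite(cipher_string):
    """Append explicit exclusions so 3DES/DES/RC4 can never be negotiated, whatever
    aliases earlier in the string expand to (OpenSSL '!' keywords are permanent removals)."""
    parts = [p for p in cipher_string.split(":") if p not in ("!3DES", "!DES", "!RC4")]
    return ":".join(parts + ["!3DES", "!DES", "!RC4"])

def harden_protocols(protocol_value):
    """Add -TLSv1 to an Apache SSLProtocol value such as 'All -SSLv2 -SSLv3'."""
    tokens = protocol_value.split()
    return " ".join(tokens if "-TLSv1" in tokens else tokens + ["-TLSv1"])
```

Note that tcp/2083 and tcp/2087 are served by cPanel/WHM's own daemon rather than Apache, so the Apache directives above do not affect those ports; that is why the last reply points at the web-services-ports thread.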