
PCI compliance report issues

Comments

2 comments

  • cPanelMichael
    Hello,

    1. As I understand, the "AllowChrootSymlinks" ProFTPd configuration option is enabled by default. The report referenced on the URL below notes a bug that applies to systems where "AllowChrootSymlinks" is turned off: CVE - CVE-2017-7418. Thus, by default, your server should not be affected by this bug. That said, I've opened internal case CPANEL-17794 to request an update to the ProFTPd version we distribute with cPanel. I'll monitor this case and update this thread with more information as it becomes available.

    2. cPanel does not distribute the OpenSSH package. It's provided by your OS (e.g. CentOS). You can update your system packages to the latest versions offered by your OS with the "yum update" command; however, it doesn't look like CentOS distributes OpenSSH 7.6 with the corresponding bug fix at this time: Bug 1506630 "CVE-2017-15906 openssh: Improper write operations in readonly mode allow for zero-length file creation". That said, note the analysis of this bug: "Analysis: It seems the maximum impact of this flaw is that the attacker can create an extremely large number of zero length files to fill up a harddisk on a remote server which the attacker has read-only access to."

    Additionally, it only applies to systems with SFTP configured in read-only mode, which isn't a default configuration. Thank you.
    0
  • cPanelMichael
    Hello, To update, the updated version of ProFTPd is included in cPanel version 70: Fixed case CPANEL-17794: Update proftpd to 1.3.6-1.cp1170. Thank you.
    0
