Most PCI compliance scanners decide whether a software package is vulnerable from its reported version number. Many operating systems, however, use backporting to update the packages they distribute rather than shipping a whole new upstream version. Backporting lets the vendor change only the code affected by the security vulnerability without introducing new, untested features. With backporting the upstream version number is not incremented; instead the distribution's package release number is bumped. For example, OpenSSL 0.9.7c may be updated to package release 0.9.7c-2 rather than upgraded to OpenSSL 0.9.7d.
Most PCI scanners look only for 0.9.7d or later and therefore incorrectly report 0.9.7c-2 as vulnerable. In this case, tell the PCI scanning vendor that you are running a backported package that already contains the fix, and be prepared to show the evidence (the package's changelog entry for the CVE). Once properly informed, they can record your package version and mark the finding as a false positive in the scan results. Below we discuss some specific packages and how to determine whether a vulnerability has been fixed by backporting.
OpenSSL
First, note that OpenSSL is used by a number of different system services and packages, so you should replace your OpenSSL installation only as a last resort.
To determine which OpenSSL package is installed on your system, run the following command:
rpm -qa | grep openssl
You'll likely see output like this:
root@myserver:/# rpm -qa | grep openssl
openssl-devel-0.9.8b-10.el5
openssl-0.9.8b-10.el5
This means that your currently installed OpenSSL package is version 0.9.8b, release 10.el5. The "-10" is the RPM release number, which is the part that changes when a backported fix is applied:
openssl-0.9.8b-10.el5
Now check the RPM changelog to see whether the fix for the CVE in question is recorded in that release (each release is cumulative, so a fix listed under an earlier release such as 0.9.8b-9 is also present in 0.9.8b-10):
root@myserver:/# rpm --changelog -q openssl-0.9.8b-10.el5 | less
* Tue Jan 15 2008 Tomas Mraz
In this example, the changelog entry for 0.9.8b-9 lists three CVE identifiers as fixed; compare those against the CVEs your PCI scanning vendor wants addressed. If the CVE does not appear anywhere in the changelog, the finding is not a false positive and the package needs to be updated.
You can now inform the PCI scanning vendor of the installed package release and the CVEs its changelog shows as fixed so they can mark the finding as a false positive.
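As an added example (not cPanel's code and not part of the original article), the following POSIX shell script automates the check just described: it splits an RPM name-version-release string into its parts, searches changelog text for a CVE identifier, and reports the release in which the fix was recorded. The live wrapper assumes an RPM-based host with `rpm` on the PATH; the sample changelog, packager name and CVE numbers are constructed placeholders, not the real OpenSSL changelog.

```shell
#!/bin/sh
# Added example, not cPanel's own code: the backport check above, scripted.
# It answers "does the installed RPM's changelog record a fix for CVE X?",
# which is the evidence to hand the PCI scanning vendor.

# Split an RPM name-version-release string such as openssl-0.9.8b-10.el5.
# Release is everything after the last '-'; version sits between the last two.
# The package name may itself contain '-' (openssl-devel), so cut from the right.
nvr_version() {
    nv=${1%-*}                  # openssl-0.9.8b-10.el5 -> openssl-0.9.8b
    printf '%s\n' "${nv##*-}"   # -> 0.9.8b
}
nvr_release() {
    printf '%s\n' "${1##*-}"    # -> 10.el5  (backported fixes bump this part)
}

# Read `rpm -q --changelog` text on stdin. Each entry starts with a
# "* <date> <packager> <version-release>" header. Print the header of the
# newest entry that mentions the CVE and return 0; return 1 if no entry does.
changelog_entry_fixing_cve() {
    awk -v cve="$1" '
        /^\* /                          { header = $0 }
        index($0, cve) && header != ""  { print header; found = 1; exit }
        END                             { if (found) exit 0; exit 1 }
    '
}

# Live check on an RPM-based host: confirm the package is installed, then
# search its changelog. Returns 2 if the package is not installed at all.
installed_fix_for_cve() {
    pkg=$1; cve=$2
    rpm -q "$pkg" >/dev/null 2>&1 || { echo "$pkg: not installed" >&2; return 2; }
    rpm -q --changelog "$pkg" | changelog_entry_fixing_cve "$cve"
}

# Constructed sample in the format rpm prints. The packager and the CVE
# numbers are placeholders, not the real OpenSSL changelog.
SAMPLE_CHANGELOG='* Tue Jan 15 2008 Example Packager <packager@example.com> 0.9.8b-10
- rebuild with updated build flags
* Tue Jan 08 2008 Example Packager <packager@example.com> 0.9.8b-9
- fix CVE-0000-0001 (placeholder): remote crash in handshake parsing
- fix CVE-0000-0002 (placeholder): out-of-bounds read
* Mon Nov 19 2007 Example Packager <packager@example.com> 0.9.8b-8
- initial backport of upstream fixes
'

# Usage on a real host:   installed_fix_for_cve openssl CVE-YYYY-NNNN
# Offline, against the sample (prints the 0.9.8b-9 header):
#   printf '%s' "$SAMPLE_CHANGELOG" | changelog_entry_fixing_cve CVE-0000-0001
```

The header line the script prints is exactly what the scanning vendor needs: the package release that carried the fix and the date it was built. A non-zero exit means the changelog never mentions the CVE, in which case treat the scan finding as real.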
mod_frontpage
Many PCI scans flag the Apache mod_frontpage module as vulnerable to a buffer overflow that may allow privilege escalation up to root. This finding, however, is based on a default Apache installation and does not apply in cPanel's environment. A typical scan may report:
TCP 443 https 7
The remote host is using the Apache mod_frontpage module. mod_frontpage older than 1.6.1 is vulnerable to a buffer overflow which may allow an attacker to gain root access. Since we are not able to remotely determine the version of mod_frontpage you are running, you are advised to manually check which version you are running as this may be a false positive. If you want the remote server to be remotely secure, we advise you do not use this module at all.
Solution: Disable this module
Risk Factor: High
CVE : CVE-2002-0427
With a cPanel-configured Apache, fpexe is set up differently from a default installation:
Apache 2
With Apache 2.x (including 2.2.x) compiled through EasyApache, fpexe is replaced by /scripts/fp-auth, which is never set-user-ID root.
Apache 1
With Apache 1.3.x compiled through EasyApache, fpexe is custom built from the shar files /scripts/fetchfpexec, /scripts/fpexec3 and /scripts/fp3. The resulting fpexec binary is set-user-ID only when Apache's suexec functionality is disabled, and even then it does not execute the FrontPage binaries directly: it hands the work off to /scripts/fp-auth, which performs additional access checks.
In short, neither Apache 1 nor Apache 2 compiled through cPanel's EasyApache leaves the system exposed to the privilege escalation described in CVE-2002-0427, because /scripts/fp-auth prevents that scenario from occurring. Since the scanner cannot determine the module version remotely, confirm on the host that fp-auth is not set-user-ID root and then report the finding to the scanning vendor as a false positive.
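As an added example (not cPanel's code and not from the original article), the following POSIX shell script performs the host-side check behind that argument: for each helper path it reports whether the file is missing, set-user-ID root, set-user-ID but owned by another user, or not set-user-ID at all. The /scripts/fp-auth path comes from the text above; the location of the fpexec binary EasyApache builds for Apache 1.3 is not given on this page, so pass whatever path your httpd.conf references. Only `ls`, `cut` and `awk` are used, so it runs on any cPanel host.

```shell
#!/bin/sh
# Added example, not cPanel's own code: classify the FrontPage helper
# binaries by set-user-ID status, the property CVE-2002-0427 hinges on.

# True when the set-user-ID bit is on: the 4th character of the ls mode
# string is 's' (setuid + owner-exec) or 'S' (setuid without owner-exec).
is_setuid() {
    m=$(ls -ld "$1" | cut -c4)
    [ "$m" = "s" ] || [ "$m" = "S" ]
}

# Owner of a path, taken from the 3rd field of `ls -ld` output.
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# True when the file is both set-user-ID and owned by root, i.e. the
# combination that turns a buffer overflow in it into root access.
is_setuid_root() {
    is_setuid "$1" && [ "$(file_owner "$1")" = "root" ]
}

# Print one line per path: "<path> missing|setuid-root|setuid-nonroot|not-setuid".
classify_frontpage_helpers() {
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            printf '%s missing\n' "$p"
        elif is_setuid_root "$p"; then
            printf '%s setuid-root\n' "$p"
        elif is_setuid "$p"; then
            printf '%s setuid-nonroot\n' "$p"
        else
            printf '%s not-setuid\n' "$p"
        fi
    done
}

# Usage on a cPanel host (fp-auth path from the text; add the fpexec binary
# path from your httpd.conf if you run Apache 1.3):
#   classify_frontpage_helpers /scripts/fp-auth
```

A "setuid-root" line for /scripts/fp-auth would contradict the statement above and should be investigated before the finding is reported as a false positive; "not-setuid" or "setuid-nonroot" is the expected result.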
Note: We do recommend discontinuing the use of mod_frontpage based on compatibility and support. The module is no longer supported by any upstream development team and has reached end-of-life. While we will continue to support mod_frontpage as long as it is practical to do so, there are better publishing methods available. We recommend enabling WebDAV (cpdavd) for publishing as it provides enhanced security and stability and is an actively supported protocol.