PCI Compliance Scanning and Software Versions

Overview

Most PCI compliance scanning systems flag a software package based solely on its version number, comparing it against the version in which a reported vulnerability was fixed. However, many operating systems use backporting to update the software packages they distribute rather than shipping a whole new upstream version. Backporting allows the operating system vendor to change only the parts of the software affected by the security vulnerability without introducing new features that have not yet been tested. In backporting, the upstream version number is not incremented; instead, the package's release number is incremented.

For example: OpenSSL 0.9.7c may be updated with a backport to OpenSSL 0.9.7c-2 rather than fully updating to OpenSSL 0.9.7d. Most PCI scanning systems look only for 0.9.7d or higher and therefore incorrectly report 0.9.7c-2 as vulnerable. In this case, the PCI compliance company should be informed that you are using a backported version of the software package which has been patched for the vulnerability. Once properly informed, they can record your software version and mark the finding as a false positive in the scan results. Below, we discuss some specific software packages and how to determine whether vulnerabilities have been patched by backporting.

OpenSSL

First, it is important to note that OpenSSL is used by a number of different system services and packages. You should only replace your OpenSSL installation as a last resort.

In order to determine which OpenSSL package is installed on your system, run the following command:

rpm -qa | grep openssl

The output should resemble the following:

root@myserver:/# rpm -qa | grep openssl
openssl-devel-0.9.8b-10.el5
openssl-0.9.8b-10.el5

This means that your currently installed OpenSSL package is openssl-0.9.8b-10 (release 10 of upstream version 0.9.8b).

Now, you can check the RPM change log to see if the vulnerability fix was included in that version:

root@myserver:/# rpm --changelog -q openssl-0.9.8b-10.el5 | less

In this case, the change log shows that release 0.9.8b-9 fixed three CVEs. Compare these against the CVEs that your PCI compliance scanning company reported as needing to be fixed.

You can now inform the PCI compliance scanning company of the patched version and which CVEs it reflects so they can mark this as a false positive.

mod_frontpage

Warning: We strongly recommend that you do not install FrontPage. If you wish to install FrontPage, you must install the Custom Module. Microsoft® discontinued support for FrontPage extensions on Linux servers in 2006. You should exercise caution if you install FrontPage extensions, as they have been known to cause security issues. We recommend that you publish content with a different method, such as FTP or WebDAV.

Many PCI scans will flag the Apache mod_frontpage module as vulnerable to a buffer overflow which may allow privilege escalation, including root access. This finding assumes a default Apache installation and does not apply to cPanel's environment. A typical scan may provide these results:

TCP 443 https 7

The remote host is using the Apache mod_frontpage module. mod_frontpage older than 1.6.1 is vulnerable to a buffer overflow which may allow an attacker to gain root access. Since we are not able to remotely determine the version of mod_frontpage you are running, you are advised to manually check which version you are running as this may be a false positive. If you want the remote server to be remotely secure, we advise you do not use this module at all.

Solution: Disable this module

Risk Factor: High

CVE : CVE-2002-0427

When using a cPanel-configured Apache, the fpexe FrontPage binary is configured differently than on a default installation.

Apache 2

With Apache 2.2.x compiled through EasyApache, fpexe is replaced by /scripts/fp-auth, which is never setuid root.

Apache 2 compiled through cPanel's EasyApache system does not leave a system vulnerable to the exploit noted in the CVE report. /scripts/fp-auth prevents the privilege escalation scenario from occurring.

Exim

cPanel & WHM creates patches for Exim to help make Exim PCI compliant. These patches are always recorded in the RPM change log.

Cipher Keys Adjustment

The PCI scan report lists which ciphers your server allows during an encrypted session. To adjust your cipher lists for PCI compliance, follow these steps:

For Exim:

  1. Log in to WHM as the root user.
  2. Select Service Configuration.
  3. Select Exim Configuration Manager.
  4. Select Advanced Editor.
  5. Go to the tls_require_ciphers box and add the following:
    ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2
  6. Click the Save button.

For POP/IMAP:

  1. Log in to WHM as the root user.
  2. Select Service Configuration.
  3. Select Mailserver Configuration.
  4. Enter the following in the SSL Cipher List box:
    ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
  5. Click the Save button.
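Before saving a cipher list like the two above, it helps to confirm that every weak class is explicitly excluded and that nothing in the string positively enables an obsolete cipher. The following POSIX shell function is an added example, not cPanel's own tooling: it parses the string itself (the classes it checks, SSLv2, anonymous DH, null encryption, export-grade and LOW, are the ones the strings above exclude) and flags any non-negated RC4 token, since RC4 is prohibited for TLS by RFC 7465. The authoritative way to see which suites a string actually expands to remains `openssl ciphers -v '<string>'`.

```shell
#!/bin/sh
# Added example (not cPanel's own tooling): audit an OpenSSL cipher string of the
# kind entered in tls_require_ciphers or the SSL Cipher List box. It checks that
# each weak class is explicitly excluded with a "!" keyword and flags tokens that
# positively enable RC4. It parses the string only; to see the exact suites a
# string expands to, run: openssl ciphers -v '<string>'

# audit_cipher_string SPEC -> prints one line per check, returns 1 on any failure
audit_cipher_string() {
    spec=$1
    status=0
    # Weak classes and the OpenSSL keywords that exclude each of them.
    for class in 'SSLv2' 'aNULL ADH' 'eNULL NULL' 'EXP EXPORT' 'LOW'; do
        found=0
        for kw in $class; do
            case ":$spec:" in *":!$kw:"*) found=1 ;; esac
        done
        if [ "$found" -eq 1 ]; then
            printf 'ok       excluded: %s\n' "$class"
        else
            printf 'MISSING  no "!" keyword for: %s\n' "$class"
            status=1
        fi
    done
    # Non-negated tokens that enable RC4 are flagged for review (RFC 7465).
    old_ifs=$IFS
    IFS=:
    for tok in $spec; do
        case $tok in
            !*) ;;   # an exclusion, already handled above
            *RC4*) printf 'REVIEW   token "%s" enables RC4\n' "$tok"; status=1 ;;
        esac
    done
    IFS=$old_ifs
    return $status
}

# The two cipher strings from the steps above.
EXIM_CIPHERS='ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2'
MAIL_CIPHERS='ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH'

echo "== Exim tls_require_ciphers"
audit_cipher_string "$EXIM_CIPHERS" || echo "-> review before sending this list to the scanner"
echo "== POP/IMAP SSL Cipher List"
audit_cipher_string "$MAIL_CIPHERS" || echo "-> review before sending this list to the scanner"
```

Run as-is, the Exim string passes every exclusion check but is flagged for its RC4+RSA token; the POP/IMAP string passes cleanly. Treat a REVIEW line as a prompt to compare the expanded suite list from `openssl ciphers -v` against what your scanning company currently accepts.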

Simple Mail Transfer Protocol

PCI compliance requires that email clients connect over an encrypted channel, which your email client provides as SSL or TLS. To require encryption for your SMTP transactions, follow these steps:
  1. Log in to WHM as the root user.
  2. Click Exim Configuration Manager.
  3. Enable the following option:
    Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server.
  4. Click the Save button.

Backported CVEs

To determine which CVEs are present, run the following command:
# rpm -q --changelog exim | grep CVE

The output should resemble the following:

# rpm -q --changelog exim | grep CVE
fix for CVEs CVE-2010-2024, CVE-2010-2023
Update CVE-2011-0017 patch to fix use of -C flag by unprivileged users.
CVE-2011-0017: Backport patch from EXIM 4.74 for arbitrary file overwrite bug.
CVE-2010-4344: Apply string_format buffer overflow patch
CVE-2010-4345: Compile with ALT_CONFIG_PREFIX=/etc/exim
CVE-2010-4345: Compile with ALT_CONFIG_PREFIX=/etc

The output lists the CVEs that the package's patches address. Send the output that reflects the patched software to the PCI scanning company.
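The OpenSSL and Exim sections above both come down to the same check: read the RPM change log, list the CVEs it records, and confirm that the CVEs the scanner flagged are among them. The following POSIX shell script is an added example, not part of cPanel's documentation or tooling; in real use the change log is piped in from `rpm -q --changelog <package>`, while here a constructed sample log (not a real package's history) is embedded so it runs offline.

```shell
#!/bin/sh
# Added example (not cPanel's own tooling): summarise which CVEs an RPM change
# log says were fixed, and check the CVEs a PCI scanner flagged against it.
# Real usage pipes the change log in, for example:
#   rpm -q --changelog openssl | check_changelog_cves CVE-2010-4344
#   rpm -q --changelog exim    | list_changelog_cves
# SAMPLE_LOG below is constructed for offline demonstration.

# Print every distinct CVE identifier mentioned in the change log (stdin).
list_changelog_cves() {
    grep -Eo 'CVE-[0-9]{4}-[0-9]+' | sort -u
}

# For each CVE given as an argument, report whether the change log (stdin)
# mentions it. Prints PATCHED/MISSING per CVE; returns 1 if any are missing.
check_changelog_cves() {
    log=$(cat)
    missing=0
    for cve in "$@"; do
        # -F: literal match; -w: whole word, so CVE-2010-434 cannot match CVE-2010-4344
        if printf '%s\n' "$log" | grep -Fqw -- "$cve"; then
            printf 'PATCHED  %s\n' "$cve"
        else
            printf 'MISSING  %s\n' "$cve"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample in the layout rpm --changelog prints (not a real package log).
SAMPLE_LOG='* Tue Jan 11 2011 Example Packager <packager@example.com> - 4.63-5
- CVE-2011-0017: Backport patch from EXIM 4.74 for arbitrary file overwrite bug.
- CVE-2010-4344: Apply string_format buffer overflow patch
* Mon Jun 14 2010 Example Packager <packager@example.com> - 4.63-4
- fix for CVEs CVE-2010-2024, CVE-2010-2023'

echo "CVEs recorded in the sample change log:"
printf '%s\n' "$SAMPLE_LOG" | list_changelog_cves
echo
echo "Scanner findings checked against the sample change log:"
printf '%s\n' "$SAMPLE_LOG" | check_changelog_cves CVE-2010-4344 CVE-2011-0017 CVE-2010-4345 \
    || echo "-> at least one flagged CVE is not covered by a backported fix; investigate before replying to the scanner"
```

The PATCHED lines, together with the matching change log entries, are exactly what the scanning company needs in order to record a false positive; a MISSING line means the backport does not cover that finding and the package itself needs attention.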

Bind

Although cPanel & WHM does not develop BIND, BIND is installed on all cPanel servers by default. Vendor updates will typically resolve PCI compliance issues.

Bind CVE-2011-4313

The BIND change log does not mention CVE-2011-4313 directly. Instead, the fix is recorded under Red Hat bug #754398.

You can test for the presence of this fix with this command:
# rpm -q --changelog bind | grep 754398

Your output should look like this:
- fix DOS against recursive servers (#754398)

You should send the output which reflects the patched software to the PCI scanning company.

Hide the BIND version

To become PCI compliant, the BIND version on your server must be hidden.

To do this, follow these steps:

  1. SSH into the server and become the root user.
  2. Edit /etc/named.conf and add this to the options section:
    version "";
  3. Restart named:
    # /scripts/restartsrv_named

You should rescan your server with your account on the PCI company's website.

Hide the DNS server hostname

To become PCI compliant, your DNS server’s hostname must be hidden.

To do this, follow these steps:

  1. SSH into the server and become the root user.
  2. Edit /etc/named.conf and add this to the "options" section:
    hostname "";
  3. Restart named:
    # /scripts/restartsrv_named

You should rescan your server with your account on the PCI company's website.
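Both of the named.conf edits above belong inside the options block, and a scan will keep reporting the server until both are in place. The following POSIX shell check is an added example, not cPanel's tooling: it isolates the options { ... } block with awk and confirms that version and hostname are each set there, so you can verify the edits before asking for a rescan. It writes two constructed named.conf samples (before and after the edits, not copies of any real server's file) to a temporary directory to demonstrate itself; on a server you would point it at /etc/named.conf.

```shell
#!/bin/sh
# Added example (not cPanel's own tooling): verify that the "version" and
# "hostname" directives are set inside the options { ... } block of a
# named.conf, i.e. that both edits above were applied, before requesting a
# rescan. Real usage: check_named_options /etc/named.conf

# check_named_options FILE -> one line per directive, returns 1 if any is missing
check_named_options() {
    conf=$1
    status=0
    # Keep only the options { ... } block; brace counting tolerates nested
    # sub-blocks such as allow-query { any; }; on a single line.
    opts=$(awk '
        /^[[:space:]]*options[[:space:]]*[{]/ { inblk = 1 }
        inblk {
            print
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth <= 0) inblk = 0
        }' "$conf")
    for directive in version hostname; do
        # Matches e.g.:    version "";   but not a commented-out // version "";
        if printf '%s\n' "$opts" | grep -Eq "^[[:space:]]*$directive[[:space:]]+\"[^\"]*\"[[:space:]]*;"; then
            printf 'ok       %s is set in options\n' "$directive"
        else
            printf 'MISSING  %s not set in options (add: %s "";)\n' "$directive" "$directive"
            status=1
        fi
    done
    return $status
}

# Write two constructed named.conf samples into DIR: one before the edits and
# one after them. These are illustrative, not copies of a cPanel server's file.
make_sample_confs() {
    dir=$1
    cat > "$dir/named.conf.before" <<'EOF'
options {
    directory "/var/named";
    allow-query { any; };
};
zone "example.com" { type master; file "example.com.db"; };
EOF
    cat > "$dir/named.conf.after" <<'EOF'
options {
    directory "/var/named";
    allow-query { any; };
    version "";
    hostname "";
};
zone "example.com" { type master; file "example.com.db"; };
EOF
}

demo_dir=$(mktemp -d)
make_sample_confs "$demo_dir"
for f in named.conf.before named.conf.after; do
    echo "== $f"
    check_named_options "$demo_dir/$f" || echo "-> $f would still disclose server details to a scanner"
done
rm -rf "$demo_dir"
```

A directive placed outside the options block, or left commented out, is reported as MISSING, which is the usual reason a rescan still flags the version or hostname after the file was "edited".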

Mailman

Mailman can be completely disabled when you scan for PCI Compliance.

To disable Mailman:

  1. Log in to WHM as the root user.
  2. Select Server Configuration.
  3. Select Tweak Settings.
  4. Select Mail.
  5. Go to Enable Mailman mailing lists.
  6. Select Off.
  7. Click the Save button.

To pass a PCI scan without disabling Mailman:

  1. SSH to the server as the root user and create the following file:
    /usr/local/cpanel/3rdparty/mailman/cgi-bin/.htaccess

    The contents of the file should look like this:
     <Limit GET POST>
     order deny,allow
     deny from all
     </Limit>

     <Limit PUT DELETE>
     order deny,allow
     deny from all
     </Limit>

This will deny web requests for Mailman. After you finish these steps, rescan your server with your account on the PCI company's website.

Topic revision: r10 - 10 Feb 2014 - 20:51:30 - Main.ShavaunTesareski