
Overview

Most PCI compliance scanning systems flag a vulnerability based on the version number of a software package that has a reported vulnerability. This document discusses some of the specific software packages that contain known vulnerabilities and explains how to determine whether the developers used the backporting process to patch a package.

What is backporting?

Backporting allows the operating system vendor to change only the parts of the software that the security vulnerability affects. In this way, it avoids the introduction of new features that the developers have not tested. This process does not increment the software's version number. Instead, the developers add a release suffix to the package name.

Operating system developers often backport updates in order to avoid the need to distribute a new version of the software package.

For example, an operating system developer may combine OpenSSL 0.9.7c with a patch from OpenSSL 0.9.7d to create OpenSSL 0.9.7c-2. Because most PCI scanning systems look for OpenSSL version 0.9.7d or higher, they may incorrectly report OpenSSL 0.9.7c-2 as vulnerable. In this case, you would inform the PCI compliance company that you use a backported version of the software package, which its developers patched for the vulnerability. After you inform them of this, they can record your software version and mark the finding as a false positive in the scan results.

OpenSSL

Warning:

You should only replace your OpenSSL installation as a last resort.

Many different system services and packages use OpenSSL. To check your OpenSSL installation for backporting, perform the following steps:

  1. Determine which OpenSSL package exists on your system. To do this, run the following command:

    rpm -qa | grep openssl

    Output that resembles the following example indicates that the version of your OpenSSL package is openssl-0.9.8e-36:

    openssl-0.9.8e-36.el5_11
    openssl-0.9.8e-36.el5_11
  2. To check the RPM change log for the vulnerability fixes that this version includes, run the following command (substitute the package name from step 1):

    rpm -q --changelog openssl-0.9.8e-36.el5_11 | less
  3. If the RPM change log includes fixes for the CVEs that your PCI compliance scanning company requires, inform them of the patched version and which CVEs it includes so that they can mark it as a false positive.

OpenSSH

The version of OpenSSH that is currently available via the default repositories is OpenSSH version 5.3.

To determine which OpenSSH package is installed on your system, run the following command:

rpm -qa | grep openssh

Output that resembles the following example indicates that the version of your OpenSSH package is openssh-5.3p1-94.el6:

openssh-clients-5.3p1-94.el6.i686
openssh-server-5.3p1-94.el6.i686
openssh-5.3p1-94.el6.i686

This version of OpenSSH may result in a PCI scan that returns the following two vulnerabilities:

  • OpenSSH J-PAKE Session Key Retrieval Vulnerability — This issue does not affect OpenSSH as shipped with Red Hat Enterprise Linux 4, 5, and 6. For more information, read CVE-2010-4478 on Red Hat's web site.
  • OpenSSH "child_set_env()" Security Bypass Issue — This issue has a low impact on security and does not pose a severe risk to most systems. Even though OpenSSH 6.6 addresses this issue, the Red Hat repositories do not yet contain this updated version. If you wish to update OpenSSH to the new version, you must install it manually.

    Warning:

    We strongly suggest that only a qualified system administrator replace your OpenSSH installation, and only as a last resort. Unless you have a qualified system administrator, do not update your OpenSSH installation. cPanel does not provide support for software that is not yet available in the repositories.

    For information on how to update your OpenSSH software, read this third-party tutorial at ptudor.

mod_frontpage

PCI scans may report the Apache mod_frontpage module as a vulnerability because of a buffer overflow that may allow privilege escalation, up to and including root access. The vulnerability exists in a default Apache installation, but not in cPanel's environment.

A typical scan returns results that resemble the following example:

TCP 443 https 7
The remote host is using the Apache mod_frontpage module. mod_frontpage older than 1.6.1 is vulnerable to a buffer overflow which may allow an attacker to gain root access. Since we are not able to remotely determine the version of mod_frontpage you are running, you are advised to manually check which version you are running as this may be a false positive. If you want the remote server to be remotely secure, we advise you do not use this module at all.
Solution: Disable this module
Risk Factor: High
CVE : CVE-2002-0427

Warning:

We strongly recommend that you do not install FrontPage. The module is no longer supported by any upstream development team and has reached End Of Life. We recommend that you publish content with a different method, such as FTP or WebDAV.

Exim

cPanel & WHM includes patches that help to make Exim PCI compliant. The RPM change log includes information about these patches.

Simple Mail Transfer Protocol

PCI compliance requires encryption between email clients and the server; email clients support SSL and TLS encryption for this purpose. To require encryption before SMTP authentication, perform the following steps as the root user:

  1. Navigate to WHM's Exim Configuration Manager interface (Home >> Service Configuration >> Exim Configuration Manager).
  2. Enable the Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server. option.
  3. Click Save.

Backported CVEs

To view the CVE-related fixes in your version of Exim, run the following command:

rpm -q --changelog exim | grep CVE


The output displays the CVE numbers that the change log references, for example:

fix for CVEs CVE-2010-2024, CVE-2010-2023
Update CVE-2011-0017 patch to fix use of -C flag by unprivileged users.
CVE-2011-0017: Backport patch from EXIM 4.74 for arbitrary file overwrite bug.
CVE-2010-4344: Apply string_format buffer overflow patch
CVE-2010-4345: Compile with ALT_CONFIG_PREFIX=/etc/exim
CVE-2010-4345: Compile with ALT_CONFIG_PREFIX=/etc


To report the CVE fixes that your Exim installation includes, send the output that reflects the patched software to the PCI scanning company.

Cipher Keys adjustment

Your PCI compliance scanning software reports which cipher suites it permits for encrypted connections. To adjust the cipher suites that each service offers so that it passes the scan, perform the steps in each of the sections below as the root user:

Note:

The PCI compliance scanning software that you use may cause the results of a scan to vary. For more information, contact your PCI compliance company.

For Exim's Advanced Editor, perform the following steps:

  1. Navigate to the Advanced Editor section of WHM's Exim Configuration Manager interface (Home >> Service Configuration >> Exim Configuration Manager).
  2. Enter the following line of code in the tls_require_ciphers text box:

    ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
  3. Click Save.

For the Dovecot mail servers, perform the following steps:

  1. Navigate to WHM's Mailserver Configuration interface (Home >> Service Configuration >> Mailserver Configuration).
  2. Enter the following line of code in the TLS Cipher List text box:

    ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
  3. Click Save.

For cPanel Web Services configuration, perform the following steps:

  1. Navigate to WHM's cPanel Web Services Configuration interface (Home >> Service Configuration >> cPanel Web Services Configuration)
  2. Enter the following line of code in the TLS/SSL Cipher List text box:

    ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH
  3. Click Save.

For cPanel Web Disk configuration, perform the following steps:

  1. Navigate to WHM's cPanel Web Disk Configuration interface (Home >> Service Configuration >> cPanel Web Disk Configuration).
  2. Enter the following line of code in the TLS/SSL Cipher List text box:

    ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH
  3. Click Save.

For FTP servers, perform the following steps:

  1. Navigate to WHM's FTP Server Configuration interface (Home >> Service Configuration >> FTP Server Configuration).
  2. Enter the following line of code in the TLS Cipher Suite text box:

    HIGH:!aNULL:!eNULL:!PSK:!RC4:!MD5:!TLSv1:!SSLv2:!SSLv3
  3. Click Save.
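The cipher lists above are OpenSSL cipher strings, and a scanner judges the suites they expand to, not the text. The following added example (not cPanel's code or configuration) lints a cipher string at the token level for families that enable weak suites, then expands a string with the local OpenSSL the way a server would and reports any weak suite names that survive. The PERMISSIVE string is a constructed weak list; HARDENED mirrors the Web Disk list on this page. Assumed here: the local Python ssl module is linked against OpenSSL.

```python
import ssl

# Cipher-string families that PCI scanners flag when a list enables them.
WEAK_FAMILIES = {"RC4", "MD5", "NULL", "aNULL", "eNULL", "ADH", "AECDH",
                 "LOW", "EXP", "EXPORT", "DES", "SSLv2", "SSLv3"}

# Substrings of expanded OpenSSL suite names that identify a weak suite.
WEAK_NAME_MARKERS = ("RC4", "MD5", "NULL", "ADH-", "AECDH-", "EXP-", "DES-CBC-SHA")

# Constructed lists for the demonstration; HARDENED matches the Web Disk list on this page.
PERMISSIVE = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
HARDENED = "ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH"


def lint_cipher_string(cipher_string):
    """Token-level check: return the tokens that enable a weak family.

    '!X' removes X permanently and '-X' removes it until re-added, so neither
    enables anything; a bare 'X' or '+X' (move to end) keeps X in the list.
    Aliases such as ALL or MEDIUM are not expanded here; enabled_ciphers() does that.
    """
    flagged = []
    for token in cipher_string.split(":"):
        token = token.strip()
        if not token or token[0] in "!-":
            continue
        families = set(token.lstrip("+").split("+"))   # 'RC4+RSA' means RC4 AND RSA
        if families & WEAK_FAMILIES:
            flagged.append(token)
    return flagged


def enabled_ciphers(cipher_string):
    """Expand the string with the local OpenSSL, as a server using it would.

    get_ciphers() also lists TLS 1.3 suites, which a cipher string does not govern.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(names):
    """Filter expanded suite names down to the ones a scanner would flag."""
    return [n for n in names if any(marker in n for marker in WEAK_NAME_MARKERS)]


def audit(label, cipher_string):
    """Return (enabling tokens, weak expanded suites) and print a one-line summary."""
    flagged = lint_cipher_string(cipher_string)
    try:
        weak = weak_suites(enabled_ciphers(cipher_string))
    except ssl.SSLError:        # this OpenSSL build can select nothing from the string
        weak = None
    print(f"{label}: enabling tokens={flagged or 'none'}, weak expanded suites={weak}")
    return flagged, weak


if __name__ == "__main__":
    audit("permissive", PERMISSIVE)
    audit("hardened", HARDENED)
```

The lint catches the easy mistakes (an `RC4+RSA` or `+MD5` that was meant to be excluded), while the expansion step is what tells you whether an `ALL` or `MEDIUM` alias on your particular OpenSSL build still pulls in a flagged suite.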

Bind

Although cPanel & WHM does not develop BIND, all cPanel servers include BIND by default. Vendor updates typically resolve PCI compliance issues.

BIND CVE-2011-4313

The BIND change log does not list CVE-2011-4313 directly. Instead, it references the fix by its Red Hat bug number, #754398.

Run the following command to test for the presence of this fix:

rpm -q --changelog bind | grep 754398

Your output should resemble the following example:

- fix DOS against recursive servers (#754398)


To report the CVE fixes that your BIND installation includes, send the output that reflects the patched software to the PCI scanning company.
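The OpenSSL, Exim and BIND sections all come down to the same check: read the package's `rpm --changelog` output and confirm that each CVE the scanner demands is mentioned, remembering that some entries cite a vendor bug number instead of the CVE (the BIND #754398 case above). The following added example (not cPanel's code) parses that output, maps known bug numbers to CVEs, and produces the summary you would send to the scanning company. The changelog text is constructed for a fictional package and reuses the wording shown on this page; the `BUG_TO_CVE` table holds only the one mapping the page states.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
BUG_RE = re.compile(r"#(\d+)")
NVR_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)$")

# Vendor bug IDs that a changelog cites in place of a CVE. The one entry is the
# BIND case on this page (Red Hat bug #754398 fixes CVE-2011-4313); extend it
# from the vendor's errata for other packages.
BUG_TO_CVE = {"754398": "CVE-2011-4313"}

# Constructed `rpm -q --changelog` output for a fictional package; the entry
# lines reuse wording from this page but were not captured from a real host.
SAMPLE_CHANGELOG = """\
* Tue Jan 01 2013 Example Maintainer <maint@example.invalid> 1.0-36
- fix for CVEs CVE-2010-2024, CVE-2010-2023
- CVE-2011-0017: Backport patch from EXIM 4.74 for arbitrary file overwrite bug.
* Mon Dec 03 2012 Example Maintainer <maint@example.invalid> 1.0-35
- fix DOS against recursive servers (#754398)
- spec file cleanup, no security impact
"""


def parse_nvr(package):
    """Split an rpm name-version-release string, e.g. openssl-0.9.8e-36.el5_11."""
    m = NVR_RE.match(package)
    if not m:
        raise ValueError(f"not a name-version-release string: {package}")
    return m.group("name"), m.group("version"), m.group("release")


def parse_changelog(text):
    """Split changelog output into entries (newest first, as rpm prints them).

    Each entry is {"evr": "<version-release>", "cves": set()}; a header line
    starts with "* " and ends with the version-release of that build.
    """
    entries = []
    for line in text.splitlines():
        if line.startswith("* "):
            entries.append({"evr": line.split()[-1], "cves": set()})
        elif entries:
            cves = entries[-1]["cves"]
            cves.update(CVE_RE.findall(line))
            cves.update(BUG_TO_CVE[b] for b in BUG_RE.findall(line) if b in BUG_TO_CVE)
    return entries


def cve_coverage(changelog, required):
    """Return (fixed, missing): which of the required CVEs the changelog documents."""
    seen = set()
    for entry in parse_changelog(changelog):
        seen |= entry["cves"]
    required = set(required)
    return sorted(required & seen), sorted(required - seen)


def report(package, changelog, required):
    """Text for the scanning company: package parts plus per-CVE status."""
    name, version, release = parse_nvr(package)
    fixed, missing = cve_coverage(changelog, required)
    lines = [f"{name}: version {version}, release {release} (backported build)"]
    lines += [f"  fixed   {cve}" for cve in fixed]
    lines += [f"  MISSING {cve}" for cve in missing]
    return "\n".join(lines)


if __name__ == "__main__":
    import subprocess
    import sys
    if len(sys.argv) < 3:   # no package given: show the constructed sample
        print(report("examplepkg-1.0-36.el6", SAMPLE_CHANGELOG,
                     ["CVE-2010-2024", "CVE-2011-4313", "CVE-2010-4344"]))
    else:                   # live use: check_cves.py <package> CVE-... CVE-...
        pkg, required = sys.argv[1], sys.argv[2:]
        nvr = subprocess.run(["rpm", "-q", pkg], capture_output=True,
                             text=True, check=True).stdout.split()[0]
        log = subprocess.run(["rpm", "-q", "--changelog", pkg], capture_output=True,
                             text=True, check=True).stdout
        print(report(nvr, log, required))
```

A CVE reported as MISSING is not necessarily unpatched: the vendor may cite it by bug number or in an advisory rather than the changelog, which is why the mapping table exists and should be filled from the vendor's errata for the packages the scanner flags.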


Hide the BIND Version

To become PCI compliant, you must hide the BIND version on your server.

To do this, perform the following steps:

  1. Connect to the server via SSH as the root user.
  2. Edit the /etc/named.conf file and add the following line of code to the options section:

    version "";
  3. Use the following command to restart BIND:

    /scripts/restartsrv_named
  4. Rescan your server with your account on the PCI company's website.


Hide the DNS Server Hostname

To become PCI compliant, you must hide your DNS server’s hostname.

To do this, perform the following steps:

  1. Connect to the server via SSH as the root user.
  2. Edit /etc/named.conf and add the following line of code to the options section:

    hostname "";
  3. Use the following command to restart BIND:

    /scripts/restartsrv_named
  4. Rescan your server with your account on the PCI company's website.
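Both of the procedures above can be verified before you pay for a rescan: the scanner learns the version and hostname through CHAOS-class TXT queries for version.bind and hostname.bind, the same question `dig @server version.bind chaos txt` sends. The following added example (not cPanel's code) builds that query, parses the reply, and reports whether the value is hidden. It assumes you point it at your own server, that `version ""` and `hostname ""` make BIND answer with an empty TXT string, and that a server configured with `version none` refuses the query instead; the checker treats either outcome as hidden. The `build_response` helper fabricates replies so the parser can be exercised offline.

```python
import socket
import struct

QTYPE_TXT = 16
QCLASS_CHAOS = 3
RCODE_REFUSED = 5


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=0x1234):
    """CHAOS-class TXT query; flags 0x0100 = recursion desired, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)


def skip_name(data, offset):
    """Return the offset just past a domain name, handling compression pointers."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # two-byte pointer terminates the name
            return offset + 2
        offset += 1 + length


def parse_response(data):
    """Return (rcode, list of strings from CH TXT answers)."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(data, offset) + 4           # skip QTYPE and QCLASS
    texts = []
    for _ in range(ancount):
        offset = skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CHAOS:
            pos = 0
            while pos < len(rdata):                     # TXT rdata: <len><chars>...
                n = rdata[pos]
                texts.append(rdata[pos + 1:pos + 1 + n].decode("latin-1"))
                pos += 1 + n
    return flags & 0x000F, texts


def is_hidden(rcode, texts):
    """Hidden when the server refuses the query or discloses only empty strings."""
    return rcode != 0 or all(t == "" for t in texts)


def build_response(query, txt_strings, rcode=0):
    """Constructed reply for offline testing; not captured from a real server."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    answers = b""
    if rcode == 0:
        rdata = b"".join(bytes([len(s)]) + s.encode("ascii") for s in txt_strings)
        # 0xC00C: compression pointer back to the question name at offset 12
        answers = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CHAOS, 0, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, 1 if answers else 0, 0, 0)
    return header + question + answers


def check_server(server, name="version.bind", timeout=3.0):
    """Send the query over UDP to your own server and report whether the value is hidden."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    return is_hidden(*parse_response(data))


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for name in ("version.bind", "hostname.bind"):
        print(name, "hidden" if check_server(server, name) else "EXPOSED")
```

Run it against the server's own address after `/scripts/restartsrv_named`; if either name prints EXPOSED, the `options` block edit did not take effect (a common cause is a second `version` or `hostname` statement later in the file that overrides the one you added).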


Mailman

You can completely disable Mailman when you scan for PCI Compliance.

To disable Mailman, perform the following steps:

  1. Log in to WHM as the root user.
  2. In the Mail section of WHM's Tweak Settings interface (Home >> Server Configuration >> Tweak Settings), set the Enable Mailman mailing lists setting to Off.
  3. Click Save.

If you do not want to disable Mailman, perform the following steps to pass a PCI Compliance scan:

  1. Log in to the server as the root user via SSH.

  2. Create the following file to deny web requests for Mailman:

    /usr/local/cpanel/3rdparty/mailman/cgi-bin/.htaccess

    The contents of the file should appear similar to the following example:

    # Apache 2.2 access-control syntax (mod_access_compat on Apache 2.4)
    <Limit GET POST>
    Order deny,allow
    Deny from all
    </Limit>

    <Limit PUT DELETE>
    Order deny,allow
    Deny from all
    </Limit>
  3. Rescan your server with your account on the PCI company's website.

Additional documentation