PCI compliant server configuration

The Payment Card Industry Data Security Standard is a security standard for an organization that uses a credit card for money transactions. Nowadays most of the eCommerce customers seek PCI compliance servers for handling card transactions. To pass the PCI scan we need to follow the guidelines issued by the scanning companies like Trust wave and Security metrics. If we submit our domain name to a scanning company, they will scan and produce PDF files with vulnerabilities and their resolution.  In this article, I will share the major vulnerabilities and the resolution for it.

1.ISC BIND Unsupported Version Detection

It can be considered as false positive. Redhat supports bind 9.3.6 and patches it. The changelog is here:

To list change logs execute # rpm -q bind –changelog command.

===
* Wed Sep 02, 2015 Tomas Hozza <thozza@redhat.com> – 30:9.3.6-25.P1.4
– Fix CVE-2015-5722

* Mon Jul 27, 2015, Florian Weimer <fweimer@redhat.com> – 30:9.3.6-25.P1.3
– Fix CVE-2015-5477

* Wed Dec 10, 2014, Tomas Hozza <thozza@redhat.com> 30:9.3.6-25.P1.2
– Remove files backup after patching (Related: #1171971)

2. TLS Version 1.0 Protocol Detection (PCI DSS)
The remote service encrypts traffic using a protocol with known weaknesses.
Impact:
The remote service accepts connections encrypted using TLS 1.0. This version of  TLS is affected by multiple cryptographic flaws. An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients. As per PCI Security Standards Council April 1, 2015 document `Migrating from SSL and Early TLS` all TLS 1.0 encryption usage must include a Mitigation and Migration plan detailing current risk management plus migration strategy off early TLS to secure TLS versions such as TLS 1.1 or 1.2 on before June 30, 2016. Consult the application’s documentation for information on how to upgrade TLS to version 1.1 or greater (TLS 1.2 strongly recommended) or upgrade the application to a version that uses TLS version 1.1 or greater.
Fix:-
With the help of https://www.ssllabs.com tool, we can check currently enabled protocol. From the below image you can see that TLS1.0 is disabled in my server
protocol_enabled

Now I will explain to you how to disable the TLS1.0 protocol. Open your apache configuration file and search for “SSLProtocol”, here you can see currently disabled protocol. To disable TLS1.0 add -TLSv1 string at the end of the line. In WHM you can do this from Home »Service Configuration »Apache Configuration »Global Configuration
3. ISC BIND 9 Zero-Length RDATA Section Denial of Service / Information Disclosure

Fix: It can be considered as false positive. The OS vendor back-ports fixed and patches. The changelog is here
# rpm -q –changelog bind | grep -i cve-2012-1667 ( cve-2012-1667 This CVE you can get from the scan result )
– fix CVE-2012-1667

4. ISC BIND 9 DNSSEC Cache Poisoning
This flaw does not introduce additional risks to bind installations that are not using DNSSEC, as a successful attack requires bypass of other cache poisoning protections (such as random query source ports and transaction ids). This flaw only allows for the bypass of protection provided by DNSSEC.
To understand more about this vulnerability read https://access.redhat.com/security/cve/cve-2009-4022

5.OpenSSH < 4.7 Trusted X11 Cookie Connection Policy Bypass

CVE-2007-4752 – Does not affect CentOS 6 as per https://access.redhat.com/security/cve/cve-2007-4752
CVE-2007-2243 – Does not affect CentOS 6 as per https://access.redhat.com/security/cve/cve-2007-2243

6. CGI Generic SQL Injection (blind)
This fail is related to the software (osCommerce) installed on your account, this would need to be updated by a web developer who would need to secure the site for you :

7. Web Application Potentially Vulnerable to Clickjacking –
> To be corrected by the web developer. Can be implemented by adding the following line in the sites .htaccess file for example:
Header append X-FRAME-OPTIONS “SAMEORIGIN”

8. ISC BIND 9 9.4-ESV < 9.4-ESV-R4, 9.6.2 < 9.6.2-P3, 9.6-ESV < 9.6-ESV-R3, 9.7.x < 9.7.2-P3
Multiple Vulnerabilities –
> The OS vendor back-ports fixed and patches. Please see change log:
# rpm -q –changelog bind | grep -i CVE-2010-3613
– fixes for CVE-2010-3762, CVE-2010-3613 and CVE-2010-3614

9. SSL certificate with the wrong hostname

Impact:
The commonName (CN) of the SSL certificate presented on this service is for a different machine.

Resolution:-
To resolve this vulnerability we need to disable the cPanel shortcuts by closing ports 2078, 2083, 2087 and 2096 for the site’s dedicated IPs
You can deny IPs by adding the following rule csf.deny file
tcp|in|d=2078|d=**.***.***.***

 

10. ISC BIND Cache Update Policy Deleted Domain Name Resolving Weakness

Impact:-
According to its self-reported version number, the remote installation of BIND will continue to allow revoked domain names to be resolved due to an issue related to the cache update policy. Note that SecurityMetrics has only relied on the version itself and has not attempted to determine whether or not the install is affected. See also :
http://www.nessus.org/u?38f47769
https://www.isc.org/software/bind/advisories/cve-2012-1033
http://ftp.isc.org/isc/bind9/9.6-ESV-R6/CHANGES
http://ftp.isc.org/isc/bind9/9.7.5/CHANGES
http://ftp.isc.org/isc/bind9/9.8.2/CHANGES
http://ftp.isc.org/isc/bind9/9.9.0/CHANGES

Resolution:-

The OS vendor back-ports fixed and patches. Please see the changelog:
# rpm -q –changelog bind | grep -i cve-2012-1033
– fix CVE-2012-1033

 

11. SSL RC4 Cipher Suites Supported (Bar Mitzvah)

Impact:-
The remote host supports the use of RC4 in one or more cipher suites. The RC4  cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases are introduced into the stream, decreasing its randomness. If plaintext is repeatedly encrypted (e.g., HTTP cookies), and an attacker can obtain many (i.e., tens of millions) ciphertexts, the attacker may be able to derive the plaintext. See also:

http://www.nessus.org/u?217a3666
http://cr.yp.to/talks/2013.03.12/slides.pdf http://www.isg.rhul.ac.uk/tls/
http://www.imperva.com/docs/HII_Attacking_SSL_when_using_RC4.pdf
Solution:-
Add the following Cipher in your apache configuration file.
ALL:!ADH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

 

12 . Web Server Uses Basic Authentication Without HTTPS –
The following web pages use Basic Authentication over an unencrypted channel :
/awstats/cgi-bin:/ realm=”Authorization Required” /download:/ realm=”Authorization
Required” /awstats:/ realm=”Authorization Required”
> Dispute as not customer facing or force SSL via sites .htaccess.

 

13. ISC BIND 9 Multiple DoS Vulnerabilities
# rpm -q –changelog bind | grep -i CVE-2014-8500
– Fix CVE-2014-8500 (#1171974)

 

14. Web servers uses plain-text form-based authentication – “http://domain-name/wp-login.php” method=”post”

This can be corrected by enabling SSL secure login for WordPress

 15. The cookie does not contain the “secure” attribute – apply the “secure” attributes to cookies and force all sensitive requests to be sent via HTTPS.

Enable secure flag in cookie settings will fix this issue.

 

16. TLS version 1.0 protocol detection ( Port 2083 )

I know that I have already discussed the TLS version 1.0 issue in the same post but that was about the apache SSL cipher suite. But here I am going to write about the cPanel or WHM SSL suite. From the PCI scan result, we can understand that whether the issue is related to a domain SSL / cipher suite ( Apache ) or cPanel / WHM SSL cipher suite.

pci_scan_result

 

From the above PCI scan, it is clear that the issue is related to cPanel and the port number is 2083.

Solution:-

We have to disable TLSv1 on WHM Home » Service Configuration » cPanel Web Services Configuration.

Append the following entry to the existing “TLS/SSL Protocols” list:

:!TLSv1

The final entry would look like this if you’ve made no previous changes:

SSLv23:!SSLv2:!SSLv3:!TLSv1

Check the attached screenshot.

cpanel_webservice_configuration

 

Leave a Reply

Your email address will not be published. Required fields are marked *