PCI compliance fails on ports 20000 and 10000

#1 Fri, 01/04/2013 - 19:53
katir


We are working on PCI compliance issue and SecurityMetrics, our auditor is flagging ports 10000 and 20000 with the following:

Any ideas on what we can do to plug these so-called "holes" (or some way to verify that these are false positives, which Security Metrics will accept)? (Can we point webmin, virtualmin, usermin to our own SSL certs?)

TCP 20000 dnp 6.4 Description: SSL Certificate Cannot Be Trusted Synopsis: The SSL certificate for this service cannot be trusted. Impact: The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted. First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority. Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates. Third, the certificate chain may contain a signature that either didn't match the certificate's information, or was not possible to verify. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that SecurityMetrics either does not support or does not recognize. If the remote host is a public host in production, any break in the chain nullifies the use of SSL as anyone could establish a man in the middle attack against the remote host. Data Received: The following certificates were at the top of the certificate chain sent by the remote host, but are signed by an unknown certificate authority

TCP 20000 dnp 6.4 Description: SSL Self-Signed Certificate Synopsis: The SSL certificate chain for this service ends in an unrecognized self-signed certificate. Impact: The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man in the middle attack against the remote host. Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority. Data Received: The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities : |-Subject : Resolution: Purchase or generate a proper certificate for this service. Risk Factor: Medium/ CVSS2 Base Score: 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N

TCP 10000 ndmp 5.0 Description: SSL Certificate with Wrong Hostname Synopsis: The SSL certificate for this service is for a different host. Impact: The commonName (CN) of the SSL certificate presented on this service is for a different machine. Data Received: The identity known by SecurityMetrics is

TCP 20000 dnp 4.3 Description: SSL Weak Cipher Suites Supported Synopsis: The remote service supports the use of weak SSL ciphers. Impact: The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all. Note: This is considerably easier to exploit if the attacker is on the same physical network. See also : http://www.openssl.org/docs/apps/ciphers.html Data Received: Here is the list of weak SSL ciphers supported by the remote server : Low Strength Ciphers (< 56-bit key) SSLv3 EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export TLSv1 EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag} Other references : CWE:327, CWE:326, CWE:753, CWE:803, CWE:720 Resolution: Reconfigure the affected application if possible to avoid use of weak ciphers. Risk Factor: Medium/ CVSS2 Base Score: 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N

TCP 20000 dnp 4.3 Description: SSL Medium Strength Cipher Suites Supported Synopsis: The remote service supports the use of medium strength SSL ciphers. Impact: The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits. Note: This is considerably easier to exploit if the attacker is on the same physical network. Data Received: Here is the list of medium strength SSL ciphers supported by the remote server : Medium Strength Ciphers (>= 56-bit and < 112-bit key) SSLv3 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 TLSv1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag} Resolution: Reconfigure the affected application if possible to avoid use of medium strength ciphers. Risk Factor: Medium/ CVSS2 Base Score: 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N

TCP 20000 dnp 4.0 Description: SSL Certificate Chain Contains Weak RSA Keys Synopsis: The X.509 certificate chain used by this service contains certificates with RSA keys shorter than 1024 bits. Impact: At least one of the X.509 certificates sent by the remote host has a key that is shorter than 1024 bits. Such keys are considered weak due to advances in available computing power decreasing the time required to factor cryptographic keys. Some SSL implementations, notably Microsoft's, may consider this SSL chain to be invalid due to the length of one or more of the RSA keys it contains. See also : http://www.nessus.org/u?f460485a http://www.nessus.org/u?7949cc5f Data Received: The following certificates were part of the certificate chain sent by the remote host, but contain RSA keys that are considered to be weak. |-Subject : O=Usermin Webserver on ..........-RSA Key Length : 512 bits Resolution: Replace the certificate in the chain with the weak RSA key with a stronger key, and reissue any certificates it signed. Risk Factor: Medium/ CVSS2 Base Score: 4.0 AV:N/AC:H/Au:N/C:P/I:N/A:P

TCP 20000 N/A 4.0 Title: SSL server accepts weak ciphers Impact: A remote attacker with the ability to sniff network traffic could decrypt an encrypted session. Resolution: For Apache mod_ssl web servers, use the [http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite] SSLCipherSuite directive in the configuration file to specify strong ciphers only and disable SSLv2. For Microsoft IIS web servers, disable SSLv2 and any weak ciphers as described in Microsoft knowledge base articles [http://support.microsoft.com/kb/187498] 187498 and [http://support.microsoft.com/kb/245030] 245030. For other types of web servers, consult the web server documentation. Risk Factor: Medium/ CVSS2 Base Score: 4.0 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
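The cipher-suite findings above use the scanner's own thresholds (under 56-bit keys = low strength, 56 to 111 bits = medium, export-grade 512-bit RSA key exchange = weak). The script below is an added example, not part of this thread or of Webmin/Usermin: it parses lines in the layout of `openssl ciphers -v` (a constructed sample mirroring the suites named in the report is embedded), reports which suites the scan would flag and why, and builds a cipher string containing only the unflagged suites that can be used as the value of a server's cipher-list setting before the next scan.

```python
import re

# Thresholds from the scan findings quoted above: <56-bit key = low strength,
# 56..111-bit = medium strength, RSA keys under 1024 bits = weak.
LOW_MAX_BITS, MEDIUM_MAX_BITS, WEAK_RSA_BITS = 56, 112, 1024

# Constructed sample in the layout of `openssl ciphers -v`, mirroring the
# suites named in the report plus one strong suite for contrast.
SAMPLE_CIPHERS = """\
EXP-DES-CBC-SHA  SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40)  Mac=SHA1 export
EXP-RC2-CBC-MD5  SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40)  Mac=MD5  export
EXP-RC4-MD5      TLSv1 Kx=RSA(512) Au=RSA Enc=RC4(40)  Mac=MD5  export
DES-CBC-SHA      TLSv1 Kx=RSA      Au=RSA Enc=DES(56)  Mac=SHA1
NULL-SHA         SSLv3 Kx=RSA      Au=RSA Enc=None     Mac=SHA1
AES256-SHA       TLSv1 Kx=RSA      Au=RSA Enc=AES(256) Mac=SHA1
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$")

def _bits(field):
    """Key size in parentheses, e.g. 'DES(40)' -> 40; None if absent."""
    m = re.search(r"\((\d+)\)", field)
    return int(m.group(1)) if m else None

def parse_cipher_line(line):
    """One `openssl ciphers -v` line -> dict, or None for non-matching input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"name": m.group("name"), "proto": m.group("proto"),
            "enc_bits": _bits(m.group("enc")) or 0,   # Enc=None -> 0 bits
            "kx_bits": _bits(m.group("kx")), "export": bool(m.group("export"))}

def findings(text):
    """Map cipher name -> reasons for every suite the scan would flag."""
    out = {}
    for c in filter(None, map(parse_cipher_line, text.splitlines())):
        reasons, kx = [], c["kx_bits"]
        if c["enc_bits"] < LOW_MAX_BITS:
            reasons.append("low strength (<56-bit key)")
        elif c["enc_bits"] < MEDIUM_MAX_BITS:
            reasons.append("medium strength (56..111-bit key)")
        if c["export"] or (kx is not None and kx < WEAK_RSA_BITS):
            reasons.append("export-grade / RSA key exchange under 1024 bits")
        if reasons:
            out[c["name"]] = reasons
    return out

def strong_cipher_list(text):
    """OpenSSL-style cipher string containing only the unflagged suites."""
    flagged = findings(text)
    names = [c["name"] for c in map(parse_cipher_line, text.splitlines()) if c]
    return ":".join(n for n in names if n not in flagged)
```

To audit a real configuration, feed the output of `openssl ciphers -v 'ALL:eNULL'` (or the cipher string the server is configured with) to `findings()` instead of the sample.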

Fri, 01/04/2013 - 22:15
andreychek

PCI companies seem to be finding more and more things to flag these days :-)

They're essentially saying that since you only have a self-signed SSL cert, and not a commercial cert, that they're opting to flag Webmin and Usermin.

It sounds like they're saying you'll need to update those certificates with commercial SSL certs.

If you already have a commercial SSL cert installed on one of your websites, you can go into Server Configuration -> Manage SSL Certificates, and click the "Copy to Webmin" and "Copy to Usermin" buttons.

Also, note that if you mark a forum post as private, there's only one person who regularly watches the forums who will see it... rather than doing that, I'd suggest just removing any private info from your post.

-Eric

Sat, 01/05/2013 - 21:41
katir

Thanks Eric: That was easy enough to do right away... we will see on the next scans... I removed some detail from the reports above and made this public.
