PCI Compliance vulnerabilities

Postby EKjellquist » Mon Feb 24, 2020 4:16 pm

Folks,

Just wanted to pass on what we're seeing as far as PCI Compliance scans relative to AMS. For reference, we port-forward all the relevant AMS ports (e.g. 25, 110, 143, 465, 587, 995, 8000, 8100) from our edge router to the local IP for our AMS server, and ports 80/443 are proxied via Apache 2.4 on a different local server (also behind NAT). We're using AMS 4.2.6, which AFAIK is still using OpenSSL 1.0.2L (as it was updated but then reverted back to 1.0.2L in later AMS patches). These are the risks that showed up in my most recent scan as of this writing:

(1) Web config file exposed (port 8000/TCP) - the scanner could get to and read web.config for webmail. I can set permissions on the webmail directory to correct it, probably, not sure what the recommendation is?
(2) Port 587 / TCP over SSL - CVE-2013-2566 / CVE-2015-2808 - TLS 1.2 with RC4 128-bit ciphers supported - RC4-MD5 and RC4-SHA - this would have to be corrected with an updated OpenSSL version
(3) Port 25 / TCP - EHLO responds, implies AMS uses ESMTP, which uses the AUTH command. It also responds to LOGIN as one of those AUTH parameters (even though you can set AMS to only allow logins from legit accounts and require secure connections only). AMS would need to be updated to deny or not respond to LOGIN requests and completely disable plaintext / unencrypted session requests when 'require secure connection' option is specified in AMS options...
(4) Port 25 / TCP over SSL - old cipher issue, same as (2)
(5) Port 143 / TCP over SSL - old cipher issue, same as (2)
(6) Port 465 / TCP over SSL - old cipher issue, same as (2)
(7) Port 995 / TCP over SSL - old cipher issue, same as (2)
(8) Port 587 / TCP - same as (3)
(9) Port 443 / 8000 - HTTP Security Header Not Detected - AMS' web server may need the following options added for X-Frame-Options, X-XSS-Protection, X-Content-Type-Options and HSTS directives. I added what I didn't have already in my Apache config (which will clear this for me), but for others who aren't proxying, this would need to be corrected in AMS' web server. I added the following in my Apache config to clear this line item:

Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header set Content-Security-Policy "default-src 'self';"

There are other things I don't get dinged on already b/c they're mitigated in other parts of my Apache config, but afaik most of these items would get cleared by an OpenSSL update.
EKjellquist
 
Posts: 55
Joined: Tue Sep 09, 2014 10:40 pm
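The three checks below mirror findings (2), (3) and (9) from the post above as an added, offline example; it is not code from the original thread or from Code Crafters. It parses a constructed EHLO reply to see which SASL mechanisms are advertised on a still-unencrypted SMTP session, flags RC4 suites in a constructed list of offered cipher names, and reports which of the headers the scanner wanted are absent from a constructed set of response headers. The sample inputs, the hostname mail.example.test, and the function names are all assumptions made for illustration.

```python
"""Offline checks mirroring three of the PCI scan findings in the thread:
(2) RC4 cipher suites offered, (3) AUTH LOGIN/PLAIN advertised on a plaintext
SMTP session, (9) missing HTTP security headers.  All sample inputs below are
constructed for illustration; none is a capture from an AMS server."""

import re

# Constructed list of cipher names as a scanner would report them.
# RC4-MD5 and RC4-SHA are the two named in the post; the rest are filler.
SAMPLE_CIPHERS = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "AES128-SHA",
    "RC4-MD5",
    "RC4-SHA",
]

# Constructed EHLO reply from a plaintext session on port 25, before any
# STARTTLS upgrade (hostname is a placeholder).
SAMPLE_EHLO = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH LOGIN PLAIN CRAM-MD5\r\n"
    "250 HELP\r\n"
)

# Constructed response headers from the webmail port (HSTS and
# X-XSS-Protection deliberately left out).
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}

# The headers item (9) of the scan report asked for.
REQUIRED_HEADERS = (
    "X-Frame-Options",
    "X-Content-Type-Options",
    "X-XSS-Protection",
    "Strict-Transport-Security",
)


def rc4_ciphers(offered):
    """Return the RC4 suites from a list of OpenSSL-style cipher names.
    RC4 is the weakness behind CVE-2013-2566 and CVE-2015-2808."""
    return [c for c in offered if "RC4" in c.upper()]


def parse_ehlo(reply):
    """Map EHLO extension keywords to their parameter lists, e.g.
    {"STARTTLS": [], "AUTH": ["LOGIN", "PLAIN", "CRAM-MD5"], ...}."""
    caps = {}
    for line in reply.splitlines()[1:]:  # first line is the greeting
        m = re.match(r"250[- ](\S+)(?:\s+(.*))?$", line.strip())
        if m:
            caps[m.group(1).upper()] = (m.group(2) or "").split()
    return caps


def plaintext_auth_exposed(reply, tls_active=False):
    """Return the password-revealing SASL mechanisms (LOGIN, PLAIN) that are
    advertised while the session is still unencrypted.  A server honouring a
    'require secure connection' setting should advertise none here."""
    if tls_active:
        return []
    mechs = parse_ehlo(reply).get("AUTH", [])
    return [m for m in mechs if m.upper() in ("LOGIN", "PLAIN")]


def missing_security_headers(headers):
    """Return the required headers (matched case-insensitively) that are
    absent from a dict of response headers."""
    present = {k.lower() for k in headers}
    return [h for h in REQUIRED_HEADERS if h.lower() not in present]


if __name__ == "__main__":
    print("RC4 suites offered:", rc4_ciphers(SAMPLE_CIPHERS))
    print("Plaintext AUTH mechanisms:", plaintext_auth_exposed(SAMPLE_EHLO))
    print("Missing headers:", missing_security_headers(SAMPLE_HEADERS))
```

In practice the EHLO text would come from a socket read right after connecting and again after STARTTLS, with `tls_active=True` on the second pass; the point of the split is that finding (3) is only a problem while the session is still in the clear.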

Re: PCI Compliance vulnerabilities

Postby EKjellquist » Mon Feb 24, 2020 7:11 pm

As a follow-up, I installed IISCrypto (as this has helped in similar situations on other servers), which you can use to limit which protocols / ciphers / hashes / etc are allowed through Windows at all. Sadly this does not actually make the PCI scan pass even after doing so because the AMS still returns that RC4-MD5 and RC4-SHA ciphers are available (even if IISCrypto would actually disallow them).
[Attachment: IISCrypto.jpg - 'Best Practice' settings, -MD5 and -SHA hashes]
EKjellquist
 
Posts: 55
Joined: Tue Sep 09, 2014 10:40 pm

Re: PCI Compliance vulnerabilities

Postby EKjellquist » Mon Feb 24, 2020 7:11 pm

Here are the Cipher settings I'm using:
[Attachment: IISCrypto_ciphers.jpg - IISCrypto Cipher 'Best Practices']
EKjellquist
 
Posts: 55
Joined: Tue Sep 09, 2014 10:40 pm

Re: PCI Compliance vulnerabilities

Postby Code Crafters » Tue Feb 25, 2020 11:07 pm

Thanks for the feedback. A few times now, we've upgraded OpenSSL only to have to revert it due to some instability. The code we have to interact with this is quite complex. There is a new branch of versions that we need to switch to but as it's not a simple thing to implement, we haven't been able to do it yet. However, we definitely want to do this in a major future update. As for the web server headers, you can use the built-in web server or IIS / Apache etc. We will try to look at adding any missing security headers to our built-in custom-built web server too.
Code Crafters
 
Posts: 879
Joined: Mon Sep 10, 2007 2:35 pm
