BuycPanel Blog

PCI Compliance and Software Versions

Posted by Allura on 07 08 2018.

Introduction

Most PCI compliance scanners decide whether a package is vulnerable from its version number alone: if the version string the server reports is one with a published vulnerability, the scan flags it. This document covers some of the packages that scanners commonly report in this way and explains how operating system vendors use backporting to patch a package without changing its upstream version number, which is what produces these false positives.

Back porting

Backporting lets an operating system vendor apply only the fix for a known security vulnerability to the version of a package it already ships. That avoids pulling in a newer upstream release whose additional features have not yet been tested on that operating system.

Operating system vendors usually backport fixes rather than ship a whole new version of the package. For example, a vendor can combine OpenSSL 0.9.7c with the security patch from OpenSSL 0.9.7d and release the result as OpenSSL 0.9.7c-2. The upstream version still reads 0.9.7c, so a scanner that reads only the version reports OpenSSL 0.9.7c-2 as vulnerable. In that case, tell the PCI compliance scanning company which backported version you run and which fixes it contains; they can record your software version and mark the finding as a false positive in the scan results.

OpenSSL

Use the following steps to check the OpenSSL installation on the server.

Steps

  • Run this command to find the OpenSSL package installed on the system:

rpm -qa | grep openssl

  • Run this command to read the RPM change log for the installed version and look for the vulnerability fixes it includes (replace the package name with the one reported by the previous step):

rpm --changelog -q openssl-0.9.8b-10.el5 | less

  • If the change log lists fixes for the CVEs the PCI compliance scanning company reported, send them the patched version string and the CVE IDs it covers so that they can mark the finding as a false positive. If a reported CVE does not appear in the change log, the finding is not a false positive and the package still needs an update.
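As an added example (not part of the original post), the following shell script turns the check above into something repeatable: it takes the CVE identifiers a scanner flagged and looks each one up in the package change log, which is exactly the evidence the scanning company asks for. It works for any RPM package, including the OpenSSH packages discussed later in this post. The change log text embedded here is constructed for the example and is not the real change log of openssl-0.9.8b-10.el5; on a real server, feed the script the output of rpm -q --changelog instead.

```shell
#!/bin/sh
# Added example, not from the original post: check which scanner-flagged CVEs
# the vendor change log of an installed RPM records as fixed (backported).

# Constructed sample in the layout that `rpm -q --changelog <package>` prints.
# These entries are made up for this example; on a real server use
#   CHANGELOG=$(rpm -q --changelog openssl)
SAMPLE_CHANGELOG='* Mon Jan 12 2009 Example Packager <packager@example.com> 0.9.8b-10
- fix CVE-2008-5077 - incorrect checks for malformed signatures
* Wed Nov 04 2009 Example Packager <packager@example.com> 0.9.8b-10.1
- fix CVE-2009-3555 - TLS renegotiation
'

# Return 0 when the change log ($1) mentions the CVE ($2) as a whole
# identifier. -i makes "cve-2009-3555" match too; -w stops CVE-2009-3555
# from matching CVE-2009-35550; -F treats the ID as a plain string.
cve_in_changelog() {
    printf '%s\n' "$1" | grep -qiwF -- "$2"
}

# For every CVE the scanner reported, print "<CVE> backported" if the change
# log records a fix and "<CVE> NOT FOUND" otherwise. The return value is the
# number of CVEs without change-log evidence, so 0 means everything is covered.
check_cves() {
    changelog=$1
    shift
    missing=0
    for cve in "$@"; do
        if cve_in_changelog "$changelog" "$cve"; then
            printf '%s backported\n' "$cve"
        else
            printf '%s NOT FOUND\n' "$cve"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Stand-alone run against the constructed sample. CVE-2009-0590 is a real
# OpenSSL CVE that the sample deliberately does not list, to show the
# "NOT FOUND" case: that one needs a real update, not a false-positive note.
check_cves "$SAMPLE_CHANGELOG" CVE-2008-5077 CVE-2009-3555 CVE-2009-0590 \
    || echo "$? CVE(s) without change-log evidence"
```

On a live server the call becomes check_cves "$(rpm -q --changelog openssl)" followed by the CVE list from the scan report. A "backported" line is only as good as the vendor change log, so keep the change-log excerpt alongside the version string when you send the false-positive request; a "NOT FOUND" line means the vendor has not shipped a fix for that CVE in the installed release, and the right response is an update rather than a dispute.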

To adjust the server for PCI compliance, set the value of the SSLCipherSuite directive in the Global Configuration section of WHM's Apache Configuration interface (WHM >> Home >> Service Configuration >> Apache Configuration).

SSLCipherSuite

If PCI compliance scans of port 443 still fail, and additional SSLCipherSuite entries exist besides the global one in the /etc/apache2/conf/httpd.conf file, follow these steps:

Steps

  • Run this command to check for additional SSLCipherSuite entries in the /etc/apache2/conf/httpd.conf file:

grep -i sslciphersuite /etc/apache2/conf/httpd.conf

  • Run this command to check the per-account VirtualHost data that cPanel uses to build httpd.conf:

grep -i sslciphersuite /var/cpanel/userdata/*/*_SSL

  • If the previous step returns any results, run this command against each file it lists to remove the existing SSLCipherSuite entries:

perl -pi -e 's{sslciphersuite:.*}{}ms;' path/to/file/from/step/2

  • After removing the entries, rebuild the Apache configuration file:

/usr/local/cpanel/scripts/rebuildhttpdconf

  • Confirm that only one global SSLCipherSuite entry remains:

grep -i sslciphersuite /etc/apache2/conf/httpd.conf

  • Once only one global entry exists, restart Apache:

/scripts/restartsrv_httpd

  • Lastly, rescan port 443 for PCI compliance.
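As an added example (not part of the original post), the shell script below audits the SSLCipherSuite directives in Apache configuration text. It performs the two checks the procedure above depends on: it counts how many directives are active, which is the duplicate problem the steps remove, and it flags cipher-string components that PCI scanners reject (RC4, DES and 3DES, MD5, NULL, export and anonymous suites, and catch-all keywords such as ALL or MEDIUM). The httpd.conf fragment embedded in the script is constructed for the example, not taken from a cPanel server, and the weak-component pattern is this example's own heuristic rather than a cPanel or PCI list.

```shell
#!/bin/sh
# Added example, not from the original post: audit Apache SSLCipherSuite
# directives. Two checks: exactly one directive should remain (the duplicate
# problem the steps above fix), and that directive should not admit cipher
# suites a PCI scanner rejects.

# Constructed httpd.conf fragment (not from a real server): a hardened global
# directive plus a stale one left inside a VirtualHost, which is the situation
# that keeps the port 443 scan failing.
SAMPLE_HTTPD_CONF='
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder On
<VirtualHost 203.0.113.10:443>
    ServerName example.com
    # legacy default left behind by an old template
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
</VirtualHost>
'

# Print the number of active (uncommented) SSLCipherSuite directives in the
# configuration text passed as $1. After the cleanup steps this should be 1.
count_ciphersuite() {
    printf '%s\n' "$1" | grep -ic '^[[:space:]]*sslciphersuite[[:space:]]' || true
}

# Print the cipher string of every active SSLCipherSuite directive, one per
# line. Assumes the value is unquoted, as cPanel writes it.
ciphersuite_values() {
    printf '%s\n' "$1" \
        | grep -i '^[[:space:]]*sslciphersuite[[:space:]]' \
        | awk '{print $2}' || true
}

# Split an OpenSSL cipher string on ':' and print each component that enables
# something a PCI scan rejects. Components beginning with '!' or '-' are
# exclusions and are skipped. This is a heuristic on the string itself; the
# authoritative expansion is `openssl ciphers -v "<string>"`.
weak_components() {
    printf '%s\n' "$1" | tr ':' '\n' \
        | grep -Ev '^[!-]' \
        | grep -E 'RC4|DES|MD5|NULL|EXP|ADH|^\+?(ALL|DEFAULT|LOW|MEDIUM|COMPLEMENTOFDEFAULT)$' || true
}

# Audit a configuration text: report the directive count and any weak
# components. Returns 0 only when exactly one directive exists and it is clean.
audit_ciphersuite() {
    conf=$1
    status=0
    n=$(count_ciphersuite "$conf")
    echo "SSLCipherSuite directives: $n"
    [ "$n" -eq 1 ] || status=1
    # Cipher strings contain no whitespace, so word splitting is safe here.
    for value in $(ciphersuite_values "$conf"); do
        weak=$(weak_components "$value")
        if [ -n "$weak" ]; then
            printf '%s\n' "$weak" | sed 's/^/weak component: /'
            status=1
        fi
    done
    return "$status"
}

# Stand-alone run against the constructed sample: reports 2 directives and
# the RC4/ALL/MEDIUM components of the stale VirtualHost entry.
audit_ciphersuite "$SAMPLE_HTTPD_CONF" || echo "fix these before rescanning port 443"
```

To audit a live server, pass the file contents: audit_ciphersuite "$(cat /etc/apache2/conf/httpd.conf)". The SSLProtocol line in the sample is there because cipher choice alone does not pass a scan once SSL and early TLS (TLS 1.0) are disallowed, which PCI DSS 3.2 required from 30 June 2018; a scanner also exercises the protocol versions the server accepts.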

OpenSSH

Run the command rpm -qa | grep openssh to find the OpenSSH packages installed on the system. On an EL6 (RHEL/CentOS 6) server the output may resemble:

openssh-clients-5.3p1-94.el6.i686

openssh-server-5.3p1-94.el6.i686

openssh-5.3p1-94.el6.i686

If the OpenSSH package 6.6.1p1-35.el7_3 is installed (an EL7 server), the output will resemble:

openssh-6.6.1p1-35.el7_3.x86_64

openssh-server-6.6.1p1-35.el7_3.x86_64

openssh-clients-6.6.1p1-35.el7_3.x86_64

As with OpenSSL, the upstream version (5.3p1 or 6.6.1p1) is what a scanner reads, while the vendor release number after it (94.el6, 35.el7_3) is where backported fixes accumulate; rpm --changelog -q on the package shows which CVEs those releases address.

Conclusion

PCI compliance scanners judge a package by its version number, while operating system vendors fix vulnerabilities by backporting patches into that same version. Checking the installed package and its RPM change log shows which fixes are actually present, and that record, together with a single clean SSLCipherSuite entry for Apache, is what the scanning company needs to clear the finding.