pci

  1. baronn

    PCI - Disable Plain text authentication

Hi Everyone, Getting this issue with PCI for: Remote Mail Service Accepting Unencrypted Credentials Detected (IMAP) basically: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE NAMESPACE STARTTLS LOGINDISABLED] Dovecot ready. Evidence: ~$ telnet xxx.xxx.xx.xxx. 143...
  2. J

    PCI+ Scan Issues

I'm getting 4 vulnerabilities with my scan: 1. Information gathering e: FTP on TCP port 21. CVSS Base Score 4.3 - AV:N/AC:M/Au:N/C:P/I:N/A:N CVSS Temporal Score 3.3 - E:U/RL:W/RC:UR Severity 3 Category Information gathering CVE ID Vendor Reference Bugtraq ID Date Updated Jul 1, 2021 Threat A remote management...
  3. V

    openssh privileged escalation vuln

I ran a PCI scan on a cPanel server that I'm managing. One of the failed results showed this: Does cPanel have a patch or an update to version 8.8? Thanks! ----------------------------- OpenSSH Privilege Escalation Vulnerability THREAT: OpenSSH (OpenBSD Secure Shell) is a set of computer...
  4. V

    pci scan blocked by IPS?

    Hi, May I know what is causing this on our cPanel server? Is it the cPhulkd daemon? How to resolve this, disable cPhulkd when running the scan...
  5. V

    PCI Scan - /webmail fails

    Vulnerability Details: Service: https Sent: GET /webmail/<SCRIPT>alert('SAINT')</SCRIPT> HTTP/1.0 Host: domain.net User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Connection: Keep-alive Received: 'redirect_url'...
  6. S

    SSL Labs A+ Rating - Ideal settings

Hi, I am a newbie to ciphers and the like, but I would like to score A+ on SSL Labs and the default settings of cPanel do not achieve this. I also want to make the other services really secure, but I have not found a cheatsheet with them all on. Does anyone have an up to date/custom/official set...
  7. V

    SOLVED PCI DSS scan fails OpenSSH

Hi, My server is running WHM/cPanel v78.0.23 on the latest version of CentOS 7.6. The PCI-DSS scan fails for the SSH security with the following message/recommendation: Does cPanel have a fix for this? Or do I need to manually install/upgrade OpenSSH to version 8? I'd rather not do anything...
  8. Bashed

    SSL Server Test Rating

    Ran a test on Qualys SSL Labs and got a B rating. DNS CAA = no TLS 1.2 = yes (other TLS/SSL protocols = no) Forward Secrecy = with some browsers See attached. Would appreciate help on getting that A rating My Settings: SSL Cipher Suite...
  9. W

    Plaintext Authentication is disabled issue

Working through PCI compliance for a customer, and when I set: Allow Plaintext Authentication (from remote clients): NO, no mail clients can connect using POP3, only webmail. Changed settings in the mail client to SSL, TLS or auto to no avail.
  10. S

    cPanel / Comodo Service SSL Certificate Fails PCI

My 'manage service ssl certificate' was recently replaced with the cPanel / Comodo free one year certificate. My PCI scan vendor just ran a scan on the server and all the services that the SSL certificate covers have failed the scan. Here are the results of the fail: "Details Category General...
  11. E

    PCI Fails SSH weak hashing and key exchange

So one of my customer's PCI scans is failing from Trustwave for these 2: Weak SSH Hashing Algorithms, Weak SSH Key Exchange. None of my other domains on that server are failing ControlScan PCI scans. The best part is the description "This vulnerability is not recognized by the national...
  12. D

    PCI Scan failing on SMTP Service Cleartext Login Permitted

    Hello everyone. Our latest PCI Compliancy scan is failing on "SMTP Service Cleartext Login Permitted" on port 465. It's saying that the server is advertising PLAIN or LOGIN, and to only allow less secure connections via secured channels. I've actually read just about every article and forum...
  13. G

    Trustwave failing PCI compliance SSL/TLS Weak Encryption Algorithms on Port 443

Trustwave failing PCI compliance SSL/TLS Weak Encryption Algorithms on Port 443 even though SSLCipherSuite disables them. I’ve searched a number of posts on this topic but have been unable to find a solution to my problem. I am currently failing PCI compliance on: SSL/TLS Weak Encryption...
  14. D

    PCI Compliance

We're having an issue with PCI Compliance on our server. We've got 3 packages that need to be updated: - EXIM - BIND - OPENSSH. I've got specific versions for minimum requirements that I've verified we don't meet. Our WHM version is current and I don't have any packages marked for update. So I...
  15. C

    SOLVED SSL Certificate Signed Using Weak Hashing Algorithm (Known CA)

Hi, My server is failing a PCI scan on a few ports with: "SSL Certificate Signed Using Weak Hashing Algorithm (Known CA)" - CVE-2004-2761 BID : 33065, 11849 Other references { cert : 836068, osvdb : 45127, 45106, 45108, cwe : 310 } The following known CA certificates were part of the certificate...
  16. E

    PCI compliance is getting ridiculous

    So PCI compliance is getting out of control .... Now they will not allow FTP as it is now classified as Obsolete or insecure. "Insecure services and industry-deprecated protocols can lead to information disclosure or potential exploit." They are saying the same for SSH If this keeps up my...
  17. S

    Unsecure cookie still getting sent even though service disabled

Hi, We have some issues where we have disabled all web-based email clients (Roundcube, Horde, etc.) but our PCI-DSS scan still gets the cookie with no secure attribute related to it. Does that mean disabling them in WHM doesn't get rid of them? How do we solve this to get compliant, do we need to...
  18. E

    SOLVED PCI compliance report issues

    ProFTPD version 1.3.5B is vulnerable -- ProFTPD CVE-2017-7418 Local Security Bypass Vulnerability "ProFTPD is prone to a local security-bypass vulnerability. An attacker may exploit this issue to bypass certain security restrictions and perform unauthorized actions. ProFTPD prior to 1.3.5e...
  19. P

    Want to adjust cipher suite - test on virtualhost first?

    We have a VPS with about a dozen various corporate sites, however our server has been flagged as having weak keys. This prompted us to evaluate the entire cipher suite, and we would like to update it across the board. But we'd like to test an updated combination before deploying it to the...
  20. rfcabal

    SSH CVE-2016-8858

Hi guys, I have a question. Recently one of our clients is worried about CVE-2016-8858, which affects SSH version 6.6p1. I have run this command rpm -q --changelog openssh | grep CVE-2016-8858 and nothing comes out. Does it mean my actual version of SSH is not affected by this vulnerability...