Trustwave PCI Failed - 3 Issues

eglwolf · Mar 9, 2017

I have the following 3 failed notification on a new server that I am trying to resolve. I believe that I have tried all the methods I have been able to find through other threads. Amy help would be great.

Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32, CVE-2016-2183
TLSv1.0 Supported
Reflected Cross-Site Scripting Vulnerability

quizknows · Mar 9, 2017

The cross site scripting, if valid, is likely an issue in the hosted application (website) itself. The report should have steps to reproduce that issue. Often those can be false positives but you should have the web dev have a good look at it. The other ones we would need to know what service/port number is associated with them in order to help.

eglwolf · Mar 9, 2017

The block cipher algorithm is on port tcp/21 and Port: tcp/443
Evidence:

Cipher Suite: TLSv1_1 : ECDHE-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_1 : EDH-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_1 : DES-CBC3-SHA
Cipher Suite: TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_2 : EDH-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_2 : DES-CBC3-SHA

TLSv1.0 Supported Port: tcp/443
CVSSv2: AV:N/AC:L/Au:N/C:N/I:P/A:N
Service: apache:http_server

Evidence:

Cipher Suite: TLSv1 : ECDHE-RSA-AES256-SHA
Cipher Suite: TLSv1 : DHE-RSA-AES256-SHA
Cipher Suite: TLSv1 : AES256-SHA
Cipher Suite: TLSv1 : ECDHE-RSA-AES128-SHA
Cipher Suite: TLSv1 : DHE-RSA-AES128-SHA
Cipher Suite: TLSv1 : AES128-SHA
Cipher Suite: TLSv1 : ECDHE-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1 : EDH-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1 : DES-CBC3-SHA

cPanelMichael · Mar 12, 2017

Hello,

For port 21, the following thread discusses this issue:

Pure-FTPd Cipher Settings

For the remaining issues, this thread should help:

I need to disable TLS v1.0

Thank you.

eglwolf · Mar 16, 2017

I have done the things in these threads and others. However, I still fail on these 3 things.

Port: tcp/21
Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32

Evidence:
Cipher Suite: TLSv1_1 : ECDHE-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_1 : EDH-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_1 : DES-CBC3-SHA
Cipher Suite: TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_2 : EDH-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_2 : DES-CBC3-SHA

tcp/443
TLSv1.0 Supported

Evidence:
Cipher Suite: TLSv1 : ECDHE-RSA-AES256-SHA
Cipher Suite: TLSv1 : DHE-RSA-AES256-SHA
Cipher Suite: TLSv1 : AES256-SHA
Cipher Suite: TLSv1 : ECDHE-RSA-AES128-SHA
Cipher Suite: TLSv1 : DHE-RSA-AES128-SHA
Cipher Suite: TLSv1 : AES128-SHA

tcp/21
SSL/TLS Weak Encryption Algorithms

Evidence:
Cipher Suite: TLSv1_1 : ECDHE-RSA-RC4-SHA
Cipher Suite: TLSv1_1 : RC4-SHA
Cipher Suite: TLSv1_1 : RC4-MD5
Cipher Suite: TLSv1_2 : ECDHE-RSA-RC4-SHA
Cipher Suite: TLSv1_2 : RC4-SHA
Cipher Suite: TLSv1_2 : RC4-MD5

cPanelMichael · Mar 16, 2017

Hello,

For port 21, this is related to a bug with Pure-FTPd. We have an internal case open to address the issue, and will update the associated forums thread once it's published:

Pure-FTPd Cipher Settings

Regarding port 443, could you let us know what cipher settings have you configured for Apache?

Thank you.

eglwolf · Mar 16, 2017

Here are the apache cipher settings:

SSL Cipher Suite
GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS

SSL/TLS Protocal: All -SSLv2 -SSLv3

cPanelMichael · Mar 16, 2017

eglwolf said:
SSL/TLS Protocal: All -SSLv2 -SSLv3

Hello,

You'd need to change this to the following if you want to disable TLS v1.0:

Code:

All -SSLv2 -SSLv3 -TLSv1

Thank you.

eglwolf · Mar 16, 2017

So the last thing outstanding is the following:

Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32
tcp/2087/2083

Evidence:

Cipher Suite: TLSv1_1 : ECDHE-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_1 : EDH-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_1 : DES-CBC3-SHA
Cipher Suite: TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_2 : EDH-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_2 : DES-CBC3-SHA

cPanelMichael · Mar 17, 2017

Hello,

Check to see if this thread helps for that report:

SOLVED - PCI Scan Fails On Web Services Ports

Thank you.

eglwolf · Mar 17, 2017

I'll try but I am running:

CENTOS 7.3 x86_64 vmware – localhost

WHM 62.0 (build 16)

cPanelMichael · Mar 17, 2017

Here's the specific post with the ciphers used by the user in that thread:

SOLVED - PCI Scan Fails On Web Services Ports

Thank you.

Thread starter	Similar threads	Forum	Replies	Date
R	Trustwave failing PCI compliance : TLSv1.0 Supported: Port: tcp/2224	Security	1	Feb 7, 2020
G	Trustwave failing PCI compliance SSL/TLS Weak Encryption Algorithms on Port 443	Security	2	May 10, 2018
	Trustwave - Insecure ARCFOUR encryption	Security	4	Sep 21, 2016
	Trustwave PCI Failure - mod_proxy	Security	2	Jan 24, 2012
R	TrustWave (PCI) scan fail. Insecure WebDAV Auth.	Security	2	Jan 4, 2012

Search

Search

Trustwave PCI Failed - 3 Issues

eglwolf

Well-Known Member

quizknows

Well-Known Member

eglwolf

Well-Known Member

cPanelMichael

Administrator

eglwolf

Well-Known Member

cPanelMichael

Administrator

eglwolf

Well-Known Member

cPanelMichael

Administrator

eglwolf

Well-Known Member

cPanelMichael

Administrator

eglwolf

Well-Known Member

cPanelMichael

Administrator