PCI Compliance Scans - False Positives

PCI compliance scans can sometimes report issues that may not truly affect your website’s security. These false positives occur because the scanner relies on version numbers to detect vulnerabilities, which may not reflect the actual security state of the server. Many servers, especially those managed by hosting providers and enterprise-level operating systems, receive security updates through backporting—where fixes are applied without changing the software version number.

You can use the information in the table below to identify and report these false positives to your PCI compliance provider.


Title

CVE Number

Reason

CPE Based Vulnerabilities for OpenSSH

CVE-2023-51767

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

https://access.redhat.com/security/cve/cve-2023-51767

Furthermore, we use Samsung DDR4/DDR5 memory, which has had TRR enabled since 2014: https://download.semiconductor.samsung.com/resources/device-operation-timing-diagram/DDR4_Device_Operations_Rev11_Oct_14-0.pdf

We have also run the RowHammer test provided by Google (https://github.com/google/rowhammer-test) and provided the screenshot:

CPE Based Vulnerabilities for OpenSSH

CVE-2020-15778

To exploit this SERVER vulnerability in SCP, a bad actor would first have to obtain the username and either the password or an authorised private key. Should an attacker gain access to those credentials, then they would already enjoy full access to the account via other SSH methods on the same TCP port, so this SCP vulnerability in itself does not provide the attacker with any increase in privileges.

It remains the responsibility of the CLIENT to prove they have adequately audited policies and procedures in place to ensure the safety of any passwords or private keys associated with their account. This much is beyond the scope of Krystal Hosting.

While Krystal Hosting accept incoming SCP connections to this server from internal automation systems, those connections are only accepted from known host addresses using key based authentication to unprivileged accounts with no access to card data.

CPE Based Vulnerabilities for OpenSSH

CVE-2019-6110

CVE-2019-6111

CVE-2019-6109

CVE-2018-20685

These are CLIENT vulnerabilities. The client does not make outbound SSH connections of any kind FROM this server and is therefore not at risk. Krystal Hosting make outbound connections to hosts on their internal network only, and then only using key pairs and where the host fingerprint is already validated through internal processes. Such client connections are made from unprivileged accounts with no access to card data.

CPE Based Vulnerabilities for OpenSSH

CVE-2021-41617

None of the directives that would make our server vulnerable are enabled:

[root@cardok-lon1 ~]# grep '^AuthorizedKeysCommand' /etc/ssh/sshd_config
[root@cardok-lon1 ~]# grep '^AuthorizedPrincipalsCommand' /etc/ssh/sshd_config
[root@cardok-lon1 ~]#

https://access.redhat.com/security/cve/cve-2021-41617

CPE Based Vulnerabilities for OpenSSH

CVE-2019-16905

The versions of OpenSSH shipped with Red Hat (including AlmaLinux) do not enable support for XMSS and are therefore not affected by this flaw.

https://access.redhat.com/security/cve/cve-2019-16905

CPE Based Vulnerabilities for OpenSSH

CVE-2020-14145

CVE-2020-14145 relates to an SSH CLIENT information leak whereby a MITM attack could be mounted to present false identity information where the client does not yet have the host key cached (~/.ssh/known_hosts on Linux). The client does not make outbound SSH connections of any kind FROM this server. Krystal Hosting make outbound connections to hosts on their internal network only, and then only using key pairs and where the host fingerprint is already validated through internal processes. Such client connections are made from unprivileged accounts with no access to card data.

CPE Based Vulnerabilities for OpenSSH

CVE-2007-2768

OPIE for PAM is not shipped with AlmaLinux 8, so the server is not vulnerable:

[root@arrakis ~]# find /etc/pam.d -type f -exec grep -nHe "opie" {} ";"
[root@arrakis ~]#

CPE Based Vulnerabilities for OpenSSH

CVE-2016-20012

This is disputed:

https://access.redhat.com/security/cve/CVE-2016-20012

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-20012

Although a CVE was assigned upstream, Red Hat does not consider it to be a security flaw and it will not receive a patch; the CVE has also been marked as disputed by MITRE. Considering this, Red Hat is closing the flaw as NOTABUG.

CPE Based Vulnerabilities for OpenSSH

CVE-2017-15906

This fix has been backported:

[root@sahara ~]# rpm -qa --changelog openssh | grep CVE-2018-15473
- Fix for CVE-2018-15473 (#1619079)

CPE Based Vulnerabilities for OpenSSH

CVE-2023-38408

This fix has been backported:

[root@kuat-lon2 ~]# rpm -q --changelog openssh| grep CVE-2023-38408
Related: CVE-2023-38408
Resolves: CVE-2023-38408

CPE Based Vulnerabilities for OpenSSH

CVE-2018-15919

Not vulnerable:

[root@sahara ~]# grep '^GSSAPIAuthentication' /etc/ssh/sshd_config
GSSAPIAuthentication no

CPE Based Vulnerabilities for OpenSSH

CVE-2007-2243

Not vulnerable:

[root@pinnacles ~]# grep '^ChallengeResponseAuthentication' /etc/ssh/sshd_config
ChallengeResponseAuthentication no

CPE Based Vulnerabilities for OpenSSH

CVE-2021-36368

This is disputed: https://nvd.nist.gov/vuln/detail/CVE-2021-36368

The attack requires that the host node is already compromised in a way that lets attackers modify the configuration. Our servers use CloudLinux, so all client permissions and processes are confined inside a cage and no client user can change the system configuration. In addition, we maintain the SSH configuration ourselves, so any changes made to it would be reset.

CPE Based Vulnerabilities for OpenSSH

CVE-2008-3844

This only affects Red Hat Enterprise Linux 4 and 5:

https://access.redhat.com/security/cve/CVE-2008-3844

CPE Based Vulnerabilities for OpenSSH

CVE-2023-51384

This vulnerability only applies where destination constraints are defined and multiple keys are returned from a PKCS#11 token. Use of regular private keys, FIDO tokens and unconstrained keys is unaffected.

The affected functionality was added only in OpenSSH 8.9; Red Hat Enterprise Linux 6, 7, 8 and 9 ship earlier versions.

https://access.redhat.com/security/cve/cve-2023-51384

CPE Based Vulnerabilities for OpenSSH

CVE-2024-3094

This was an edge-case vulnerability that only affected hosts using beta/edge releases. AlmaLinux and CentOS were not affected, since both are downstream of the release.

CPE Based Vulnerabilities for OpenSSH

CVE-2023-51385

CVE-2023-48795

[root@fergus-lon2 ~]# rpm -q --changelog openssh| grep -A 3 Terrapin
- Fix Terrapin attack
Resolves: RHEL-19308

* Thu Dec 21 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-22
- Fix Terrapin attack
Resolves: RHEL-19308
- Forbid shell metasymbols in username/hostname
Resolves: RHEL-19788

CPE Based Vulnerabilities for OpenSSH

CVE-2024-6387

[ ~]# rpm --changelog -q openssh-8.7p1-38.el9.alma.2.x86_64| less
* Mon Jul 01 2024 Jonathan Wright <jonathan@almalinux.org> - 8.7p1-38.alma.2
- Fix regreSSHion attack
Resolves: CVE-2024-6387

Exim

CVE-2023-51766

This is fixed in all versions of 118 and was fixed in 116.0.11.

[root@server1 ~]# rpm -q --changelog cpanel-exim | grep 51766
- CPANEL-43706: Apply upstream patches for CVE-2023-51766

HSTS Missing From HTTPS Server

N/A

HSTS can be added at the site level using the following in the site's .htaccess file (requires mod_headers; the value must be quoted because it contains a space and a semicolon):

Header set Strict-Transport-Security "max-age=10886400; includeSubDomains"

SMTP Server Non-standard Port Detection

N/A

- Port 525 is an intentionally open port.

- Our hosting SMTP daemon simply listens on TCP/525 in addition to TCP/25 because some of our clients' ISPs restrict their port 25 connectivity to their own mail services.

- Authentication for relaying remote domains requires username/password.

- Relaying for remote domains requires the connection be elevated to TLS BEFORE authentication is accepted.

- The port is filtered against known bad actors.

Cookie Does Not Contain The "secure" Attribute

N/A

Please report these as false positives, on the basis that requests received on ports 2082, 2086 and 2095 are answered with nothing more than a redirect to the service's secure HTTPS port.

For example, 2082, 2086 and 2095 are non-SSL ports that redirect the user to 2083, 2087 and 2096 respectively. No application runs on them and no submitted data is processed, other than the connecting host's connection details.

Database Reachable from the Internet

N/A

Although port 3306 responds, MySQL is not reachable as per the following output:

$ telnet 185.53.58.213 3306

Trying 185.53.58.213...
Connected to 185.53.58.213.
Escape character is '^]'.
Host '10.210.11.183' is not allowed to connect to this MariaDB serverConnection closed by foreign host.

Multiple Mail Server EXPN/VRFY Information Disclosure (Port 587)

N/A

EXPN and VRFY are disabled on the fleet. This can be verified with telnet by running HELP:

$ telnet biers-lon.krystal.uk 587
Trying 77.72.2.54...
Connected to biers-lon.krystal.uk.
Escape character is '^]'.
220- ESMTP Exim
220- We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
help
214-Commands supported:
214 AUTH STARTTLS HELO EHLO MAIL RCPT DATA BDAT NOOP QUIT RSET HELP

cpsrvd XSS

CVE-2023-29489

This impacts cPanel versions prior to 11.109.9999.116; this system is not affected:

[root@bors ~]# cat /usr/local/cpanel/version
11.110.0.33

iconv Output Buffer

CVE-2024-2961

This has been mitigated in CL8 and CL7:

[root@tabernas ~]# rpm -q glibc-common-2.17-326.el7_9.3.x86_64 --changelog | grep 2961
- CVE-2024-2961: Out of bounds write in iconv conversion to ISO-2022-CN-EXT (RHEL-31803)
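The two kinds of evidence the table relies on, a backported fix credited in the RPM changelog and an sshd directive that is actually in effect, can be scripted so the same check is repeated for every flagged CVE. The following is an added example and not Krystal Hosting's own tooling; the changelog and sshd_config text it inspects are constructed samples, and on a live host you would pass in the output of rpm -q --changelog and the contents of /etc/ssh/sshd_config as the comments show.

```shell
# Added example, not Krystal Hosting's own tooling. Both functions take the
# text to inspect as an argument, so on a live host you would call them as
#   cve_in_changelog CVE-2023-38408 "$(rpm -q --changelog openssh)"
#   sshd_directive GSSAPIAuthentication "$(cat /etc/ssh/sshd_config)" no

# Return 0 if some changelog line names the CVE as fixed. A bare
# "Related: CVE-..." line is excluded, because in Red Hat changelogs it marks
# related work rather than the fix itself (heuristic, not a vendor rule).
cve_in_changelog() {
    printf '%s\n' "$2" | grep -F -- "$1" | grep -qvE '^[[:space:]-]*Related:'
}

# Print the effective value of an sshd_config keyword: comments are ignored,
# the keyword is case-insensitive, the first occurrence wins (sshd semantics),
# and everything from the first Match block on is skipped because it applies
# only conditionally. The default given as $3 is printed when the keyword is
# absent, so an empty grep for a keyword whose default is "yes" (for example
# ChallengeResponseAuthentication) is not evidence that it is off.
# Only the "Keyword value" form is handled, not "Keyword=value".
sshd_directive() {
    val=$(printf '%s\n' "$2" | awk -v key="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) {
            v = $2; for (i = 3; i <= NF; i++) v = v " " $i; print v; exit
        }')
    printf '%s\n' "${val:-${3:-unset}}"
}

# Constructed sample data (not output from a real host).
SAMPLE_CHANGELOG='* Thu Dec 21 2023 Example Packager <packager@example.invalid> - 8.0p1-22
- Fix for CVE-2018-15473 (#1619079)
Related: CVE-2023-38408'
SAMPLE_SSHD_CONFIG='# ChallengeResponseAuthentication no   (commented out: does not apply)
gssapiauthentication no
GSSAPIAuthentication yes
Match User backup
    AuthorizedKeysCommand /usr/local/bin/keys'

for cve in CVE-2018-15473 CVE-2023-38408; do
    if cve_in_changelog "$cve" "$SAMPLE_CHANGELOG"; then
        echo "$cve: fix credited in changelog"
    else
        echo "$cve: no fix line found, do not claim it as backported"
    fi
done
echo "GSSAPIAuthentication = $(sshd_directive GSSAPIAuthentication "$SAMPLE_SSHD_CONFIG" no)"
echo "ChallengeResponseAuthentication = $(sshd_directive ChallengeResponseAuthentication "$SAMPLE_SSHD_CONFIG" yes)"
echo "AuthorizedKeysCommand = $(sshd_directive AuthorizedKeysCommand "$SAMPLE_SSHD_CONFIG" none)"
```

The sample shows the two traps the page's one-line greps can miss: a "Related:" changelog line that is not a fix, and a keyword that is commented out or sits inside a Match block, where the default rather than the grep result is what counts.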


© Krystal Hosting Ltd 2002–