Fix Virtual private server PCI compliance vulnerabilities

Closed

Description

Hi,

We have had a Trustwave PCI scan completed on our virtual private server and it has flagged up a few vulnerabilities; we require these to be fixed and a scan that passes to be performed upon completion.

Here is our server specification:

CentOS 6.3 (Final), Parallels Plesk Panel [url removed, login to view]

Here is the list of issues we require fixing:

#1. Unencrypted Communication Channel Accessibility (Policy Violation)

The service running on this port (most often Telnet, FTP, etc…) appears to make use of a plaintext (unencrypted) communication channel. Payment industry policies (PCI 1.1.5.b, 2.2.2.b, 2.3, & 8.4.a) forbid the use of such insecure services/protocols. Unencrypted communication channels are vulnerable to the disclosure and/or modification of any data transiting through them (including usernames and passwords), and as such the confidentiality and integrity of the data in transit cannot be ensured with any level of certainty.

CVSSv2: AV:N/AC:L/Au:N/C:C/I:C/A:N([url removed, login to view])

Service: ftp

#2. MTA Open Mail Relaying Allowed

The SMTP mail transport agent (MTA) allows unauthenticated users to relay messages. Spammers can use this vulnerability to waste bandwidth and hide the true source of unsolicited messages.

CVE: CVE-1999-0512 NVD: CVE-1999-0512 CVSSv2: AV:N/AC:L/Au:N/C:C/I:C/A:C([url removed, login to view])

Service: smtp

#3. Web Application Transmits Login Credentials Without Encryption

There is a web application running on this host that transmits login credentials over HTTP, which is a cleartext protocol. As such, if an attacker was able to intercept traffic containing login credentials, it would be trivial to view user account and password information.

CVSSv2: AV:A/AC:H/Au:N/C:C/I:N/A:N([url removed, login to view])

Service: http

#4. SSLv2 Supported

This SSL service supports SSLv2 connections. SSLv2 has known cryptographic weaknesses that can lead to the compromise of data encrypted during the SSL session. Secure web applications should only enable SSLv3, TLSv1, or newer. SSLv3 was released in 1996 with numerous security enhancements over SSLv2. TLSv1 was introduced in 1999 as an enhancement to the security features of SSLv3. All modern browsers have support for both SSLv3 and TLSv1, and often disable support for SSLv2 in the interests of security. The PCI ASV Operational Requirements require that if SSLv2 is used in the transmission of cardholder data, this must result in a failure. This was clarified in the PCI "Assessor Update: November 2008" (see the reference link in this finding).

CVSSv2: AV:N/AC:L/Au:N/C:P/I:N/A:N([url removed, login to view])

Service: smtp

#5. Unix/Linux RPC Service Accessibility (Policy Violation)

Ports associated with Unix/Linux remote procedure calls (RPC) are accessible from the Internet. This generally reflects a lack of adequate firewall rules or other network-level access control, which violates requirement 1 of the PCI DSS.

CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:N([url removed, login to view])

Service: sunrpcportmap

#6. Unix/Linux RPC Service Accessibility (Policy Violation)

Ports associated with Unix/Linux remote procedure calls (RPC) are accessible from the Internet. This generally reflects a lack of adequate firewall rules or other network-level access control, which violates requirement 1 of the PCI DSS.

CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:N([url removed, login to view])

Service: sunrpcportmap

#7. DB Accessibility (Policy Violation)

There is a port open on this server that is usually used for database connections. Payment industry policy forbids exposing databases containing cardholder data directly to the Internet.

CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:N([url removed, login to view])

Service: mysql

Thanks,

Neal
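The findings above carry CVSSv2 vectors but their scores were lost with the removed links. As an added example (not part of the job posting or of the scanner's output), this Python script parses the pasted "#N. … / CVSSv2: … / Service: …" layout and ranks the findings by CVSSv2 base score so remediation can be ordered by severity; the sample report is a constructed excerpt whose vectors are copied from the findings above.

```python
import re

# CVSSv2 base-metric weights, as defined in the CVSS v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}

FINDING_RE = re.compile(r"^#(\d+)\.\s+(.*)")
VECTOR_RE = re.compile(r"CVSSv2:\s*(AV:[LAN]/AC:[HML]/Au:[MSN]/C:[NPC]/I:[NPC]/A:[NPC])")
SERVICE_RE = re.compile(r"^Service:\s*(\S+)")

def cvss2_base_score(vector):
    """CVSSv2 base score for a vector such as 'AV:N/AC:L/Au:N/C:C/I:C/A:N'."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176  # the spec zeroes the score when nothing is impacted
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)

def parse_findings(report):
    """Parse the pasted report into a list of findings, highest base score first."""
    findings, current = [], None
    for line in report.splitlines():
        line = line.strip()
        if (m := FINDING_RE.match(line)):
            current = {"id": int(m.group(1)), "title": m.group(2), "vector": None, "service": None, "score": 0.0}
            findings.append(current)
        elif current and (m := VECTOR_RE.search(line)):
            current["vector"], current["score"] = m.group(1), cvss2_base_score(m.group(1))
        elif current and (m := SERVICE_RE.match(line)):
            current["service"] = m.group(1)
    return sorted(findings, key=lambda f: f["score"], reverse=True)

# Constructed excerpt in the scanner's layout; the vectors are copied from the findings above.
SAMPLE_REPORT = """
#2. MTA Open Mail Relaying Allowed The SMTP mail transport agent (MTA) allows unauthenticated users to relay messages.
CVE: CVE-1999-0512 NVD: CVE-1999-0512 CVSSv2: AV:N/AC:L/Au:N/C:C/I:C/A:C([url removed])
Service: smtp
#4. SSLv2 Supported This SSL service supports SSLv2 connections.
CVSSv2: AV:N/AC:L/Au:N/C:P/I:N/A:N([url removed])
Service: smtp
#5. Unix/Linux RPC Service Accessibility (Policy Violation) RPC ports are accessible from the Internet.
CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:N([url removed])
Service: sunrpcportmap
"""

if __name__ == "__main__":
    for f in parse_findings(SAMPLE_REPORT):
        print(f"{f['score']:4.1f}  #{f['id']}  {f['service']:<14} {f['title'][:60]}")
```

A 0.0 base score for the RPC and database items does not make them pass: the scanner marks them as policy violations, which the report text says fail the requirement regardless of score.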

Skills: Apache, Compliance, Linux, Plesk


Project ID: #4898238

Awarded to:

muzumbu

Skilled Linux Admin with Plesk and PCI Experience available for work.

$150 USD in 3 days
(52 Reviews)
5.2

2 freelancers are bidding on average $150 for this job

kvide

Hi, I can solve your PCI DSS related issues. Please read PM for details.

$150 USD in 3 days
(0 Reviews)
0.0