PCI DSS and SSL v 3


Following widespread and disastrous SSL/TLS vulnerabilities such as POODLE and FREAK, SSL and early TLS versions are no longer considered strong cryptography, and any web site that still uses them is insecure.

According to the new rules in PCI DSS v3.1, companies have until June 30, 2016 to update to a more recent version of TLS (1.1 or higher). Prior to this date, existing implementations using SSL or early TLS must have a formal risk mitigation and migration plan in place.

The PCI DSS v3.1 requirements directly affected are:

  • Requirement 2.2.3 Implement additional security features for any required services, protocols, or daemons considered insecure.
  • Requirement 2.3 Encrypt all non-console administrative access using strong cryptography.
  • Requirement 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.

 

ZZ Servers is here to help you meet these new requirements. We have tools and procedures in place to quickly implement required changes and help you maintain the security and compliance of your PCI infrastructure. Please contact your Account Manager as soon as possible so we can help you implement the required changes.

GHOST – The Latest Linux Vulnerability


During a code audit performed internally at Qualys, a buffer overflow in the GNU C Library (glibc) was found. Qualys worked closely with Linux distribution vendors to create a patch for all distributions impacted. Vendors made the patch available Wednesday January 28, 2015.

GHOST is a buffer overflow in the gethostbyname functions that can be triggered both locally and remotely. It allows attackers to take full control of a machine through a heap-based buffer overflow in the __nss_hostname_digits_dots() function, which the gethostbyname function calls use. Numerous core processes call gethostbyname, including but not limited to auditd, dbus-daem, dhclient, init, master, mysqld, rsyslogd, sshd and udevd. Applications using glibc are granted access to a DNS resolver, which converts hostnames into IP addresses.

ZZ Servers has patched all internal systems as of January 29, 2015. Managed clients will be patched by Friday February 6, 2015.

ZZ Servers strongly recommends that all other clients patch their Linux systems with the latest update to glibc. Applying the patch is the same as installing any other patch on a Linux system. The flaw exists in older versions of glibc predating the 2.18 release. The latest available patches for all glibc versions of RedHat and Debian flavors have fixed the GHOST vulnerability.

Protecting Against the POODLE SSLv3 Vulnerability


Introduction

On October 14th, 2014, POODLE (Padding Oracle On Downgraded Legacy Encryption), a vulnerability in version 3 of the SSL encryption protocol, was disclosed. This vulnerability allows an attacker using a man-in-the-middle attack to read, in plain text, information encrypted with this version of the protocol.

Even though SSLv3 is an older version and is mainly obsolete, there are many pieces of software that still fall back on SSLv3 when better encryption options are not available. More importantly, it is possible for an attacker to force SSLv3 connections if SSLv3 is an available alternative for both participants attempting a connection.

The POODLE vulnerability affects any services or clients that make it possible to communicate using SSLv3. Because this is a flaw with the protocol design, and not an implementation issue, every piece of software that uses SSLv3 is vulnerable.

To find out more about the vulnerability, consult the CVE entry, CVE-2014-3566.

 

What is POODLE?

POODLE is a weakness in version 3 of the SSL protocol that allows an attacker in a man-in-the-middle position to decipher the plain text content of an SSLv3 encrypted message.

 

Who is Affected by POODLE?

POODLE affects every piece of software that can be coerced into communicating with SSLv3. This means that any software that implements a fallback mechanism that includes SSLv3 support is vulnerable and can be exploited.

Some common pieces of software that may be affected are web browsers, web servers, VPN servers, mail servers, etc.

 

How Does It Work?

The POODLE vulnerability exists because the SSLv3 protocol does not adequately check the padding bytes that are sent with encrypted messages. Since the receiving party cannot verify these bytes, an attacker can replace them and pass the message on to the intended destination. When done in a specific way, the modified payload will potentially be accepted by the recipient without complaint.

On average, one out of every 256 requests will be accepted at the destination, allowing the attacker to decrypt a single byte. This can be repeated easily in order to progressively decrypt additional bytes. Any attacker able to repeatedly force a participant to resend data using this protocol can break the encryption in a very short amount of time.
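The acceptance rule described above, modelled on already-decrypted record bytes as an added example (not code from the original article or from any TLS library). It contrasts the SSLv3 padding check with the stricter TLS check and counts how many of the 256 possible final bytes each one accepts; HMAC-SHA1, the key, the filler bytes and all function names are constructed for illustration, and SSLv3's real record MAC is a different construction.

```python
import hashlib
import hmac

BLOCK = 16        # CBC block size (AES)
MAC_LEN = 20      # HMAC-SHA1 used as a stand-in for the SSLv3 record MAC
KEY = b"constructed-demo-mac-key"


def _mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha1).digest()


def build_record(data: bytes) -> bytes:
    """Decrypted record layout: data || MAC || padding || pad_len byte."""
    body = data + _mac(data)
    pad_len = BLOCK - 1 - (len(body) % BLOCK)
    return body + bytes([pad_len]) * (pad_len + 1)


def _mac_ok(record: bytes, pad_len: int) -> bool:
    body = record[: len(record) - pad_len - 1]
    if len(body) < MAC_LEN:
        return False
    return hmac.compare_digest(body[-MAC_LEN:], _mac(body[:-MAC_LEN]))


def sslv3_accepts(record: bytes) -> bool:
    pad_len = record[-1]
    # SSLv3 only bounds the length; the padding bytes themselves are never checked.
    return pad_len < BLOCK and _mac_ok(record, pad_len)


def tls_accepts(record: bytes) -> bool:
    pad_len = record[-1]
    padding = record[-(pad_len + 1):]
    # TLS requires every padding byte to equal pad_len.
    if pad_len + 1 > len(record) or padding != bytes([pad_len]) * (pad_len + 1):
        return False
    return _mac_ok(record, pad_len)


def accepted_last_bytes(accepts, filler: bytes = b"\xaa" * (BLOCK - 1)) -> list:
    """Swap the all-padding final block for filler + each possible last byte."""
    prefix = build_record(b"GET / HTTP/1")[:-BLOCK]   # 12 + 20 bytes = 2 blocks
    return [b for b in range(256) if accepts(prefix + filler + bytes([b]))]
```

Under the SSLv3 rule exactly one final-byte value (15, the full-block padding length) gets through regardless of the other 15 bytes, which is the one-in-256 figure; under the TLS rule none do.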

 

How Can I Protect Myself?

Actions should be taken to ensure that you are not vulnerable in your roles as both a client and a server. Since encryption is usually negotiated between clients and servers, it is an issue that involves both parties.

Servers and clients should take steps to disable SSLv3 support completely. Many applications use better encryption by default, but implement SSLv3 support as a fallback option. This should be disabled, as a malicious user can force SSLv3 communication if both participants allow it as an acceptable method.

 

Protecting Common Applications

How to disable SSLv3 on some common server applications is covered below. Take care to evaluate your servers to protect any additional services that may rely on SSL/TLS encryption.

Because POODLE does not represent an implementation problem and is an inherent issue with the entire protocol, there is no workaround and the only reliable solution is to disable SSLv3.

 

Apache Web Server

To disable SSLv3 on the Apache web server, adjust the SSLProtocol directive provided by the mod_ssl module.

This directive can be set either at the server level or in a virtual host configuration. Depending on the distribution’s Apache configuration, the SSL configuration may be located in a separate file that is sourced.

Ubuntu

The server-wide specification for servers can be adjusted by editing the /etc/apache2/mods-available/ssl.conf file. If mod_ssl is enabled, a symbolic link will connect this file to the mods-enabled subdirectory:

Save and close the file. Restart the service to enable the changes:

 

CentOS

Adjust this in the SSL configuration file located here (if SSL is enabled):

Find the SSLProtocol directive. If this is not available, create it. Modify this to explicitly remove support for SSLv3:

Save and close the file. Restart the service to enable the changes:

 

OpenVPN VPN Server

Recent versions of OpenVPN do not allow SSLv3. The service is not vulnerable to this specific problem.

See this post on the OpenVPN forums for more information.

 

Postfix SMTP Server

If the Postfix configuration is set up to require encryption, it will use a directive called:

This can be found in the main Postfix configuration file:

 

To ensure that SSLv3 and SSLv2 are not accepted, set the parameter below. If encryption is not forced, do not change anything:

Save the configuration. Restart the service to implement the changes:

 

Further Steps

Along with server-side applications, any client applications should be updated.

Web browsers may be vulnerable to this issue because of their step-down protocol negotiation. Ensure that all browsers do not allow SSLv3 as an acceptable encryption method. This may be adjustable in the settings or through the installation of an additional plugin or extension.

 

Summary

POODLE is a dangerous vulnerability with far reaching ramifications because of a large installed application base which requires support for SSLv3. Protective measures need to be taken to protect both consumer and provider resources that utilize SSL encryption.

Application Firewall Signature – 201410020822 (Baseline Version Update)


A baseline version for ZZ Servers’ Application Firewall 201410020822 is now available.  ZZ Servers will be performing baseline version updates on the Application Firewall.

ChangeLog for Baseline Version 201410020822

Changed rule: bash injection CVE-2014-6271 and CVE-2014-7169 – Reason: IMPORTANT: We will enable the "apply_patterns_to_keys" in the BaselineProtectionHandler for full protection against ShellShock.

If you have any questions or need additional help, please contact ZZ Servers Support.

Bash Security Vulnerability Patch Instructions


A new major security vulnerability impacting Linux customers who leverage Bash as their shell was announced in September. ZZ Servers strongly recommends that customers exposed to this vulnerability apply the appropriate security patch as soon as possible. Below are instructions for patching your systems:

  • For Debian or Ubuntu, run the following command:

 

apt-get update && apt-get install -y --only-upgrade bash

  • For CentOS or RedHat, run the following command:

 

yum update bash 

 

If you have any questions or need additional help, please contact ZZ Servers Support.