eFa server failing PCI Compliance scan

cphillips
Posts: 26
Joined: 12 Nov 2016 20:16

eFa server failing PCI Compliance scan

Post by cphillips » 10 Jul 2019 09:20

Hi,

I run an eFa 3.0.2.6 server and it is scanned quarterly for compliance as we take credit card payments.

The latest scan has failed with the following:

Banner Based Vulnerabilities for Postfix smtpd
CVEs:
CVE-2009-2939 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C
CVE-2008-4977 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C
CVE-2011-0411 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
CVE-2011-1720 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
CVE-2012-0811 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
CVE-2008-2936 6.2 AV:L/AC:H/Au:N/C:C/I:C/A:C
CVE-2017-10140 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P
CVE-2008-3889 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P
CVE-2008-2937 1.9 AV:L/AC:M/Au:N/C:P/I:N/A:N

It seems this is running Postfix 3.1.4, which is fairly old. Is it possible to update the version of Postfix on this system, or am I better off migrating to eFa v4?

Thanks in advance.

shawniverson
Posts: 2839
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: eFa server failing PCI Compliance scan

Post by shawniverson » 10 Jul 2019 10:18

Plan on moving to v4. :dance:
Version eFa 4.0.0 RC3 now available in testing repo. Come join us in advancing eFa!

cphillips
Posts: 26
Joined: 12 Nov 2016 20:16

Re: eFa server failing PCI Compliance scan

Post by cphillips » 14 Jul 2019 08:38

Ok, I've now built an eFa 4.0 VM and I'm still having the same issue. I also had security warnings (TLS 1.0 enabled, etc.); I've sorted those out but still need to remedy the following:

CVE Score Vector
CVE-2009-2939 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C
CVE-2008-4977 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C
CVE-2011-0411 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
CVE-2011-1720 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
CVE-2012-0811 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
CVE-2008-2936 6.2 AV:L/AC:H/Au:N/C:C/I:C/A:C
CVE-2017-10140 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P
CVE-2008-3889 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P
CVE-2008-2937 1.9 AV:L/AC:M/Au:N/C:P/I:N/A:N

They are coming up under a Security Metrics scan, under the heading "Banner Based Vulnerabilities for Postfix smtpd"

Thanks in advance

shawniverson
Posts: 2839
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: eFa server failing PCI Compliance scan

Post by shawniverson » 14 Jul 2019 14:10

Many of these look like false positives based on the smtpd banner (?) and postfix has long since fixed these issues.

For example...

CVE-2009-2939 says that postfix has write access to pids in /var/spool/postfix/pid, but this is not the case.


-rw-------. 1 root root  0 Jan 19 22:05 inet.smtp
-rw-------. 1 root root  0 Jan 20 19:34 inet.submission
-rw-------. 1 root root 33 Jul 14 00:37 master.pid
-rw-------. 1 root root  0 Jun 27 23:10 unix.bounce
-rw-------. 1 root root  0 Jan 19 22:10 unix.cleanup
-rw-------. 1 root root  0 Jan 19 22:10 unix.defer
-rw-------. 1 root root  0 Jan 19 22:10 unix.flush
-rw-------. 1 root root  0 Jan 22 21:46 unix.local
-rw-------. 1 root root  0 Jan 19 22:13 unix.retry
-rw-------. 1 root root  0 Jan 19 22:05 unix.showq
-rw-------. 1 root root  0 Jan 19 22:10 unix.smtp

You can clearly see that only root has access, and postfix is running under the user postfix. Furthermore, SELinux is enforcing.

I have no idea how it is making this determination. A guess would be since the postfix version is not displayed in the banner, it is making assumptions.

shawniverson
Posts: 2839
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: eFa server failing PCI Compliance scan

Post by shawniverson » 14 Jul 2019 14:17

Even the most recent vulnerability, CVE-2017-10140, has been fixed. v4 is running postfix version 3.3.0.

http://www.postfix.org/announcements/postfix-3.2.2.html
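The two replies above come down to three checks an administrator can run before disputing a banner-based finding: the SMTP greeting carries no version string (so the scanner is guessing), the pid files are root-owned and not writable by the postfix user, and the installed Postfix is at or past the release that fixed the newest CVE on the list (3.2.2 per the linked announcement; v4 ships 3.3.0). The script below is an added example written for this thread, not code from the eFa project or from either poster. The sample banners are constructed strings, the pid path follows the listing above, and the live section only runs where `postconf` is installed.

```shell
#!/bin/sh
# Added example for this thread, not eFa project code. /var/spool/postfix/pid
# follows the listing in the thread; the banners below are constructed test
# strings, not captured from any real server.

# 0 if an SMTP greeting carries a dotted version number after ESMTP/Postfix,
# 1 otherwise. Postfix's default banner is "$myhostname ESMTP $mail_name",
# which names the software but not its version, so a banner-only scanner has
# nothing to pin a CVE list to and falls back to guessing.
banner_discloses_version() {  # banner_discloses_version "220 ... ESMTP ..."
    printf '%s\n' "$1" | grep -Eq '(ESMTP|Postfix)[^0-9]*[0-9]+\.[0-9]+'
}

# Files under DIR that are group- (020) or world- (002) writable. The listing
# in the thread shows every pid file as root-owned mode 0600, so this should
# print nothing on a healthy install: the daemons run as "postfix" and only
# root can write here.
loose_pid_files() {  # loose_pid_files DIR
    find "$1" -type f \( -perm -020 -o -perm -002 \)
}

loose_pid_file_count() {  # loose_pid_file_count DIR
    loose_pid_files "$1" | wc -l | tr -d ' '
}

# 0 if dotted version $1 >= $2, 1 otherwise; avoids the GNU-only "sort -V".
version_ge() {  # version_ge HAVE WANT
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Release that fixed the newest CVE in the scan, per the announcement linked
# in the thread.
CVE_2017_10140_FIXED_IN=3.2.2

# Demonstration on constructed banners.
for banner in '220 mx1.example.com ESMTP Postfix' \
              '220 mx1.example.com ESMTP Postfix 3.3.0'; do
    if banner_discloses_version "$banner"; then
        echo "version visible : $banner"
    else
        echo "no version shown: $banner"
    fi
done

# Live checks, only where Postfix is installed (e.g. on the eFa box itself).
if command -v postconf >/dev/null 2>&1; then
    have=$(postconf -h mail_version)
    echo "mail_version = $have"
    echo "smtpd_banner = $(postconf -h smtpd_banner)"
    if version_ge "$have" "$CVE_2017_10140_FIXED_IN"; then
        echo "Postfix $have >= $CVE_2017_10140_FIXED_IN: CVE-2017-10140 fix present"
    fi
    echo "loose pid files: $(loose_pid_file_count /var/spool/postfix/pid)"
fi
```

The output of the live section (version, banner setting, and an empty loose-file count) is the evidence to attach to a dispute ticket with the scanning vendor; the version comparison is what "prove that Postfix was 3.3.0" amounts to.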

cphillips
Posts: 26
Joined: 12 Nov 2016 20:16

Re: eFa server failing PCI Compliance scan

Post by cphillips » 15 Jul 2019 13:52

shawniverson wrote:
14 Jul 2019 14:17
Even the most recent vulnerability, CVE-2017-10140, has been fixed. v4 is running postfix version 3.3.0.

http://www.postfix.org/announcements/postfix-3.2.2.html

Thanks, I've raised a ticket with the scanning company for them to investigate as it does indeed look like false positives.

I'll report back what they say!

cphillips
Posts: 26
Joined: 12 Nov 2016 20:16

Re: eFa server failing PCI Compliance scan

Post by cphillips » 25 Jul 2019 12:36

Just to update this..

I had to disable TLS 1.0 and then prove that Postfix was 3.3.0 which then resulted in a PCI DSS pass!

Also had to setup a proper SSL certificate as the self generated one was failing.

Got there in the end.
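The fix described in the last post (disable TLS 1.0, show the scanner the real Postfix version, replace the self-signed certificate) lives in Postfix main.cf. The script below is an added example, not eFa's own configuration or anything posted in the thread: it embeds a constructed main.cf that still offers TLS 1.0 beside a corrected one, reads parameters the way Postfix resolves them (comments skipped, last assignment wins, indented continuation lines and $variables not handled), and reports whether `smtpd_tls_protocols` and `smtpd_tls_mandatory_protocols` still admit TLSv1 or TLSv1.1. The certificate paths are assumptions. The exclusion form (`!TLSv1, !TLSv1.1`) is what works on the 3.3.0 in the thread; the `>=TLSv1.2` floor form it also accepts is available from Postfix 3.6 on.

```shell
#!/bin/sh
# Added example for this thread, not eFa's own configuration. The two main.cf
# samples are constructed; the certificate paths in them are assumptions.

# Value of PARAM in a main.cf-style FILE, the way Postfix resolves it:
# comments skipped, last assignment wins, empty if unset. $variables are not
# expanded and indented continuation lines are not joined.
cf_get() {  # cf_get FILE PARAM
    awk -v p="$2" '
        /^[ \t]*#/ { next }
        {
            if (match($0, "^[ \t]*" p "[ \t]*=")) {
                v = substr($0, RLENGTH + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            }
        }
        END { print v }' "$1"
}

# 0 if a Postfix protocol list still admits TLSv1 or TLSv1.1. In the exclusion
# form every protocol is on unless prefixed with "!"; an unset parameter uses
# the Postfix default, which excludes only SSLv2/SSLv3 and so still offers
# TLS 1.0. The ">=TLSv1.2" floor form (Postfix 3.6 and later) is also accepted.
allows_legacy_tls() {  # allows_legacy_tls "PROTOCOL LIST"
    list=$(printf '%s' "$1" | tr ',' ' ')
    case " $list " in
        *" >=TLSv1.2 "*|*" >=TLSv1.3 "*) return 1 ;;
    esac
    case " $list " in
        *" !TLSv1 "*) ;;
        *) return 0 ;;
    esac
    case " $list " in
        *" !TLSv1.1 "*) return 1 ;;
        *) return 0 ;;
    esac
}

# Report the two smtpd parameters a PCI scanner's TLS 1.0 finding turns on.
# Exit status is the number of parameters that still need fixing.
audit_smtpd_tls() {  # audit_smtpd_tls FILE
    weak=0
    for param in smtpd_tls_protocols smtpd_tls_mandatory_protocols; do
        val=$(cf_get "$1" "$param")
        if allows_legacy_tls "$val"; then
            echo "WEAK $param = ${val:-unset, so the Postfix default applies}"
            weak=$((weak + 1))
        else
            echo "ok   $param = $val"
        fi
    done
    return $weak
}

# Handshake probe for after the change: 0 if HOST still completes a TLS 1.0
# STARTTLS handshake on PORT (default 25). Needs an OpenSSL built with TLS 1.0.
tls10_still_offered() {  # tls10_still_offered HOST [PORT]
    openssl s_client -connect "$1:${2:-25}" -starttls smtp -tls1 </dev/null 2>&1 \
        | grep -q 'Protocol *: TLSv1$'
}

# Constructed sample 1: self-signed certificate, only SSLv2/SSLv3 excluded.
weak_cf=$(mktemp)
cat >"$weak_cf" <<'EOF'
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/localhost.crt
smtpd_tls_key_file = /etc/pki/tls/private/localhost.key
smtpd_tls_protocols = !SSLv2, !SSLv3
EOF

# Constructed sample 2: CA-issued chain, TLS 1.0/1.1 excluded on both the
# opportunistic and the mandatory (e.g. submission) paths.
hardened_cf=$(mktemp)
cat >"$hardened_cf" <<'EOF'
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.com.fullchain.pem
smtpd_tls_key_file = /etc/pki/tls/private/mail.example.com.key
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
EOF

echo "== before =="; audit_smtpd_tls "$weak_cf" || echo "-> $? parameter(s) to fix"
echo "== after  =="; audit_smtpd_tls "$hardened_cf" && echo "-> nothing to fix"
```

Run `audit_smtpd_tls /etc/postfix/main.cf` on the real box, reload Postfix after editing, and then confirm from outside with `tls10_still_offered mail.example.com` returning non-zero; that external probe is what the quarterly scan is effectively doing.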
