
eFa server failing PCI Compliance scan

Posted: 10 Jul 2019 09:20
by cphillips
Hi,

I run an eFa 3.0.2.6 server and it is scanned quarterly for compliance as we take credit card payments.

The latest scan has failed with the following:

Banner Based Vulnerabilities for Postfix smtpd
CVEs:
CVE-2009-2939 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C
CVE-2008-4977 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C
CVE-2011-0411 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
CVE-2011-1720 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
CVE-2012-0811 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
CVE-2008-2936 6.2 AV:L/AC:H/Au:N/C:C/I:C/A:C
CVE-2017-10140 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P
CVE-2008-3889 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P
CVE-2008-2937 1.9 AV:L/AC:M/Au:N/C:P/I:N/A:N

It seems this is running Postfix 3.1.4 which is fairly old. Is it possible to update the version of Postfix on this system or am I better off migrating to eFa v4?

Thanks in advance.

Re: eFa server failing PCI Compliance scan

Posted: 10 Jul 2019 10:18
by shawniverson
Plan on moving to v4. :dance:

Re: eFa server failing PCI Compliance scan

Posted: 14 Jul 2019 08:38
by cphillips
Ok, I've now built an eFa 4.0 VM and I'm still having the same issue. I also had security warnings (TLS 1.0 enabled, etc.). I've sorted those out but still need to remedy the following:

CVE Score Vector
CVE-2009-2939 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C
CVE-2008-4977 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C
CVE-2011-0411 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
CVE-2011-1720 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
CVE-2012-0811 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
CVE-2008-2936 6.2 AV:L/AC:H/Au:N/C:C/I:C/A:C
CVE-2017-10140 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P
CVE-2008-3889 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P
CVE-2008-2937 1.9 AV:L/AC:M/Au:N/C:P/I:N/A:N

They are coming up under a Security Metrics scan, under the heading "Banner Based Vulnerabilities for Postfix smtpd"

Thanks in advance

Re: eFa server failing PCI Compliance scan

Posted: 14 Jul 2019 14:10
by shawniverson
Many of these look like false positives based on the smtpd banner (?) and postfix has long since fixed these issues.

For example...

CVE-2009-2939 says that postfix has write access to pids in /var/spool/postfix/pid, but this is not the case.


-rw-------. 1 root root  0 Jan 19 22:05 inet.smtp
-rw-------. 1 root root  0 Jan 20 19:34 inet.submission
-rw-------. 1 root root 33 Jul 14 00:37 master.pid
-rw-------. 1 root root  0 Jun 27 23:10 unix.bounce
-rw-------. 1 root root  0 Jan 19 22:10 unix.cleanup
-rw-------. 1 root root  0 Jan 19 22:10 unix.defer
-rw-------. 1 root root  0 Jan 19 22:10 unix.flush
-rw-------. 1 root root  0 Jan 22 21:46 unix.local
-rw-------. 1 root root  0 Jan 19 22:13 unix.retry
-rw-------. 1 root root  0 Jan 19 22:05 unix.showq
-rw-------. 1 root root  0 Jan 19 22:10 unix.smtp
You can clearly see that only root has access, and postfix is running under the user postfix. Furthermore, selinux is enforcing.

I have no idea how it is making this determination. A guess would be since the postfix version is not displayed in the banner, it is making assumptions.

Re: eFa server failing PCI Compliance scan

Posted: 14 Jul 2019 14:17
by shawniverson
Even the most recent vulnerability, CVE-2017-10140, has been fixed. v4 is running postfix version 3.3.0.

http://www.postfix.org/announcements/postfix-3.2.2.html
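The two posts above make the same point from different directions: the default Postfix greeting does not carry a version, so a banner-only scanner has nothing to go on and falls back to assuming the worst, while the host itself can state its real version through `postconf mail_version`. The script below, an added example that is not eFa's or Postfix's own code, shows the triage a defender does before disputing such findings: it parses a constructed sample banner (showing that no version is present), parses constructed `postconf mail_version` output, and compares the installed version against the first fixed release per branch. Only the 3.2.2 entry for CVE-2017-10140 comes from the announcement linked in the thread; the other branch versions in `FIXED_IN` are assumptions written from memory and must be confirmed against the postfix.org announcements before being relied on, and CVEs without a recorded fix version are deliberately left as "unknown" rather than guessed.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample greeting, modelled on the Postfix default smtpd_banner
# ("$myhostname ESMTP $mail_name"). Note that it carries no version number.
SAMPLE_BANNER = "220 mail.example.com ESMTP Postfix"

# Constructed sample of what `postconf mail_version` prints on the server.
SAMPLE_POSTCONF = "mail_version = 3.3.0\n"

# CVE -> first release in each maintained branch that contains the fix.
# 3.2.2 for CVE-2017-10140 is from the announcement linked in the thread;
# every other entry is an ASSUMPTION to be verified against
# http://www.postfix.org/announcements/ before use.
FIXED_IN: Dict[str, List[str]] = {
    "CVE-2017-10140": ["3.2.2", "3.1.6", "3.0.10", "2.11.10"],
    "CVE-2011-0411": ["2.8.1"],
}


def version_from_banner(banner: str) -> Optional[str]:
    """Return a version string if the 220 greeting exposes one, else None."""
    m = re.search(r"\bPostfix\s+v?(\d+(?:\.\d+)+)", banner)
    return m.group(1) if m else None


def version_from_postconf(output: str) -> Optional[str]:
    """Parse `postconf mail_version` output (host-side evidence)."""
    m = re.search(r"^mail_version\s*=\s*(\d+(?:\.\d+)+)\s*$", output, re.M)
    return m.group(1) if m else None


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def is_fixed(installed: str, fixed_versions: List[str]) -> bool:
    """Branch-aware comparison: a 3.1.x host is judged against the 3.1.x fix,
    not against the newest branch's fix version."""
    inst = parse_version(installed)
    branches = [parse_version(f) for f in fixed_versions]
    same_branch = [b for b in branches if b[:2] == inst[:2]]
    if same_branch:
        return inst >= same_branch[0]
    # No fix listed for this branch: only a branch newer than every listed
    # fixed branch can be assumed to carry the fix.
    return inst[:2] > max(branches)[:2]


def triage(installed: Optional[str], cves: Iterable[str]) -> Dict[str, str]:
    """Classify each scanner finding given the real installed version."""
    result: Dict[str, str] = {}
    for cve in cves:
        fixed = FIXED_IN.get(cve)
        if installed is None:
            result[cve] = "unknown: no version evidence"
        elif fixed is None:
            result[cve] = "unknown: fixed version not recorded"
        elif is_fixed(installed, fixed):
            result[cve] = "false positive: fixed in " + ", ".join(fixed)
        else:
            result[cve] = "affected: fixed in " + ", ".join(fixed)
    return result


if __name__ == "__main__":
    # What the scanner sees versus what the host can prove.
    print("banner version:", version_from_banner(SAMPLE_BANNER))
    installed = version_from_postconf(SAMPLE_POSTCONF)
    print("postconf version:", installed)
    for cve, verdict in triage(installed, ["CVE-2017-10140", "CVE-2011-0411",
                                            "CVE-2009-2939"]).items():
        print(cve, "->", verdict)
```

Run on a real host by replacing `SAMPLE_POSTCONF` with the output of `postconf mail_version`; the "unknown" verdicts are the findings that still need a documented fix version (or, as with CVE-2009-2939 in the next post, a different kind of evidence such as file permissions) before they can be disputed.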

Re: eFa server failing PCI Compliance scan

Posted: 15 Jul 2019 13:52
by cphillips
shawniverson wrote (14 Jul 2019 14:17):
Even the most recent vulnerability, CVE-2017-10140, has been fixed. v4 is running postfix version 3.3.0.

http://www.postfix.org/announcements/postfix-3.2.2.html
Thanks, I've raised a ticket with the scanning company for them to investigate as it does indeed look like false positives.

I'll report back what they say!

Re: eFa server failing PCI Compliance scan

Posted: 25 Jul 2019 12:36
by cphillips
Just to update this...

I had to disable TLS 1.0 and then prove that Postfix was 3.3.0 which then resulted in a PCI DSS pass!

Also had to set up a proper SSL certificate as the self-generated one was failing.

Got there in the end.

Re: eFa server failing PCI Compliance scan

Posted: 20 Jul 2023 10:27
by VictoriaM31
cphillips wrote (10 Jul 2019 09:20):
Hi,

I run an eFa 3.0.2.6 server and it is scanned quarterly for compliance as we take credit card payments.

The latest scan has failed with the following:

Banner Based Vulnerabilities for Postfix smtpd
CVEs:
CVE-2009-2939 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C
CVE-2008-4977 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C
CVE-2011-0411 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
CVE-2011-1720 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
CVE-2012-0811 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
CVE-2008-2936 6.2 AV:L/AC:H/Au:N/C:C/I:C/A:C
CVE-2017-10140 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P
CVE-2008-3889 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P
CVE-2008-2937 1.9 AV:L/AC:M/Au:N/C:P/I:N/A:N

It seems this is running Postfix 3.1.4 which is fairly old. Is it possible to update the version of Postfix on this system or am I better off migrating to eFa v4?

Thanks in advance.
To address the Banner Based Vulnerabilities for Postfix smtpd and ensure PCI compliance, it's advisable to update the Postfix version to the latest stable release, which should contain security patches to address the mentioned CVEs. However, since the current version on your eFa 3.0.2.6 server (Postfix 3.1.4) is already quite outdated, migrating to eFa v4 might be a more comprehensive solution. eFa v4 likely incorporates the latest version of Postfix and other security enhancements, making it easier to maintain compliance and security. Remember to follow best practices and security guidelines when updating or migrating to ensure a smooth transition and maintain PCI compliance. If you need further assistance on how to get PCI compliance, feel free to ask for more specific details regarding your setup. Good luck!