Hi,
I run an eFa 3.0.2.6 server and it is scanned quarterly for compliance as we take credit card payments.
The latest scan has failed with the following:
Banner Based Vulnerabilities for Postfix smtpd
CVEs:
CVE-2009-2939 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C
CVE-2008-4977 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C
CVE-2011-0411 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
CVE-2011-1720 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
CVE-2012-0811 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
CVE-2008-2936 6.2 AV:L/AC:H/Au:N/C:C/I:C/A:C
CVE-2017-10140 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P
CVE-2008-3889 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P
CVE-2008-2937 1.9 AV:L/AC:M/Au:N/C:P/I:N/A:N
It seems this is running Postfix 3.1.4 which is fairly old. Is it possible to update the version of Postfix on this system or am I better off migrating to eFa v4?
Thanks in advance.
eFa server failing PCI Compliance scan
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
Re: eFa server failing PCI Compliance scan
Plan on moving to v4.
Re: eFa server failing PCI Compliance scan
Ok, I've now built an eFa 4.0 VM and am still having the same issue. I also had security warnings (TLS 1.0 enabled, etc.). I've sorted those out but still need to remedy the following:
CVE Score Vector
CVE-2009-2939 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C
CVE-2008-4977 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C
CVE-2011-0411 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
CVE-2011-1720 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
CVE-2012-0811 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
CVE-2008-2936 6.2 AV:L/AC:H/Au:N/C:C/I:C/A:C
CVE-2017-10140 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P
CVE-2008-3889 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P
CVE-2008-2937 1.9 AV:L/AC:M/Au:N/C:P/I:N/A:N
They are coming up under a Security Metrics scan, under the heading "Banner Based Vulnerabilities for Postfix smtpd"
Thanks in advance
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
Re: eFa server failing PCI Compliance scan
Many of these look like false positives based on the smtpd banner (?) and postfix has long since fixed these issues.
For example...
CVE-2009-2939 says that postfix has write access to pids in /var/spool/postfix/pid, but this is not the case.
-rw-------. 1 root root 0 Jan 19 22:05 inet.smtp
-rw-------. 1 root root 0 Jan 20 19:34 inet.submission
-rw-------. 1 root root 33 Jul 14 00:37 master.pid
-rw-------. 1 root root 0 Jun 27 23:10 unix.bounce
-rw-------. 1 root root 0 Jan 19 22:10 unix.cleanup
-rw-------. 1 root root 0 Jan 19 22:10 unix.defer
-rw-------. 1 root root 0 Jan 19 22:10 unix.flush
-rw-------. 1 root root 0 Jan 22 21:46 unix.local
-rw-------. 1 root root 0 Jan 19 22:13 unix.retry
-rw-------. 1 root root 0 Jan 19 22:05 unix.showq
-rw-------. 1 root root 0 Jan 19 22:10 unix.smtp
You can clearly see that only root has access, and postfix is running under the user postfix. Furthermore, selinux is enforcing.
I have no idea how it is making this determination. A guess would be since the postfix version is not displayed in the banner, it is making assumptions.
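An added illustration of the two points in this reply (example code, not from the thread or the eFa project): a scanner keyed on the 220 greeting cannot read a version from a default Postfix banner, and the quoted pid listing shows root-only files. The listing is reused as constructed input, with one constructed world-readable line added to show what a genuine finding would look like.

```python
import re

# Constructed input: three lines of the /var/spool/postfix/pid listing quoted above.
PID_LISTING = """\
-rw-------. 1 root root 0 Jan 19 22:05 inet.smtp
-rw-------. 1 root root 0 Jan 20 19:34 inet.submission
-rw-------. 1 root root 33 Jul 14 00:37 master.pid
"""
# Constructed counter-example: a pid file writable by the postfix user and readable by all.
WORLD_READABLE = "-rw-rw-r--. 1 postfix postfix 33 Jul 14 00:37 master.pid\n"

# One 'ls -l' line: mode (plus optional SELinux '.' / ACL '+'), links, owner, group,
# size, month, day, time, name.
LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})[.+]?\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>\S+)$"
)


def pid_dir_findings(listing):
    """Return names of pid files that are not owned by root or that grant any
    group/other permission bit, i.e. what would actually support the CVE claim."""
    findings = []
    for line in listing.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue  # skip 'total N' and anything that is not a file entry
        group_other_bits = m.group("mode")[4:10]  # chars 4-9 are the group/other bits
        if m.group("owner") != "root" or group_other_bits != "------":
            findings.append(m.group("name"))
    return findings


BANNER_VERSION = re.compile(r"Postfix\s+(\d+(?:\.\d+)+)")


def banner_disclosure(banner):
    """Classify what a banner-based scanner can learn from an SMTP 220 greeting:
    ('version', '3.3.0'), ('product', None) or ('none', None)."""
    m = BANNER_VERSION.search(banner)
    if m:
        return "version", m.group(1)
    if "Postfix" in banner:
        return "product", None  # product name only; the version has to be guessed
    return "none", None


if __name__ == "__main__":
    print(pid_dir_findings(PID_LISTING), pid_dir_findings(WORLD_READABLE))
    print(banner_disclosure("220 mail.example.com ESMTP Postfix"))
```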
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
Re: eFa server failing PCI Compliance scan
Even the most recent vulnerability, CVE-2017-10140, has been fixed. v4 is running postfix version 3.3.0.
http://www.postfix.org/announcements/postfix-3.2.2.html
Re: eFa server failing PCI Compliance scan
shawniverson wrote: ↑14 Jul 2019 14:17
Even the most recent vulnerability, CVE-2017-10140, has been fixed. v4 is running postfix version 3.3.0.
http://www.postfix.org/announcements/postfix-3.2.2.html
Thanks, I've raised a ticket with the scanning company for them to investigate as it does indeed look like false positives.
I'll report back what they say!
Re: eFa server failing PCI Compliance scan
Just to update this..
I had to disable TLS 1.0 and then prove that Postfix was 3.3.0 which then resulted in a PCI DSS pass!
Also had to setup a proper SSL certificate as the self generated one was failing.
Got there in the end.
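The TLS 1.0 fix mentioned in the update above, as an added example that is not from the thread: a small checker for the Postfix smtpd_tls_protocols setting, run over a weak and a corrected main.cf fragment (both constructed). The exclusion-list semantics and the Postfix 3.3 default are simplified from the Postfix documentation and are assumptions of this example.

```python
import re

# Constructed main.cf fragments, not the poster's actual configuration.
WEAK_MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3   # still accepts TLS 1.0 and 1.1
"""
FIXED_MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
"""

ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_main_cf(text):
    """Minimal main.cf reader: 'name = value' lines, '#' comments ignored."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def enabled_protocols(spec):
    """Expand a Postfix protocol list into the set of protocols it enables.
    '!name' excludes a protocol; a list made only of exclusions starts from
    every protocol (simplified Postfix 3.x semantics, an assumption here)."""
    names = [n for n in re.split(r"[,\s]+", spec) if n]
    included = {n for n in names if not n.startswith("!")}
    excluded = {n[1:] for n in names if n.startswith("!")}
    enabled = included if included else set(ALL_PROTOCOLS)
    return enabled - excluded


def legacy_tls_enabled(main_cf_text):
    """Return the legacy protocols (SSLv2/3, TLS 1.0/1.1) smtpd still offers."""
    params = parse_main_cf(main_cf_text)
    # Value assumed when the parameter is absent (Postfix 3.3 default).
    spec = params.get("smtpd_tls_protocols", "!SSLv2, !SSLv3")
    return sorted(enabled_protocols(spec) & LEGACY)


if __name__ == "__main__":
    print("weak :", legacy_tls_enabled(WEAK_MAIN_CF))
    print("fixed:", legacy_tls_enabled(FIXED_MAIN_CF))
```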
- Posts: 1
- Joined: 20 Jul 2023 10:20
Re: eFa server failing PCI Compliance scan
To address the Banner Based Vulnerabilities for Postfix smtpd and ensure PCI compliance, it's advisable to update the Postfix version to the latest stable release, which should contain security patches to address the mentioned CVEs. However, since the current version on your eFa 3.0.2.6 server (Postfix 3.1.4) is already quite outdated, migrating to eFa v4 might be a more comprehensive solution. eFa v4 likely incorporates the latest version of Postfix and other security enhancements, making it easier to maintain compliance and security. Remember to follow best practices and security guidelines when updating or migrating to ensure a smooth transition and maintain PCI compliance. If you need further assistance on how to get PCI compliance, feel free to ask for more specific details regarding your setup. Good luck!