eFa server failing PCI Compliance scan

cphillips
Posts: 27
Joined: 12 Nov 2016 20:16

eFa server failing PCI Compliance scan

Post by cphillips »

Hi,

I run an eFa 3.0.2.6 server and it is scanned quarterly for compliance as we take credit card payments.

The latest scan has failed with the following:

Banner Based Vulnerabilities for Postfix smtpd
CVEs:
CVE-2009-2939 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C
CVE-2008-4977 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C
CVE-2011-0411 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
CVE-2011-1720 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
CVE-2012-0811 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
CVE-2008-2936 6.2 AV:L/AC:H/Au:N/C:C/I:C/A:C
CVE-2017-10140 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P
CVE-2008-3889 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P
CVE-2008-2937 1.9 AV:L/AC:M/Au:N/C:P/I:N/A:N

It seems this is running Postfix 3.1.4 which is fairly old. Is it possible to update the version of Postfix on this system or am I better off migrating to eFa v4?

Thanks in advance.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: eFa server failing PCI Compliance scan

Post by shawniverson »

Plan on moving to v4. :dance:
cphillips
Posts: 27
Joined: 12 Nov 2016 20:16

Re: eFa server failing PCI Compliance scan

Post by cphillips »

OK, I've now built an eFa 4.0 VM and I'm still having the same issue. I also had security warnings (TLS 1.0 enabled etc.). I've sorted those out but still need to remedy the following:

CVE Score Vector
CVE-2009-2939 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C
CVE-2008-4977 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C
CVE-2011-0411 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
CVE-2011-1720 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
CVE-2012-0811 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
CVE-2008-2936 6.2 AV:L/AC:H/Au:N/C:C/I:C/A:C
CVE-2017-10140 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P
CVE-2008-3889 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P
CVE-2008-2937 1.9 AV:L/AC:M/Au:N/C:P/I:N/A:N

They are coming up under a Security Metrics scan, under the heading "Banner Based Vulnerabilities for Postfix smtpd"

Thanks in advance
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: eFa server failing PCI Compliance scan

Post by shawniverson »

Many of these look like false positives based on the smtpd banner (?) and postfix has long since fixed these issues.

For example...

CVE-2009-2939 says that postfix has write access to pids in /var/spool/postfix/pid, but this is not the case.


-rw-------. 1 root root  0 Jan 19 22:05 inet.smtp
-rw-------. 1 root root  0 Jan 20 19:34 inet.submission
-rw-------. 1 root root 33 Jul 14 00:37 master.pid
-rw-------. 1 root root  0 Jun 27 23:10 unix.bounce
-rw-------. 1 root root  0 Jan 19 22:10 unix.cleanup
-rw-------. 1 root root  0 Jan 19 22:10 unix.defer
-rw-------. 1 root root  0 Jan 19 22:10 unix.flush
-rw-------. 1 root root  0 Jan 22 21:46 unix.local
-rw-------. 1 root root  0 Jan 19 22:13 unix.retry
-rw-------. 1 root root  0 Jan 19 22:05 unix.showq
-rw-------. 1 root root  0 Jan 19 22:10 unix.smtp
You can clearly see that only root has access, and postfix is running under the user postfix. Furthermore, selinux is enforcing.

I have no idea how it is making this determination. A guess would be since the postfix version is not displayed in the banner, it is making assumptions.
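The reasoning in the post above (the banner names Postfix but states no version, the real version is newer than the fix, the pid directory is root-only) can be turned into a repeatable check. The script below is an added example, not code from eFa or from anyone in this thread. It assumes the default Postfix greeting `$myhostname ESMTP $mail_name` (which prints "ESMTP Postfix" with no version), the output format of `postconf mail_version`, and an `ls -l` listing of /var/spool/postfix/pid. Only the CVE-2017-10140 -> 3.2.2 mapping is taken from the thread's linked announcement; the rest of the FIXED_IN table is deliberately left empty and must be filled from the vendor's advisories before the verdict means anything.

```python
import re
from typing import Dict, List, Optional, Tuple

# Default Postfix greeting is "$myhostname ESMTP $mail_name": a software name, no version.
BANNER_RE = re.compile(
    r"^220[ -](?P<host>\S+)\s+ESMTP\s+(?P<software>[A-Za-z]+)"
    r"(?:\s+(?P<version>\d+(?:\.\d+)+))?"
)


def banner_version(banner: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (software, version) claimed by an SMTP greeting.

    version is None when the banner does not state one, which is the Postfix
    default, so a banner-only scanner has nothing to compare against."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None, None
    return m.group("software"), m.group("version")


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.strip().split("."))


def running_version(postconf_output: str) -> str:
    """Parse the output of `postconf mail_version`, e.g. 'mail_version = 3.3.0'."""
    m = re.search(r"^mail_version\s*=\s*(\S+)", postconf_output, re.M)
    if not m:
        raise ValueError("mail_version not found in postconf output")
    return m.group(1)


# Earliest release per maintenance branch that carries the fix.
# Only CVE-2017-10140 -> 3.2.2 comes from the thread (postfix-3.2.2 announcement);
# the other CVEs are left out on purpose: fill them from the advisories, do not guess.
FIXED_IN: Dict[str, List[str]] = {"CVE-2017-10140": ["3.2.2"]}


def cve_status(cve: str, running: str) -> str:
    """'fixed', 'vulnerable', or 'unknown' (no table entry for this branch)."""
    fixed = [parse_version(f) for f in FIXED_IN.get(cve, [])]
    if not fixed:
        return "unknown"
    run = parse_version(running)
    if run >= max(fixed):
        return "fixed"  # newer than the newest fixed release
    for f in fixed:
        if run[:2] == f[:2]:  # same major.minor branch
            return "fixed" if run >= f else "vulnerable"
    return "unknown"  # branch not covered by the table


# One `ls -l` line: mode, optional SELinux/ACL marker, links, user, group, size, date, name.
LS_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})[.+]?\s+\d+\s+(?P<user>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+.*?\s(?P<name>\S+)$"
)


def pid_dir_findings(listing: str) -> List[str]:
    """Names in an `ls -l /var/spool/postfix/pid` listing that are not root-owned
    and mode 0600, i.e. the precondition CVE-2009-2939 needs."""
    bad = []
    for line in listing.splitlines():
        m = LS_RE.match(line.strip())
        if not m:
            continue
        if m.group("user") != "root" or m.group("mode")[1:] != "rw-------":
            bad.append(m.group("name"))
    return bad


# Constructed sample: the first two lines mirror the listing in the post above,
# the third is a deliberately wrong entry to show what a real finding looks like.
SAMPLE_LISTING = """\
-rw-------. 1 root root  0 Jan 19 22:05 inet.smtp
-rw-------. 1 root root 33 Jul 14 00:37 master.pid
-rw-rw-r--. 1 postfix postfix 0 Jan 19 22:05 unix.bad
"""

if __name__ == "__main__":
    print(banner_version("220 mx.example.test ESMTP Postfix"))
    print(cve_status("CVE-2017-10140", running_version("mail_version = 3.3.0\n")))
    print(pid_dir_findings(SAMPLE_LISTING))
```

Feed it the real values with `postconf mail_version` and `ls -l /var/spool/postfix/pid` when writing the dispute to the scanning vendor; the "unknown" result is the honest answer for any CVE you have not looked up, which is the point: the scanner is producing verdicts without that data.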
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: eFa server failing PCI Compliance scan

Post by shawniverson »

Even the most recent vulnerability, CVE-2017-10140, has been fixed. v4 is running postfix version 3.3.0.

http://www.postfix.org/announcements/postfix-3.2.2.html
cphillips
Posts: 27
Joined: 12 Nov 2016 20:16

Re: eFa server failing PCI Compliance scan

Post by cphillips »

shawniverson wrote: 14 Jul 2019 14:17 Even the most recent vulnerability, CVE-2017-10140, has been fixed. v4 is running postfix version 3.3.0.

http://www.postfix.org/announcements/postfix-3.2.2.html
Thanks, I've raised a ticket with the scanning company for them to investigate as it does indeed look like false positives.

I'll report back what they say!
cphillips
Posts: 27
Joined: 12 Nov 2016 20:16

Re: eFa server failing PCI Compliance scan

Post by cphillips »

Just to update this..

I had to disable TLS 1.0 and then prove that Postfix was 3.3.0 which then resulted in a PCI DSS pass!

Also had to setup a proper SSL certificate as the self generated one was failing.

Got there in the end.
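The two Postfix-side fixes the poster needed (stop offering TLS 1.0, present a CA-issued certificate) are easy to verify before the next quarterly scan. The script below is an added example, not eFa's code or the poster's; it parses `postconf -n` style `name = value` lines (constructed sample included, continuation lines not handled) and checks the two protocol lists the smtpd side uses. The Postfix 3.3 defaults `!SSLv2, !SSLv3` for both parameters and the exclusion-list semantics are Postfix behaviour; the full protocol list used to expand exclusions is an assumption for this check, not a Postfix constant.

```python
import re
from typing import Dict, List, Set

# Assumed universe of protocol names for expanding "!X" exclusion lists.
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
WEAK: Set[str] = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Postfix 3.3 defaults for the opportunistic and mandatory smtpd protocol lists.
DEFAULTS = {
    "smtpd_tls_protocols": "!SSLv2, !SSLv3",
    "smtpd_tls_mandatory_protocols": "!SSLv2, !SSLv3",
}
HARDENED = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"


def parse_postconf(text: str) -> Dict[str, str]:
    """Parse `postconf -n` output: one 'name = value' per line, '#' comments ignored."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            cfg[name.strip()] = value.strip()
    return cfg


def protocols_allowed(value: str) -> Set[str]:
    """Exclusion form ('!SSLv2, !SSLv3') enables everything not listed;
    inclusion form ('TLSv1.2, TLSv1.3') enables only what is listed."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    if tokens and all(t.startswith("!") for t in tokens):
        excluded = {t[1:] for t in tokens}
        return {p for p in ALL_PROTOCOLS if p not in excluded}
    return {t for t in tokens if not t.startswith("!")}


def tls_findings(cfg: Dict[str, str]) -> List[str]:
    """Human-readable findings for protocol settings a PCI scan will flag."""
    findings = []
    for param, default in DEFAULTS.items():
        weak = sorted(protocols_allowed(cfg.get(param, default)) & WEAK)
        if weak:
            findings.append(f"{param} still allows {', '.join(weak)}")
    if "smtpd_tls_cert_file" not in cfg or "smtpd_tls_key_file" not in cfg:
        findings.append("smtpd_tls_cert_file / smtpd_tls_key_file not set")
    return findings


def hardened_settings(cfg: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of cfg with both protocol lists set to the hardened value."""
    out = dict(cfg)
    for param in DEFAULTS:
        out[param] = HARDENED
    return out


# Constructed sample resembling a fresh install: TLS on, but only SSLv2/3 excluded.
SAMPLE_WEAK = """\
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.test.crt
smtpd_tls_key_file = /etc/pki/tls/private/mail.example.test.key
smtpd_tls_protocols = !SSLv2, !SSLv3
"""

if __name__ == "__main__":
    cfg = parse_postconf(SAMPLE_WEAK)
    for f in tls_findings(cfg):
        print("FINDING:", f)
    for k, v in hardened_settings(cfg).items():
        print(f"{k} = {v}")
```

Apply the hardened values with `postconf -e 'smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'` (and the same for `smtpd_tls_mandatory_protocols`), reload, then confirm from outside with `openssl s_client -starttls smtp -connect mail.example.test:25 -tls1` failing and `-tls1_2` succeeding. For the certificate problem in the post, `openssl x509 -in <cert> -noout -subject -issuer` with identical subject and issuer is the self-signed case the scanner rejects. Postfix 3.6 and later also accept the shorter `>=TLSv1.2` form for these parameters; the exclusion form above works on the 3.3.0 that eFa v4 ships.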
VictoriaM31
Posts: 1
Joined: 20 Jul 2023 10:20

Re: eFa server failing PCI Compliance scan

Post by VictoriaM31 »

cphillips wrote: 10 Jul 2019 09:20 Hi,

I run an eFa 3.0.2.6 server and it is scanned quarterly for compliance as we take credit card payments.

The latest scan has failed with the following:

Banner Based Vulnerabilities for Postfix smtpd
CVEs:
CVE-2009-2939 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C
CVE-2008-4977 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C
CVE-2011-0411 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
CVE-2011-1720 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
CVE-2012-0811 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
CVE-2008-2936 6.2 AV:L/AC:H/Au:N/C:C/I:C/A:C
CVE-2017-10140 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P
CVE-2008-3889 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P
CVE-2008-2937 1.9 AV:L/AC:M/Au:N/C:P/I:N/A:N

It seems this is running Postfix 3.1.4 which is fairly old. Is it possible to update the version of Postfix on this system or am I better off migrating to eFa v4?

Thanks in advance.
To address the Banner Based Vulnerabilities for Postfix smtpd and ensure PCI compliance, it's advisable to update the Postfix version to the latest stable release, which should contain security patches to address the mentioned CVEs. However, since the current version on your eFa 3.0.2.6 server (Postfix 3.1.4) is already quite outdated, migrating to eFa v4 might be a more comprehensive solution. eFa v4 likely incorporates the latest version of Postfix and other security enhancements, making it easier to maintain compliance and security. Remember to follow best practices and security guidelines when updating or migrating to ensure smooth transition and maintain PCI compliance. If you need further assistance on how to get PCI compliance, feel free to ask for more specific details regarding your setup. Good luck!