eFa server failing PCI Compliance scan

cphillips
Posts: 26
Joined: 12 Nov 2016 20:16

eFa server failing PCI Compliance scan

Post by cphillips » 10 Jul 2019 09:20

Hi,

I run an eFa 3.0.2.6 server and it is scanned quarterly for compliance as we take credit card payments.

The latest scan has failed with the following:

Banner Based Vulnerabilities for Postfix smtpd
CVEs:
CVE-2009-2939 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C
CVE-2008-4977 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C
CVE-2011-0411 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
CVE-2011-1720 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
CVE-2012-0811 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
CVE-2008-2936 6.2 AV:L/AC:H/Au:N/C:C/I:C/A:C
CVE-2017-10140 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P
CVE-2008-3889 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P
CVE-2008-2937 1.9 AV:L/AC:M/Au:N/C:P/I:N/A:N

It seems this is running Postfix 3.1.4 which is fairly old. Is it possible to update the version of Postfix on this system or am I better off migrating to eFa v4?

Thanks in advance.

shawniverson
Posts: 2876
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: eFa server failing PCI Compliance scan

Post by shawniverson » 10 Jul 2019 10:18

Plan on moving to v4. :dance:
Version eFa 4.0.0 now available!

cphillips
Posts: 26
Joined: 12 Nov 2016 20:16

Re: eFa server failing PCI Compliance scan

Post by cphillips » 14 Jul 2019 08:38

Ok, I've now built an eFa 4.0 VM and am still having the same issue. I also had security warnings (TLS 1.0 enabled, etc.). I've sorted those out but still need to remedy the following:

CVE Score Vector
CVE-2009-2939 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C
CVE-2008-4977 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C
CVE-2011-0411 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
CVE-2011-1720 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
CVE-2012-0811 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
CVE-2008-2936 6.2 AV:L/AC:H/Au:N/C:C/I:C/A:C
CVE-2017-10140 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P
CVE-2008-3889 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P
CVE-2008-2937 1.9 AV:L/AC:M/Au:N/C:P/I:N/A:N

They are coming up under a Security Metrics scan, under the heading "Banner Based Vulnerabilities for Postfix smtpd"

Thanks in advance

shawniverson
Posts: 2876
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: eFa server failing PCI Compliance scan

Post by shawniverson » 14 Jul 2019 14:10

Many of these look like false positives based on the smtpd banner (?) and postfix has long since fixed these issues.

For example...

CVE-2009-2939 says that postfix has write access to pids in /var/spool/postfix/pid, but this is not the case.

-rw-------. 1 root root  0 Jan 19 22:05 inet.smtp
-rw-------. 1 root root  0 Jan 20 19:34 inet.submission
-rw-------. 1 root root 33 Jul 14 00:37 master.pid
-rw-------. 1 root root  0 Jun 27 23:10 unix.bounce
-rw-------. 1 root root  0 Jan 19 22:10 unix.cleanup
-rw-------. 1 root root  0 Jan 19 22:10 unix.defer
-rw-------. 1 root root  0 Jan 19 22:10 unix.flush
-rw-------. 1 root root  0 Jan 22 21:46 unix.local
-rw-------. 1 root root  0 Jan 19 22:13 unix.retry
-rw-------. 1 root root  0 Jan 19 22:05 unix.showq
-rw-------. 1 root root  0 Jan 19 22:10 unix.smtp

You can clearly see that only root has access, and postfix is running under the user postfix. Furthermore, selinux is enforcing.

I have no idea how it is making this determination. A guess would be that since the postfix version is not displayed in the banner, it is making assumptions.

shawniverson
Posts: 2876
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: eFa server failing PCI Compliance scan

Post by shawniverson » 14 Jul 2019 14:17

Even the most recent vulnerability, CVE-2017-10140, has been fixed. v4 is running postfix version 3.3.0.

http://www.postfix.org/announcements/postfix-3.2.2.html

cphillips
Posts: 26
Joined: 12 Nov 2016 20:16

Re: eFa server failing PCI Compliance scan

Post by cphillips » 15 Jul 2019 13:52

shawniverson wrote (14 Jul 2019 14:17):
Even the most recent vulnerability, CVE-2017-10140, has been fixed. v4 is running postfix version 3.3.0.

http://www.postfix.org/announcements/postfix-3.2.2.html
Thanks, I've raised a ticket with the scanning company for them to investigate as it does indeed look like false positives.

I'll report back what they say!

cphillips
Posts: 26
Joined: 12 Nov 2016 20:16

Re: eFa server failing PCI Compliance scan

Post by cphillips » 25 Jul 2019 12:36

Just to update this...

I had to disable TLS 1.0 and then prove that Postfix was 3.3.0 which then resulted in a PCI DSS pass!

Also had to set up a proper SSL certificate, as the self-generated one was failing.

Got there in the end.
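The TLS 1.0 finding above is the one that is easy to pre-check before the next quarterly scan. The following is an added example (not code from eFa, Postfix, or anyone in this thread): it reads a Postfix main.cf fragment, expands the smtpd_tls_protocols value into the protocol versions it actually leaves enabled, and flags the weak ones. It assumes the Postfix 3.x default of "!SSLv2, !SSLv3" for an unset parameter, which is what keeps TLS 1.0 on; the config fragments are constructed for the example.

```python
"""Offline pre-check of Postfix TLS protocol settings (added example, not eFa code)."""
import re

# Protocol names Postfix understands, oldest first, and the ones a PCI DSS scan flags.
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_main_cf(text):
    """Minimal main.cf reader: 'key = value', '#' comments, indented continuation lines."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and key:          # continuation of the previous value
            params[key] += " " + line.strip()
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params

def enabled_protocols(spec):
    """Expand a *_tls_protocols value into the set of versions it leaves enabled.
    Accepts the exclusion form ('!SSLv2, !SSLv3'), the inclusion form
    ('TLSv1.2 TLSv1.3') and the Postfix 3.6+ range form ('>=TLSv1.2, <=TLSv1.3')."""
    tokens = [t for t in re.split(r"[,\s]+", spec) if t]
    enabled = set(KNOWN)
    bounds = [t for t in tokens if t[:2] in (">=", "<=")]
    if bounds:
        for b in bounds:
            i = KNOWN.index(b[2:])
            enabled &= set(KNOWN[i:] if b[:2] == ">=" else KNOWN[:i + 1])
        return enabled
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = {t for t in tokens if not t.startswith("!")}
    return included & enabled if included else enabled - excluded

def weak_protocol_findings(params):
    """One finding per *_tls_protocols parameter that still allows a weak version.
    Assumed default for an unset parameter: the Postfix 3.x '!SSLv2, !SSLv3'."""
    findings = {}
    for name in ("smtpd_tls_protocols", "smtpd_tls_mandatory_protocols"):
        weak = enabled_protocols(params.get(name, "!SSLv2, !SSLv3")) & WEAK
        if weak:
            findings[name] = sorted(weak, key=KNOWN.index)
    return findings

# Constructed fragments: the setting that fails the scan, and the corrected one.
# Postfix 3.3.0 (eFa v4 at the time) predates the '>=' syntax, so the fix uses '!'.
BEFORE_CF = "smtpd_tls_security_level = may\nsmtpd_tls_protocols = !SSLv2, !SSLv3\n"
AFTER_CF = ("smtpd_tls_security_level = may\n"
            "smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1\n"
            "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3,\n    !TLSv1, !TLSv1.1\n")

if __name__ == "__main__":
    for label, cf in (("before", BEFORE_CF), ("after", AFTER_CF)):
        print(label, weak_protocol_findings(parse_main_cf(cf)) or "no weak TLS versions")
```

On a live box the same check can be fed the output of `postconf smtpd_tls_protocols smtpd_tls_mandatory_protocols` instead of a file, which also reflects defaults the file does not mention.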
