CentOS 5.6 and PCI Compliance

broberts
Posts: 7
Joined: 2009/10/05 22:29:14

CentOS 5.6 and PCI Compliance

Post by broberts » 2011/07/28 22:59:44

I've been finding that there are a number of vulnerabilities appearing on PCI scans which Red Hat has decided not to backport with respect to Apache httpd-2.2.3-45.el5.centos.1:
e.g.
CVE-2007-6203
CVE-2008-0455
CVE-2008-0456
CVE-2007-1741
CVE-2007-1743

Quite the hassle. I'm wondering if others have thoughts on addressing these -- or jumping ship from CentOS 5.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOS 5.6 and PCI Compliance

Post by TrevorH » 2011/07/28 23:18:24

Red Hat's line on these:

CVE-2007-6203
[quote]
Red Hat does not consider this issue to be a vulnerability. In order to exploit this for cross-site scripting, the attacker would have to get the victim to supply an arbitrary malformed HTTP method to a target site.
[/quote]

CVE-2008-0455 and CVE-2008-0456
[quote]
We do not consider this issue to be security sensitive. Untrusted users should not be permitted to upload files to the directories from where they can be directly served by the web server without prior careful sanitation of both contents and filename.
[/quote]

CVE-2007-1741 and CVE-2007-1743
[quote]
These attacks are reliant on an insecure configuration of the server - that the user the server runs as has write access to the document root. The suexec security model is not intended to protect against privilege escalation in such a configuration.
[/quote]

broberts
Posts: 7
Joined: 2009/10/05 22:29:14

Re: CentOS 5.6 and PCI Compliance

Post by broberts » 2011/07/29 20:55:27

Right, I read those. My point is that while Red Hat doesn't think CVE-2007-6203 is a vulnerability, our credit card processor's PCI scanner does and hence will not certify unless there is a compensating control.

CVE-2008-0455/6 could be addressed by disabling mod_negotiation.

CVE-2007-1741/3 could be addressed by prohibiting local users.

Apache 2.2.8 or greater addresses these, a backported 2.2.3 that ignores them does not.

What are folks who are subjected to PCI doing to address this sort of thing with CentOS 5.6? A distro like Gentoo keeps in step with the latest Apache, which would keep you covered. Is CentOS 6 more in step?
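One way to audit a CentOS 5 httpd for the two compensating controls raised in this thread (mod_negotiation/MultiViews disabled, and Red Hat's caveat that the user httpd runs as must not have write access to the document root), as an added example that is not part of this thread or of any CentOS tooling; the config text is constructed and the function names are my own:

```python
import os
import re
import stat
import tempfile
# Constructed sample, modelled on a stock CentOS 5 httpd.conf (not a real file).
SAMPLE_CONF = """\
User apache
DocumentRoot "/var/www/html"
LoadModule negotiation_module modules/mod_negotiation.so
<Directory "/var/www/html">
    Options Indexes FollowSymLinks MultiViews
</Directory>
"""

def parse_directives(conf_text):
    """Collect loaded module names and Options token lists, skipping commented lines."""
    modules, options = set(), []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive is inactive
        m = re.match(r"LoadModule\s+(\S+)", line)
        if m:
            modules.add(m.group(1))
        m = re.match(r"Options\s+(.*)", line)
        if m:
            options.append(m.group(1).split())
    return modules, options

def negotiation_findings(conf_text):
    """Control for CVE-2008-0455/0456: mod_negotiation unloaded and MultiViews not enabled."""
    modules, options = parse_directives(conf_text)
    findings = []
    if "negotiation_module" in modules:
        findings.append("mod_negotiation is loaded")
    if any("MultiViews" in o or "+MultiViews" in o for o in options):
        findings.append("MultiViews enabled in an Options line")
    return findings

def docroot_writable_by(path, uid, gid):
    """Red Hat's caveat for CVE-2007-1741/1743: can this uid/gid write the DocumentRoot?"""
    st = os.stat(path)
    bit = stat.S_IWUSR if st.st_uid == uid else stat.S_IWGRP if st.st_gid == gid else stat.S_IWOTH
    return bool(st.st_mode & bit)

def docroot_demo(mode):
    """Create a throwaway directory with the given mode and test it as a non-owner uid/gid."""
    path = tempfile.mkdtemp()
    os.chmod(path, mode)
    return docroot_writable_by(path, os.getuid() + 1, os.getgid() + 1)
```

On a real host, read /etc/httpd/conf/httpd.conf and the conf.d/ fragments into negotiation_findings, and pass the DocumentRoot with the uid/gid of the User/Group directives to docroot_writable_by.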

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: CentOS 5.6 and PCI Compliance

Post by pschaff » 2011/07/31 15:15:24

Seems like the compensating controls are discussed pretty well in Trevor's post. For CentOS-6 all I can say is that I don't see those CVEs in the changelog.

foxb
Posts: 1927
Joined: 2006/04/20 19:03:33
Location: Montreal/QC

CentOS 5.6 and PCI Compliance

Post by foxb » 2011/08/01 13:45:52

[quote]
broberts wrote:
Right, I read those. My point is that while Red Hat doesn't think CVE-2007-6203 is a vulnerability, our credit card processor's PCI scanner does and hence will not certify unless there is a compensating control.

CVE-2008-0455/6 could be addressed by disabling mod_negotiation.

CVE-2007-1741/3 could be addressed by prohibiting local users.

Apache 2.2.8 or greater addresses these, a backported 2.2.3 that ignores them does not.

What are folks who are subjected to PCI doing to address this sort of thing with CentOS 5.6? A distro like Gentoo keeps in step with the latest Apache, which would keep you covered. Is CentOS 6 more in step?
[/quote]

My understanding of the PCI certification process is that you should have the latest updates from your provider, not every possible update in the world.
Correct me if I'm wrong...

broberts
Posts: 7
Joined: 2009/10/05 22:29:14

Re: CentOS 5.6 and PCI Compliance

Post by broberts » 2011/08/06 20:45:40

A PCI scan must be completed by an ASV (Approved Scanning Vendor).

From https://www.pcisecuritystandards.org:

[quote]
Whenever possible, ASVs must use two tools to categorize and rank vulnerabilities, and determine scan compliance:
1. The Common Vulnerability Scoring System (CVSS) version 2.0, which provides a common framework for communicating the characteristics and impact of IT vulnerabilities. The CVSS scoring algorithm utilizes a Base Metric Group, which describes both the complexity and impact of a vulnerability to produce a Base Score, which ranges between 0 and 10. The CVSS Base Score must, where available, be used by ASVs in computing PCI DSS compliance scoring.
2. The National Vulnerability Database (NVD), which is maintained by the National Institute of Standards and Technology (NIST). The NVD contains details of known vulnerabilities based on the Common Vulnerabilities and Exposures (CVE) dictionary. The NVD has adopted the CVSS and publishes CVSS Base Scores for each vulnerability. ASVs should use the CVSS scores whenever they are available.
The use of the CVSS and CVE standards, in conjunction with a common vulnerability database and scoring authority (the NVD) is intended to provide consistency across ASVs.
With a few exceptions (see the Compliance Determination-Overall and by Component section below for details), any vulnerability with a CVSS Base Score of 4.0 or higher will result in a non-compliant scan, and all such vulnerabilities must be remediated by the scan customer. To assist customers in prioritizing the solution or mitigation of identified issues, ASVs must assign a severity level to each identified vulnerability or misconfiguration.
[/quote]

So basically you need to cover the CVEs with base score >= 4. CVE-2007-6203 falls into this category (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6203). So it's great that "Red Hat does not consider this issue to be a vulnerability" but PCI does (and Red Hat's statement is not a compensating control). So really, to make life less painful for people subjected to PCI scans, this should be clearly updated and noted in the httpd changelog. The patch httpd-2.0.52-escaperrs.patch appears to be out there. Am I the only one out there subjected to PCI scans?

From what I can determine, it appears CentOS 6 has httpd-2.2.19 -- so Apache versions > 2.2.8 have all of the above-noted CVEs fixed at the get-go and no backporting was required (hence it doesn't show up in the changelog). Thanks for checking Phil!

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: CentOS 5.6 and PCI Compliance

Post by pschaff » 2011/08/06 23:21:30

You are not alone. PCI compliance blind idiocy is widespread. All your issues are with the way [url=http://wiki.centos.org/FAQ/General?highlight=%28TUV%29#head-d29a2b7e61ffc544973098f9dd49fe4663efba50]TUV[/url] does things. Complaining to CentOS will do no good as they just rebuild what flows downstream. If you can't pass the security scan then you need a support entitlement with TUV. You can then ask them to help with your issues. We can't do more than provide the advice we have already provided.

broberts
Posts: 7
Joined: 2009/10/05 22:29:14

Re: CentOS 5.6 and PCI Compliance

Post by broberts » 2011/08/07 05:38:27

Thanks Phil, what you say makes sense and it is going to cause ongoing pain.

The main point of my original post was to see if other CentOS 5 users had some thoughts on addressing the problems I see. It sounds like CentOS 6 may help a reasonable amount as the baseline version of Apache is substantially newer, but maybe I should be looking at a distro that does things differently.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: CentOS 5.6 and PCI Compliance

Post by pschaff » 2011/08/07 10:36:13

I seriously doubt you will find a distro with better [i][b]real[/b][/i] stability and security, but if you do please let us know.

foxb
Posts: 1927
Joined: 2006/04/20 19:03:33
Location: Montreal/QC

Re: CentOS 5.6 and PCI Compliance

Post by foxb » 2011/08/08 15:07:24

[quote]
broberts wrote:
Thanks Phil, what you say makes sense and it is going to cause ongoing pain.

The main point of my original post was to see if other CentOS 5 users had some thoughts on addressing the problems I see. It sounds like CentOS 6 may help a reasonable amount as the baseline version of Apache is substantially newer, but maybe I should be looking at a distro that does things differently.
[/quote]

I do pass PCI with CentOS 5 - that's blind reading of the requirements. Reality is a bit different... but as already quoted, you need to contact TUV if you encounter problems, or get a consultant to do a preliminary scan. The CentOS team cannot help you.
