
View Full Version : [ubuntu] 10.04 LTS, Apache2, PHP5, OpenLDAP and PCI DSS Compliance



JSeymour
August 4th, 2012, 10:40 PM
Good Day,

For PCI DSS reasons, our outside servers were recently scanned by a security auditing/compliance firm. Imagine my surprise when I got back, amongst other things:



Title: vulnerable Apache version: 2.2.14
Impact: A remote attacker could crash the web server or execute arbitrary commands.
Data Received: Server: Apache/2.2.14 (Ubuntu)
Resolution: [http://httpd.apache.org/download.cgi] Upgrade Apache 2.0.x to a version higher than 2.0.64 when available, 2.2.x to 2.2.22 or higher, or a version higher than 2.4.1.
Risk Factor: High / CVSS2 Base Score: 10.0

Title: vulnerable PHP version: 5.3.2
Impact: Remote attackers may be able to gain unauthorized access to the web server, cause a denial of service or information disclosure, or execute arbitrary code.
Data Sent:
  GET / HTTP/1.0
  Host: 97.78.161.178
  User-Agent: Mozilla/4.0
Data Received: X-Powered-By: PHP/5.3.2-1ubuntu4.17
Resolution: PHP should be [http://www.php.net/downloads.php] upgraded to 5.2.17 or higher for 5.2.x, to a version higher than 5.3.12 for 5.3.x, ...
Risk Factor: High

From a bit of searching, it does not appear there has been, or will be, any effort to fix this.

Furthermore, the scan "questioned" the version of OpenLDAP on the server:



Title: Is your LDAP secure?
Impact: If an application uses a vulnerable implementation of LDAP, an attacker could cause a denial of service or execute arbitrary commands. ...
Risk Factor: High
The CERT advisory referenced did not apply (it was for an older version), so I at first thought I was okay. But then I thought to make sure. Sure enough: Scanning one of my security mailing lists, I found



Title: OpenLDAP LDAP Search Request Remote Denial of Service
Description: OpenLDAP is an implementation of the Lightweight Directory Access Protocol. The implementation is exposed to a remote denial of service issue. Specifically, the issue occurs when processing a crafted LDAP search request with "attrsOnly" set to true. OpenLDAP versions prior to 2.4.30 are affected.

It was reported [1],[2] that OpenLDAP's slapd daemon would crash when it received a request to modify a DN that submits an empty old DN in the request. No binding is necessary, so even an anonymous user could cause slapd to crash. This was reported against OpenLDAP 2.4.23 and was fixed in 2.4.24 [3].

Title: OpenLDAP Multiple Security Bypass Vulnerabilities
Description: OpenLDAP is an implementation of the Lightweight Directory Access Protocol. OpenLDAP is exposed to multiple security bypass issues. Successfully exploiting these issues will allow attackers to bypass security restrictions and perform unauthorized actions. OpenLDAP versions prior to 2.4.24 are affected.

The repos claim I'm up-to-date with 2.4.21.

I foolishly (it turns out) assumed that "LTS" meant I could reasonably expect serious security issues would be addressed in a timely manner. I guess I know better, now.

So I'm guessing it's back to building my own from tarballs :(

Jim

bobmct
August 5th, 2012, 09:52 PM
Hi Jim,

Boy, the old PCI DSS compliance issue can be a real PITA, right?

Here's what I would recommend: first and foremost, plan on either upgrading your server OS version to 12.04 LTS or updating the components (apache, ldap, etc.) on your current version. The point is to get the affected components to their most current level. Many security fixes are included from patch to patch and release to release. Once done, try searching for some outside services that will perform specific penetration tests for the referenced ports/services. They may or may not return the same result as your outside pen-test vendor.

If you become current and you still receive the warnings then do some google research to determine if the specific issue has been resolved by the utility and/or OS vendor -OR- find some online docs that discuss how the particular utils are in fact secure.

I've seen a number of compliance/pen-test vendors that are Windows-centric and return FALSE results when probing Linux servers.

If you are confident in the upgrades and have some documentation to substantiate your claims then share with your supervisors your challenge of the selected vendor's findings. It would not be the first time such tests were misleading and/or misinterpreted.

Hope this helps and good luck.

SeijiSensei
August 6th, 2012, 05:09 AM
Version numbers may or may not have anything to do with actual vulnerabilities. You really need to have them tell you which CVEs they think the server exposes. For instance, my CentOS 6.2 server allegedly runs 2.2.15, but the most recent vulnerabilities are patched in that version through backports. From the changelog for Apache on RedHat/CentOS:

"* Mon Feb 06 2012 Joe Orton <jorton@redhat.com> - 2.2.15-15.1
- add security fixes for CVE-2011-4317, CVE-2012-0053, CVE-2012-0031,
CVE-2011-3607 (#787598)
- obviates fix for CVE-2011-3638, patch removed"

For Ubuntu 10.04 the same story applies. Read the changelog (http://changelogs.ubuntu.com/changelogs/pool/main/a/apache2/apache2_2.2.14-5ubuntu8.9/changelog) here. The last round of security problems in Apache were fixed there as well. If you're running that version of apache2, I'm pretty sure the vulnerabilities the outside testers are claiming have been fixed through backports.

The current php5 version for 12.04 is 5.3.10, so for Ubuntu servers upgrading to 12.04 should fix both problems. However, again, it appears that the vulnerabilities in php5 were fixed via backports (http://changelogs.ubuntu.com/changelogs/pool/main/p/php5/php5_5.3.2-1ubuntu4.17/changelog) in 10.04.


I foolishly (it turns out) assumed that "LTS" meant I could reasonably expect serious security issues would be addressed in a timely manner. I guess I know better, now.

My guess is that these guys don't really know much about Linux distributions if they are relying entirely on version numbers and not looking into whether the specific vulnerabilities have been fixed via backports. The whole point of stable versions with security updates like the Ubuntu LTS versions is to backport security fixes as required but leave the rest of the software unchanged. I would require the pen-testing firm to provide a list of the specific vulnerabilities they believe exist in your server with the CVE numbers assigned to them. I'll be really surprised if that list includes anything that hasn't already been patched.

JSeymour
August 6th, 2012, 06:45 PM
Hi Bob, SeijiSensei,

Thanks for your comments.

Yes, I'm certain they're going by only version numbers. And, SeijiSensei, thanks for waking me up. I knew about back-porting and completely forgot about it.

I guess I'll have to examine the CVEs vs. the Ubuntu 10.04 ChangeLog and see if the ones they're talking about have been addressed.

I may have no choice but to build and install the latest tarballs, anyway. We'll see.

Jim