2

Hey guys, I have tried allowing the scanners IP to be accepted through IPTABLES into the SMTP port, but the scan still fails.

This is the error: The remote SMTP server is vulnerable to a buffer overflow.

The SMTP server doesn't even crash. I have tried white listing the IP in Exim but the scanner still gives the server and says the server is vulnerable to open relay. This is on a CentOS cPanel/WHM server. I have also enabled the SMTP tweak.

Does anyone know how to fix this?

Thanks

Warner
  • 23,756
  • 2
  • 59
  • 69
Darren
  • 85
  • 1
  • 8

5 Answers5

2

The result from your PCI scanning service is likely a false positive, though it can be hard to tell. Chances are they matched the version number of your SMTP program, it usually is announced on connection to port 25, and checked that product and version number against a list of known-vulnerable software. And found a match.

Since you are on Centos, the thing you need to do is go through the entire revision history of the SMTP service's RPM releases looking for a changelog that specifies security fixes. Chances are very good that RedHat has backported the buffer overflow vulnerability into the older revision, but you need to backtrack to be certain. Once that's done, you can flag this as a false positive.

Backporting of security patches is one of the main benefits of using a Linux with a support contract. Centos is the same thing, but you don't get to call in about anything you just get security patches.

sysadmin1138
  • 133,124
  • 18
  • 176
  • 300
  • Hi, I reviewed the changelog and it was fixed in an earlier version. After checking my exim log I found it was giving the STATE invalid for the error the scanner was trying to generate so I went into my IPTABLES and checked it out and it seems it is dropping the packets. I created a new INPUT rule that makes it so it will reject them. Do you think this will work: iptables -I INPUT 53 -p tcp --dport 25 -m state --state INVALID -j REJECT I added it to my chain. Thanks for the help and knowledge everyone. – Darren Aug 29 '10 at 05:39
  • Well that did not work guys. I am going to have to say it is a false positive. I hope they will accept that. – Darren Aug 29 '10 at 17:42
  • If you drop the scanner's IP, you are making the scan results invalid. You are not allowed to filter the external scanners traffic as per the PCI requirements. – Warner Aug 29 '10 at 18:56
  • We have contacted Trust Guard and are thinking it is a false positive. Even our hosting company's system admins think it is a false positive because they cannot reproduce the problem. – Darren Sep 01 '10 at 16:29
  • Hey sysadmin, it turns out it was a false positive. – Darren Sep 02 '10 at 20:10
1

Just an extension to @sysadmin1138 but you need to find the CVE number they provided for the vulnerability (likely CVE-200something-numbers). Google for that vulnerability and click on any link that says "RedHat", "CentOS" or even at a push "Fedora". That page will tell you if it was resolved, and in which versions it was resolved. Check your version of Exim against this and then explain your findings to the ASV who will mark it was a false positive.

You might be unlucky with it being CPanel (and not using standard repositories if I remember rightly).

James L
  • 6,025
  • 1
  • 22
  • 26
1

Likely a false positive based only on the version string returned in the connection response. It has likely already been patched in your particular version. You haven't mentioned which scanner you use, but it likely didn't actually try to exploit a buffer overflow - it's just basing what it sees on a database of versions and vulnerabilities.

** EDIT: THIS IS INCORRECT - SORRY: Also - the last time I read the specs (about 3 years ago) PCI compliance does not mean that you must pass any particular vulnerability scanning tool's tests - it only requires that you have procedures in place to do regular scanning and address issues, and the management controls to ensure that happens. **

I just reviewed the latest documents, and scanning by a compliant ASV appears to now be required. I may have misremembered, or it may have changed, either way, you're stuck with an outside company.

Did you actually fail a PCI audit, or is this just a service that claims to be a "PCI Compliant" scanner. Side note - have you read the revelant sections of PCI? If not, you should - it's not that bad.

Whatever scanner is telling you this, it should be giving you a vulnerability reference number from some publicly accessible vulnerability database. Give that a read, and then verify whether the package you have installed has that particular vulnerability patched or not, and then document that fact, and move on.

If you're paying an outside auditing firm to prepare you for a PCI audit and they aren't giving you these details, you should ask for them - and if they won't give them, run nessus yourself, it will tell you.

The open relay is correct - the external scanner service assumes it has the same view of your network as the rest of the internet. If you whitelist it, it's allowed to relay, and is going to assume everyone else is too. If port 25 is normally blocked to the public, then you should leave it blocked for the purposes of the scan - it's part of your security.

gabbelduck
  • 329
  • 1
  • 3
0

Wait which error are you getting, and what scanner is being used against your mail server? eEye Retina? Nessus?

In one sentence you say: "This is the error: The remote SMTP server is vulnerable to a buffer overflow."

...later in your question you say "I have tried white listing the IP in Exim but the scanner still gives the server and says the server is vulnerable to open relay."

Those are two completely different scanner findings... whitelisting the scanner IP in Exim would actually make your problem worse, not better. If you whitelist the IP of the scanner, it will think it can open relay through SMTP, which is a common problem with SMTP servers that spammers take advantage of.

Eric Gearhart
  • 191
  • 2
  • The error through the Trust Guard PCI service is The remote SMTP server is vulnerable to a buffer overflow. – Darren Aug 28 '10 at 23:51
0

A buffer overflow more often than not result in account compromise for the user running the daemon in question. Buffer overflows are sometimes Denial of Service but typically not and often end up being system level compromise after further research is done. If actually an issue, this can be a big deal. I would rank it between medium and high depending where it touches my infrastructure and the size of the footprint.

You are going to need to verify two core things:

  • The scanner should identify the exact vulnerability in question. Research it and attempt to reproduce/verify the vulnerability.
  • The scanner should identify the exact method used to determine the vulnerability, which is typically the easiest way to determine the legitimacy. If a false positive, it should be quite clear in the methods used versus what vulnerability is allegedly in scope.

I have found with Scan Alert (now McAfee) rarely produce false positives. Unless your Approved Scanner Vendor has a history of false positives, I would assume that it is a legitimate vulnerability until you prove otherwise.

If vulnerable, it should be easy enough to locate a supported patch for your distribution.

Warner
  • 23,756
  • 2
  • 59
  • 69
  • Yes I have checked my distribution and I have updated everything. I am now checking with our host to see if they have an answer. – Darren Aug 29 '10 at 23:16
  • Do you think switching my mail system from Exim to Postfix would correct it? – Darren Aug 29 '10 at 23:28
  • Most distributions backport security patches to older versions of software, which can sometimes cause false positives. If you research the vulnerability further, you should be able to confirm this. Changing software would eliminate any bugs specific to the software you're running now, yes. Probably not the best approach, however. – Warner Aug 29 '10 at 23:42