PCI compliance vulnerabilities

General discussions and other topics.
3 posts Page 1 of 1
by mollynelson » Mon Dec 10, 2018 3:38 pm
Hello! We're a Sonic internet customer going through the PCI (Payment Card Industry) compliance process for the first time. When we did the required scan of our network, it returned four "vulnerabilities" - below is the information provided about each one. Sonic phone support wondered if the items flagged on the scan might be to do with Sonic's remote access to our equipment, in which case the remote access could be turned off.

Thank you!

1. server is susceptible to SSL POODLE attack

Risk: High (3)
Port: 50001/tcp
Protocol: tcp
Threat ID: misc_tls_poodle

Details: SSL POODLE Attack
12/22/14
CVE 2014-8730
Only the SSLv3 protocol, and not the TLS protocol, is affected by this vulnerability. However, some TLS implementations, most notably in F5 and A10 devices, are known to be affected due to failure to enforce the protocol.
Furthermore, even those clients and servers which correctly support TLS may still allow sessions to be downgraded to SSLv3 to allow compatibility with older peers. An attacker may be able to force this downgrade to occur by intercepting and modifying packets during the protocol negotiation phase, thus facilitating the POODLE attack.
10/15/14
CVE 2014-3566
The SSLv3 protocol, when used with CBC ciphers, is susceptible to an attack known as Padding Oracle On Downgraded Legacy Encryption (POODLE). The vulnerability arises because the padding is not deterministic and is not covered by the Message Authentication Code (MAC) and therefore cannot be verified during decryption. This may allow an invalid, specially crafted stream of ciphertext to have a one in 256 chance of being accepted. Each time such a stream is accepted, one byte of the plaintext data can be inferred.
An attacker who is able to intercept SSL sessions (as in a man-in-the-middle attack) can exploit this vulnerability using javascript code which forces a user's browser to send HTTPS requests to a server, and then modifying these requests such that the desired plaintext byte is aligned with the end of a block. If this is done repeatedly, the desired plaintext byte will eventually become known, and the attacker can move on to the next byte, and then the next, until the desired plaintext (for example, the user's session ID) is known in its entirety.

Information From Target:
Service: 50001:TCP
Server accepted SSLv3 CBC cipher: TLS_RSA_WITH_3DES_EDE_CBC_SHA

2. Server supports TLS 1.0 protocol

Risk: High (3)
Port: 50001/tcp
Protocol: tcp
Threat ID: misc_tls_tls10

Details: A service supporting outdated versions of TLS or SSL was detected. TLS 1.0 and SSLv3 are affected by known flaws which could allow
man-in-the-middle attacks, such as
BEAST and
POODLE.

Information From Target:
Service: 50001:TCP
Server accepted TLS 1.0 handshake with TLS_RSA_WITH_RC4_128_MD5 cipher

3. SSL/TLS server supports RC4 ciphers

Risk: High (3)
Port: 50001/tcp
Protocol: tcp
Threat ID: misc_tls_rc4

Details: Ciphertext Bias Weakness
CVE 2013-2566
The encrypted stream which is output by the RC4 cipher contains small biases. This results in ciphertext which isn't truly random when the same plaintext is encrypted with different RC4 keys. This could make it easier for an attacker who can view network traffic to decrypt parts of the plaintext which are typically encrypted many types, such as browser cookies, ultimately leading to session hijacking.
Invariance Weakness and Bar Mitzvah attack
04/28/15
CVE 2015-2808
Some RC4 keys contain a pattern which causes part of the state permutation to remain intact throughout the initialization process, resulting in leakage of plaintext bytes. This is known as the Invariance Weakness. This weakness can be used to partially decrypt TLS/SSL sessions which use affected keys in an attack known as Bar Mitzvah. An attacker would need to be able to sniff network traffic in order to exploit this vulnerability, and most RC4 keys do not have this weakness.

Information From Target:
Service: 50001:TCP
Server accepted SSLv3 RC4 cipher: TLS_RSA_WITH_RC4_128_MD5

4. Server supports SSLv3 protocol

Risk: High (3)
Port: 50001/tcp
Protocol: tcp
Threat ID: misc_tls_ssl3

Details: A service supporting outdated versions of TLS or SSL was detected. TLS 1.0 and SSLv3 are affected by known flaws which could allow
man-in-the-middle attacks, such as
BEAST and
POODLE.

Information From Target:
Service: 50001:TCP
Server accepted SSLv3 handshake with TLS_RSA_WITH_RC4_128_MD5 cipher
by mollynelson » Mon Dec 10, 2018 3:44 pm
I'm not sure how best to ask to be contacted back about this or how to tell you what account this is for securely... the phone support rep instructed me to post here, if this would be better emailed in I'm happy to do that!
by m.harmon » Mon Dec 10, 2018 4:54 pm
PCI stuff can be a bit complex. Take a look at this other thread and it might give you a better idea.

viewtopic.php?f=10&t=3072&p=30048&hilit=PCI+compliance#p30048
M. Harmon
Sonic Customer Support
3 posts Page 1 of 1

Who is online

In total there are 6 users online :: 1 registered, 0 hidden and 5 guests (based on users active over the past 5 minutes)
Most users ever online was 422 on Sat May 26, 2012 5:28 am

Users browsing this forum: apl and 5 guests