PCI DSS compliance with 8.3.2 failing (SysNet scan returns failure for BEAST and POODLE even with custom CFG)
Abramax

Messages: 13
Karma: 0
Running the Sysnet vulnerability scan, accessed from the website of our smartcard terminal provider, returns a load of warnings and some failures. I've already set the two CFG tweaks:
- <variable name="SSLDontInsertEmptyFragments">0</variable>
- <variable name="DisableRC4SHA">0</variable>
and restarted KC but the scan still reports:
- vulnerable Kerio MailServer version: 8.3.2 25/tcp / Kerio Mailserver Vulnerabilities / CVE ID: CVE 2014-3566
- server is susceptible to BEAST attack 465/tcp (and 8843/tcp) / Browser Exploit against SSL TLS / CVE ID: CVE 2011-3389

Does anyone have a recommendation for this, please? I don't think 8.3.4 will help.
ComputerBudda

Messages: 106
Karma: 5
Try this tool.

https://www.nartac.com/Products/IISCrypto/ I ran that on my Windows host server

also you do need to go to 8.3.4
Pavel Dobry (Kerio)

Messages: 5239
Karma: 251
ComputerBudda wrote on Wed, 12 November 2014 19:06
Try this tool.

https://www.nartac.com/Products/IISCrypto/ I ran that on my Windows host server

also you do need to go to 8.3.4


This tool is useless for Kerio Connect customers. It changes IIS configuration, not Kerio Connect.

You need to disable both SSL 3.0 and TLS 1.0 in order to mitigate both the BEAST and POODLE vulnerabilities. Both can be done in the mailserver.cfg file while Kerio Connect is stopped (see http://tinyurl.com/KerioPoodle). It is worth mentioning that some clients using SSL 3.0 or TLS 1.0 only (with no support for TLS 1.1 or 1.2) may not be able to communicate with Kerio Connect after this.

[Updated on: Wed, 12 November 2014 20:05]

Lukas Petrlik (Kerio)

Messages: 117
Karma: 7
Abramax wrote on Wed, 12 November 2014 18:59
- vulnerable Kerio MailServer version: 8.3.2 25/tcp / Kerio Mailserver Vulnerabilities / CVE ID: CVE 2014-3566
You should either upgrade Connect to version 8.3.4p1 or disable SSL 3.0 altogether (stop Connect and set "DisableSSLv3" to 1 in mailserver.cfg).

Quote:
- server is susceptible to BEAST attack 465/tcp (and 8843/tcp) / Browser Exploit against SSL TLS / CVE ID: CVE 2011-3389
The setting you made should suffice, see http://kb.kerio.com/product/kerio-connect/server-configuration/security/pci-dss-compliance-1301.html . I think that some scanning tools are imperfect.
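The two staff replies above describe the same procedure: stop Kerio Connect, edit the SSL/TLS variables in mailserver.cfg, and start it again. The script below is an added example (not Kerio's code or anything from this thread) that audits a mailserver.cfg copy for the three variables the thread names (SSLDontInsertEmptyFragments, DisableRC4SHA, DisableSSLv3, with the values the posts give) and produces a hardened copy for review. It assumes mailserver.cfg is an XML document whose `<variable name="...">` elements may sit inside `<table>` sections (the nesting and the "Security" table name in the constructed sample are assumptions; the audit walks the whole tree so the real layout does not matter). The thread does not name the variable that disables TLS 1.0, so instead of guessing it the script lists every other variable whose name mentions SSL or TLS for comparison against the KB article.

```python
"""Audit and harden the SSL/TLS variables of a Kerio Connect mailserver.cfg.

Added example, not Kerio code. Variable names and expected values come from
the forum thread: DisableSSLv3=1 (POODLE, CVE-2014-3566) per Kerio staff, and
SSLDontInsertEmptyFragments=0 / DisableRC4SHA=0 as the original poster set
them for BEAST (CVE-2011-3389). Write any changes back only while Kerio
Connect is stopped, as the thread says.
"""
import xml.etree.ElementTree as ET

# Expected hardened values, as stated in the thread.
EXPECTED = {
    "DisableSSLv3": "1",                 # POODLE mitigation
    "SSLDontInsertEmptyFragments": "0",  # BEAST tweak
    "DisableRC4SHA": "0",                # BEAST tweak
}

# Constructed sample reproducing the original poster's state: BEAST tweaks
# in place, SSL 3.0 still enabled. The <config>/<table> nesting is assumed.
SAMPLE_CFG = """<?xml version="1.0"?>
<config>
  <table name="Security">
    <variable name="SSLDontInsertEmptyFragments">0</variable>
    <variable name="DisableRC4SHA">0</variable>
    <variable name="DisableSSLv3">0</variable>
    <variable name="UnrelatedSetting">1</variable>
  </table>
</config>
"""


def load_variables(cfg_text):
    """Return {name: value} for every <variable name=...> anywhere in the tree."""
    root = ET.fromstring(cfg_text)
    return {
        el.get("name"): (el.text or "").strip()
        for el in root.iter("variable")
        if el.get("name")
    }


def audit(cfg_text, expected=EXPECTED):
    """Compare the config against the expected values.

    Returns {name: (status, actual_value)} with status "ok", "mismatch"
    or "missing"; actual_value is None when the variable is absent.
    """
    actual = load_variables(cfg_text)
    report = {}
    for name, want in expected.items():
        if name not in actual:
            report[name] = ("missing", None)
        elif actual[name] != want:
            report[name] = ("mismatch", actual[name])
        else:
            report[name] = ("ok", actual[name])
    return report


def tls_related(cfg_text, expected=EXPECTED):
    """Other variables mentioning SSL/TLS, to compare with the KB article."""
    return {
        name: value
        for name, value in load_variables(cfg_text).items()
        if name not in expected and ("SSL" in name.upper() or "TLS" in name.upper())
    }


def harden(cfg_text, expected=EXPECTED):
    """Return a copy of the config text with the expected values applied.

    Existing variables are updated in place; missing ones are appended to the
    first <table> (or to the root if there is none) so the result can be
    diffed against the original before it is written back.
    """
    root = ET.fromstring(cfg_text)
    present = {el.get("name"): el for el in root.iter("variable") if el.get("name")}
    parent = root.find(".//table")
    if parent is None:
        parent = root
    for name, want in expected.items():
        if name in present:
            present[name].text = want
        else:
            ET.SubElement(parent, "variable", name=name).text = want
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, (status, value) in audit(SAMPLE_CFG).items():
        print(f"{name:30s} {status:9s} actual={value!r} expected={EXPECTED[name]!r}")
    print("other SSL/TLS variables:", tls_related(SAMPLE_CFG))
    hardened = harden(SAMPLE_CFG)
    assert all(status == "ok" for status, _ in audit(hardened).values())
    print("hardened copy passes the audit")
```

Run it against a copy of the real file (`audit(open(path).read())`) to see which of the three thread-named variables still differ from the posted values; on the constructed sample it reports DisableSSLv3 as a mismatch (0 instead of 1), which is exactly the POODLE finding the scanner flagged.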