Kerio User Forums / Kerio Connect: PCI Compliance on 9.0.2 (Unable to pass PCI compliance)

Todeasa

Hi,

I have just upgraded to 9.0.2 without issues, but ports 993 and 995 are failing PCI compliance.

The message is

"Server is susceptible to POODLE attack over TLS".

Only the SSLv3 protocol, and not the TLS protocol, is affected by this vulnerability. However, some TLS implementations, most notably in F5 and A10 devices, are known to be affected due to failure to enforce the protocol.

Anyone have any ideas?

Thanks
Brian (GFI/Kerio)

Normally SSLv3 is disabled by default. You can disable it in the configuration file. Instructions are in this KB: http://kb.kerio.com/product/kerio-connect/server-configuration/security/configuring-ssl-tls-in-kerio-connect-1753.html

Brian Carmichael
Instructional Content Architect
ComputerBudda
Pavel Dobry (Kerio)

ComputerBudda wrote on Fri, 04 March 2016 17:58
I apply this app on all my servers.

https://www.nartac.com/Products/IISCrypto
And it has absolutely no effect on Kerio Connect services. For SSL/TLS services in Kerio Connect please refer to the KB article mentioned above.
Todeasa

I referenced the KB article and double checked my settings. All were set to default.

If you notice on the message, the fail point is not SSLv3 being turned on, but the failure of A5 and F10 (????) devices to enforce TLS. I understand that by having SSLv3 turned off entirely, Kerio cannot implement SSLv3, making this failure incorrect (I hope). However, it still fails PCI compliance scanning with the default settings.

Anyone have anything else?

Thanks again,

Corey
Todeasa

Hello again,

I found more info on the fail point:
THREAT REFERENCE

Summary:
server is susceptible to POODLE attack over TLS

Risk: High (3)
Port: 993/tcp
Protocol: tcp
Threat ID: misc_tls_poodletls

Details: SSL POODLE Attack
12/22/14
CVE 2014-8730
Only the SSLv3 protocol, and not the TLS protocol, is affected by this vulnerability. However, some TLS implementations, most notably in F5 and A10 devices, are known to be affected due to failure to enforce the protocol.
Furthermore, even those clients and servers which correctly support TLS may still allow sessions to be downgraded to SSLv3 to allow compatibility with older peers. An attacker may be able to force this downgrade to occur by intercepting and modifying packets during the protocol negotiation phase, thus facilitating the POODLE attack.
10/15/14
CVE 2014-3566
The SSLv3 protocol, when used with CBC ciphers, is susceptible to an attack known as Padding Oracle On Downgraded Legacy Encryption (POODLE). The vulnerability arises because the padding is not deterministic and is not covered by the Message Authentication Code (MAC) and therefore cannot be verified during decryption. This may allow an invalid, specially crafted stream of ciphertext to have a one in 256 chance of being accepted. Each time such a stream is accepted, one byte of the plaintext data can be inferred.
An attacker who is able to intercept SSL sessions (as in a man-in-the-middle attack) can exploit this vulnerability using javascript code which forces a user's browser to send HTTPS requests to a server, and then modifying these requests such that the desired plaintext byte is aligned with the end of a block. If this is done repeatedly, the desired plaintext byte will eventually become known, and the attacker can move on to the next byte, and then the next, until the desired plaintext (for example, the user's session ID) is known in its entirety.

Information From Target:
Service: imaps
Sent:
TLSv1 request with invalid padding
Received:
* OK Kerio Connect 9.0.2 IMAP4rev1 server ready

Hope this helps. I can always submit a false positive, but I want to make sure it is in fact false before submitting it.

Thanks
Johan Gunverth

SSL Labs Testing tool does not indicate any issues with POODLE TLS. The test went from A- for 9.0.1 to A for 9.0.2

https://www.ssllabs.com/ssltest
Todeasa

Hi Johan,

The SSL Labs test is not what is failing compliance; it is the controlscan.com PCI-DSS test, which tests all ports (e.g. 993 and 995, the ones failing), not just port 443 (which passes just fine).

Does anyone else here need to pass PCI compliance? Has anyone run a scan themselves to test?

Thanks
Pavel Dobry (Kerio)

It is a false result. Your server is not using SSLv3 on IMAPS or POP3S ports and therefore is not vulnerable. You can test it for example here: https://pentest-tools.com/network-vulnerability-scanning/ssl-poodle-scanner

SSL 3 is disabled:
~ pdobry$ openssl s_client -connect mail.xxxxxxxxx.xxx:993 -ssl3
CONNECTED(00000003)
1101:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s3_pkt.c:1145:SSL alert number 40
1101:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s3_pkt.c:566:

[Updated on: Mon, 07 March 2016 22:28]
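A defender-side check for the point Pavel makes above, written as an added example that is not part of the thread or of Kerio's own tooling: it classifies an `openssl s_client -ssl3` transcript as SSLv3 refused or negotiated, then probes the IMAPS and POP3S ports (993, 995) the scanner flagged. It assumes an OpenSSL build that still accepts the `-ssl3` option (newer builds reject it and the verdict becomes "unknown"); the two sample transcripts are constructed, modelled on the output quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Decide from an `openssl s_client -ssl3`
# transcript whether the server refused SSLv3 (the condition Pavel relies on).

# Constructed sample transcripts (not real captures).
SAMPLE_REFUSED='CONNECTED(00000003)
1101:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1145:SSL alert number 40
1101:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:566:'
SAMPLE_NEGOTIATED='CONNECTED(00000003)
---
New, SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA'

# Reads a transcript on stdin and prints one word:
#   disabled - handshake_failure alert (alert number 40) or no cipher agreed
#   enabled  - an SSLv3 session was actually negotiated
#   unknown  - inconclusive (connection refused, option unsupported, ...)
# The alert checks come first because s_client still prints a session block
# after a failed handshake.
classify_ssl3_transcript() {
    out=$(cat)
    case "$out" in
        *"alert number 40"*|*"alert handshake failure"*|*"Cipher is (NONE)"*|*"wrong version number"*)
            printf 'disabled\n' ;;
        *Protocol*:*SSLv3*)
            printf 'enabled\n' ;;
        *)
            printf 'unknown\n' ;;
    esac
}

# Probe one host:port with SSLv3 only; "Q" on stdin makes s_client quit.
probe_ssl3() {
    printf 'Q\n' | openssl s_client -connect "$1:$2" -ssl3 2>&1 | classify_ssl3_transcript
}

# Check the two mail ports from the scan report; exit 1 if either accepts SSLv3.
check_mail_ports() {
    rc=0
    for port in 993 995; do
        verdict=$(probe_ssl3 "$1" "$port")
        printf '%s:%s SSLv3 %s\n' "$1" "$port" "$verdict"
        [ "$verdict" = enabled ] && rc=1
    done
    return $rc
}

if [ "$#" -gt 0 ]; then check_mail_ports "$1"; fi
```

Note that this only confirms SSLv3 is refused; the scanner's "TLSv1 request with invalid padding" probe tests the TLS padding check itself, which the pentest-tools scanner linked above covers.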
