• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Resolved How to fix the TLS Poodle PCI Compliance issue

Edi Duluman

Edi Duluman

Basic Pleskian
Hello!

As the title suggests, I'm having trouble achieving a PCI Compliance scan from ControlScan, given they have partnered now with a payment processor that we use, PayVision.

I have dealt with all the other issues, and this would be the last one.

Code: 
IP Address: 136.243.78.229
Host: www.agency.as
Path: 

THREAT REFERENCE

Summary: 
server is susceptible to POODLE attack over TLS

Risk: High (3)
Port: 465/tcp
Protocol: tcp
Threat ID: misc_tls_poodletls

Details: SSL POODLE Attack
12/22/14
CVE 2014-8730
Only the SSLv3 protocol, and not the TLS protocol, is affected by this vulnerability. However, some TLS implementations, most notably in F5 and A10 devices, are known to be affected due to failure to enforce the protocol. 
Furthermore, even those clients and servers which correctly support TLS may still allow sessions to be downgraded to SSLv3 to allow compatibility with older peers. An attacker may be able to force this downgrade to occur by intercepting and modifying packets during the protocol negotiation phase, thus facilitating the POODLE attack.
10/15/14
CVE 2014-3566
The SSLv3 protocol, when used with CBC ciphers, is susceptible to an attack known as Padding Oracle On Downgraded Legacy Encryption (POODLE). The vulnerability arises because the padding is not deterministic and is not covered by the Message Authentication Code (MAC) and therefore cannot be verified during decryption. This may allow an invalid, specially crafted stream of ciphertext to have a one in 256 chance of being accepted. Each time such a stream is accepted, one byte of the plaintext data can be inferred.
An attacker who is able to intercept SSL sessions (as in a man-in-the-middle attack) can exploit this vulnerability using javascript code which forces a user's browser to send HTTPS requests to a server, and then modifying these requests such that the desired plaintext byte is aligned with the end of a block. If this is done repeatedly, the desired plaintext byte will eventually become known, and the attacker can move on to the next byte, and then the next, until the desired plaintext (for example, the user's session ID) is known in its entirety.

Information From Target:
Service: urd
Sent:
TLSv1 request with invalid padding
Received:
220 mobilselskapet.no ESMTP Postfix (Debian/GNU)

I have done all the changes in the main.cf file, disabled SSLv2 and SSLv3 ( took a peek at ssl_v3_disable.sh ) from Plesk KB.

It is weird that COMODO's SSL Analyzer results into the following:

Code: 
TLS v1.1 Supported   Immune to TLS POODLE
TLS v1.0 Supported   Immune to TLS POODLE
SSL v3.0 Not Supported   Immune to SSLv3 POODLE
SSL v2.0 Not Supported   Immune to DROWN

Then, Qualys SSL Test returns the following:

Code: 
POODLE (SSLv3) No, SSL 3 not supported
POODLE (TLS) No
Downgrade attack prevention Yes, TLS_FALLBACK_SCSV supported

But then, ControlScan's Compliance test reuslts into:

Code: 
server is susceptible to POODLE attack over TLS

Risk: High (3)
Port: 465/tcp
Protocol: tcp
Threat ID: misc_tls_poodletls

Information From Target:
Service: urd
Sent:
TLSv1 request with invalid padding
Received:
220 mobilselskapet.no ESMTP Postfix (Debian/GNU)

Any suggestions ? I know it's not Plesk's fault but it's worth asking.

Cheers!
 
Thank you very much! I did not know what else to do in order to overcome that issue. I'm running the last scan now and we should be good to go! Will update this with the result. Thank you

LE: This fixed the issue, thank you!
 
Last edited:
You must log in or register to reply here.

Similar threads

U
Issue Could not issue/renew Let`s Encrypt
Replies
6
Views
4K
phungkha
P
Mark12345
Issue A+ SSL/TLS Test - PCI Compliance - Ciphers - Oh My
Replies
8
Views
4K
Mark12345
Mark12345
K
Resolved Poodle fix for Plesk Onyx 17.5 / Debian 8?
Replies
2
Views
1K
King555
K
Mark12345
Resolved Failed SSL Report - Disable SSL v2 and v3???
Replies
6
Views
5K
Mark12345
Mark12345
Edi Duluman
Question How to fix cleartext IMAP / FTP
Replies
3
Views
3K
UFHH01
U
Back
Top