lighttpd (aka sw-cp-server) security and PCI compliance issues

[HostaHost]

Does anyone know what actual version of lighttpd the sw-cp-server is based on? The version output it spits out always says 1.0.0 while the Plesk rpm will be 1.0.6 or 1.0.7 (plesk 9 vs 10). However, I can't imagine those are the actual versions of lighttpd because there hasn't been a 1.0.x release of that in 7+ years from what I can tell.

The reason I ask is because the current Plesk lighttpd-based web server in both version 9 and 10 (haven't tried 11 yet) is vulnerable to SSL renegotiation attacks CVE CVE-2011-1473 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1473) and the SSL BEAST attack (https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls). Several PCI scanning companies are starting to fail sites over either, or both, of these alerts due to port 8443 having the vulnerabilities.

lighttpd versions 1.4.30 and newer from late 2011 resolve this issue:

http://redmine.lighttpd.net/versions/28

ssl: disable client initiated renegotiations
ssl: support mitigating BEAST attack


Has Parallels customized lighttpd in any way beyond the config files or could we potentially drop a copy of 1.4.31 on top of the sw-cp-server binary to close the vulnerability?

 

[HostaHost]

Parallels; any update on this? Plesk 9 and 10 FAIL PCI because of this issue. The issue has already been fixed in later versions of lighttpd. Can we overwrite, or do we have to wait for you to fix it? And if we have to wait, will you ever fix it?

 

[HostaHost]

This is not a difficult question; can I please get an answer Parallels?

 

[OlegN]

Hello, Hostasaurus.Com

think I can provide you binary files of sw-cp-serverd.
could you please provide OS version and arch (x32/x64) of plesk 10.4.4 instance which have to be PCI compliance?

 

[HostaHost]

That would be very helpful; we need it for centos 5 in 32bit and 64bit, and centos 6 in only 64bit.

 

[mouse Jerry]

I too need thid fix for PCI complience

This is my current server info


OS Linux 2.6.18-194.17.1.el5
Panel version 10.4.4 Update #41, last updated at Aug 6, 2012 04:04 AM

as you can see I can't upgrade cleanly to 11 because lack of support for this version of linux. or at least that is what the upgrade process is telling me. Please help us here!

this is the PCI report from trustwave.com
----------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------
SSLv2 Supported
This SSL service supports SSLv2 connections. SSLv2 has known
cryptographic weaknesses that can lead to the compromise of data
encrypted during the SSL session. Secure web applications should
only enable SSLv3, TLSv1, or newer. SSLv3 was released in 1996
with numerous security enhancements over SSLv2. TLSv1 was
introduced in 1999 as an enhancement to the security features of
SSLv3. All modern browsers have support for both SSLv3 and TLSv1,
and often disable support for SSLv2 in the interests of security. The
PCI ASV Operational Requirements requires that if SSLv2 is used in
the transmission of cardholder data, this must result in a failure. This
was clarified in the PCI "Assessor Update: November 2008" (see the
reference link in this finding).
CVSSv2: AV:N/AC:L/Au:N/C/I:N/A:N(5.00)
Reference: http://support.microsoft.com/kb/187498,
http://httpd.apache.org/docs/2.2/ssl/, http://www.schneier.com/paperssl.
pdf
Service: https
----------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------
Jerry Daub
[email protected]

Nantucket.net

 

[HostaHost]

This is my current server info


OS Linux 2.6.18-194.17.1.el5
Panel version 10.4.4 Update #41, last updated at Aug 6, 2012 04:04 AM

as you can see I can't upgrade cleanly to 11 because lack of support for this version of linux. or at least that is what the upgrade process is telling me. Please help us here!

this is the PCI report from trustwave.com
SSLv2 Supported

SSLv2 has nothing to do with this thread, this is about PCI failures for SSL renegotiation. See http://forum.parallels.com/showthread.php?t=261825 for the appropriate cipher.lst file for fixing the SSLv2 issue.

 

[OlegN]

sw-cp-serverd have to be stopped by command:

/etc/init.d/sw-cp-server stop

Following files have to be backuped and than replaced:

/usr/sbin/sw-cp-serverd

for x32:
/usr/lib/sw-cp-server/modules/

for x64:
/usr/lib64/sw-cp-server/modules/


Start sw-cp-serverd by command:
/etc/init.d/sw-cp-server start


Now default cipher will be DHE-RSA-AES256-SHA

 

[HostaHost]

Oleg, this update appears to be incompatible with Plesk Billing 10. I installed it on our billing system and it turns the login screen into an endless redirect back to itself. The regular servers appear to work correctly after the update, just Plesk Billing (i.e. https://xyz:8443/plesk-billing/admin/login.php) no longer works.

 

[HostaHost]

Any update for those using the billing system?