• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion
  • Inviting everyone to the UX test of a new security feature in the WP Toolkit
    For WordPress site owners, threats posed by hackers are ever-present. Because of this, we are developing a new security feature for the WP Toolkit. If the topic of WordPress website security is relevant to you, we would be grateful if you could share your experience and help us test the usability of this feature. We invite you to join us for a 1-hour online session via Google Meet. Select a convenient meeting time with our friendly UX staff here.

PCI Compliance - courier imap,netqmail

S

snowfire

Guest
Hi,
I'm new to plesk, and php/linux, and I need some guidance regarding two pci issues a client has.
first, I have read and implemented the plesk pci guide.
my server is as follows (media temple hosted, new dv 4.0 server):

Version Parallels Plesk Panel v10.3.1_build1012110812.15 os_CentOS 5
OS Linux 2.6.18-028stab093.2
I have two outstanding issues that Security metrics has identified:
1. Description: possible format string vulnerability in Courier IMAP Severity:
Resolution: Upgrade to Courier IMAP 3.0.4 or higher, or set DEBUG_LOGIN equal to the default value of 0 in the IMAP configuration file, which is typically located in /usr/lib/courier-imap/etc/imapd
2. Description: possible vulnerability in Qmail Severity: Potential Problem CVE: CVE-2005-1513 CVE-2005-1514 CVE-2005-1515:
Resolution On 32-bit platforms, [http://www.qmail.org] upgrade to [http://www.qmail.org/netqmail/] netqmail 1.05 or later. netqmail consists of Qmail 1.03 and important patches. On 64-bit platforms, upgrade to netqmail 1.06 or later, which will presumably contain a fix, when available.


for 1, I looked in the specified location, that folder (etc/imapd) did not exist. I found this folder: /etc/courier-imap/imapd.cnf, but in the Debug_Login was set to 0 there. can anyone tell me where to find the configuration file, or how to resolve this issue?
2. how do I find out what version of qmail I am running, and how would I upgrade it to netqmail?

thank you for reading
Debbie Wright
 
Hi Debbie,

For number 1, run the following two commands on your server and send the output to SecurityMetrics :

Command 1 : yum list installed | grep courier-imap
Command 2 : grep DEBUG_LOGIN /etc/courier-imap/imapd

This should be sufficient to prove mitigation.

For number 2, try this (I honestly don't know if this will work, but could do with finding out!) :

Command : yum list installed | grep qmail
Send the output along with the info below :

Qmail is labelled version 1.03 but is a Plesk patched version of qmail, the following links provide the info on the patches applied :
Parallels KB article which contains the link to the archive of patches : http://kb.parallels.com/en/1161
Link to archive of applied qmail patches : http://kb.parallels.com/Attachments/806/Attachments/plesk93_qmail_patches.tgz

We regularly have to provide mitigation for your first issue, but for the 2nd, we've only seen it once before and we've yet to get back confirmation that its mitigation from SecurityMetrics.

If its not then I've got a lot of Plesk's to convert to Postfix :(

Paul.
 
Paul

That worked. they accepted the documentation for both issues without question.
 
Excellent, thanks for letting me know, we're starting to see both of these come up with depressing regularity in the last week or so.
 
Yeah thats just a bad vulnerablity scanner there for the 2nd issue. Its working off a pure banner grab to determine the version.
 
Yeah, I don't like doing it because its against the spirit of compliance but I'm going to see if there's a way to block giving out the versions for both, in which case they'll just pass. We know (at least as of right now) that the issue is not there, and its additional work for all involved to have to submit mitigation.

Still... I find SecurityMetrics to be one of the better PCI Compliance scanners simply because their notifications are not deliberately vague or incomprehensible.
 
PCI compliance

Hi All, I have the following issue, have you been able to resolve this?

Protocol Port Program Risk Summary
TCP 25 smtp 5 Description: possible vulnerability in Qmail Severity: Potential Problem CVE: CVE-2005-1513 CVE-2005-1514 CVE-2005-1515 Impact: The vulnerability can be exploited to crash the current SMTP process and cause denial of service by consuming resources. It is theoretically possible, though considered unlikely, that an attacker could execute arbitrary code. Background: Qmail is an open-source SMTP server. It was designed to be a secure replacement for sendmail/binmail. Resolution On 32-bit platforms, [http://www.qmail.org] upgrade to [http://www.qmail.org/netqmail/] netqmail 1.05 or later. netqmail consists of Qmail 1.03 and important patches. On 64-bit platforms, upgrade to netqmail 1.06 or later, which will presumably contain a fix, when available. Vulnerability Details: Service: smtp
 
Hello, Gents.

Mentioned in #2 vulnerabilities have been fixed in qmail shipped by Plesk for many years ago.

Updated qmail with hidden version will be delivered with further Plesk updates soon.
 
As a follow up suggestion there, referencing the CVE inside the %changelog of the rpm package is the standard for documenting backported fixes. Additionally doing that allows you to can directly reference a fix using the yum security plugin with the --cve, --security, --bz, and --advisory flags.
 
You must log in or register to reply here.

Similar threads

D
PCI compliance still fails due to SSL Renegotiation DoS vulnerability in Qmail/IMAP
Replies
2
Views
3K
DragonAss
D
D
PCI Compliance Issues
Replies
2
Views
2K
Jllynch
Jllynch
D
Help with PCI compliance | SMTP SSL | Courier IMAP | Port 3306
Replies
2
Views
4K
Deoxymono
D
Back
Top