PCI compliance and backporting

Due to the complex and sensitive environments of today's world, many groups of servers require quarterly or annual security audits, especially if they are in scope for PCI DSS.

Unfortunately for sysadmins, most security scanning tools are blind to the backports done by both Red Hat and Novell (SUSE): they compare the package version string they see against the upstream release that first fixed a CVE and flag anything older, regardless of what the vendor has patched into that build.

Backporting is where security patches are applied to the older (current) version of a package that shipped with a particular version of the operating system. So while you have one major version of the package installed, it will have many different fixes backported into it; those fixes show up in the package release number and changelog, not in the upstream version number.

The process itself is explained in more detail here: https://access.redhat.com/site/security/updates/backporting/?sc_cid=3093

So how do you deal with the long list of items the security team comes back with, stating that the version of the package you have installed is old, crippled and broken and that you need to fix it?

The best thing to do is to always keep the OS current with patches. Beyond that, you can pull the list of fixes applied to each particular package (openssl etc.) out of the RPM changelog and cross-reference it against the CVEs in the audit report to answer the auditors.

# rpm -qa | grep openssl
[root@host1 ~]# rpm -q --changelog openssl | grep CVE
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
- fix CVE-2013-4353 - Invalid TLS handshake crash
- fix CVE-2013-6450 - possible MiTM attack on DTLS1
- fix CVE-2013-6449 - crash when version in SSL structure is incorrect
- fix for CVE-2013-0169 - SSL/TLS CBC timing attack (#907589)
- fix for CVE-2013-0166 - DoS in OCSP signatures checking (#908052)
environment variable is set (fixes CVE-2012-4929 #857051)
- fix for CVE-2012-2333 - improper checking for record length in DTLS (#820686)
- properly initialize tkeylen in the CVE-2012-0884 fix
- fix for CVE-2012-2110 - memory corruption in asn1_d2i_read_bio() (#814185)
- fix for CVE-2012-0884 - MMA weakness in CMS and PKCS#7 code (#802725)
- fix for CVE-2012-1165 - NULL read dereference on bad MIME headers (#802489)
- fix for CVE-2011-4108 & CVE-2012-0050 - DTLS plaintext recovery
- fix for CVE-2011-4576 - uninitialized SSL 3.0 padding (#771775)
- fix for CVE-2011-4577 - possible DoS through malformed RFC 3779 data (#771778)
- fix for CVE-2011-4619 - SGC restart DoS attack (#771780)
- initialize the X509_STORE_CTX properly for CRL lookups - CVE-2011-3207
- fix OCSP stapling vulnerability - CVE-2011-0014 (#676063)
- disable code for SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG - CVE-2010-3864
- fix race in extension parsing code - CVE-2010-3864 (#649304)
- fix wrong ASN.1 definition of OriginatorInfo - CVE-2010-0742 (#598738)
- fix information leak in rsa_verify_recover - CVE-2010-1633 (#598732)
- fix CVE-2009-4355 - leak in applications incorrectly calling
- fix CVE-2009-3555 - note that the fix is bypassed if SSL_OP_ALL is used
- fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379
- fix CVE-2008-0891 - server name extension crash (#448492)
- fix CVE-2008-1672 - server key exchange message omit crash (#448495)
- fix CVE-2007-5135 - off-by-one in SSL_get_shared_ciphers (#309801)
- fix CVE-2007-4995 - out of order DTLS fragments buffer overflow (#321191)
- CVE-2007-3108 - fix side channel attack on private keys (#250577)
- CVE-2006-2940 fix was incorrect (#208744)
- fix CVE-2006-2937 - mishandled error on ASN.1 parsing (#207276)
- fix CVE-2006-2940 - parasitic public keys DoS (#207274)
- fix CVE-2006-3738 - buffer overflow in SSL_get_shared_ciphers (#206940)
- fix CVE-2006-4343 - sslv2 client DoS (#206940)
- fix CVE-2006-4339 - prevent attack on PKCS#1 v1.5 signatures (#205180)

Then you can go to https://access.redhat.com/security/cve/, look up each CVE, and provide the details of the patch (the erratum and the package build that carries the fix) to the auditors. Do check that the build named in the erratum is the one actually installed (rpm -q openssl): a changelog entry proves the fix exists in that build, not that this host has been updated to it.
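Here is the cross-reference step as a small POSIX shell script. This is an added example, not code from the original post: the changelog excerpt and the scanner findings are constructed inline so it runs without rpm installed; on a real host you would replace CHANGELOG with the output of rpm -q --changelog for the package in question.

```shell
#!/bin/sh
# Added example: triage a scanner's CVE list against an RPM changelog.
# On a real system the changelog comes from the vendor package, e.g.:
#   CHANGELOG=$(rpm -q --changelog openssl)
# The text below is a constructed excerpt for offline use.
CHANGELOG='- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
- fix for CVE-2013-0169 - SSL/TLS CBC timing attack (#907589)
- fix for CVE-2011-4108 & CVE-2012-0050 - DTLS plaintext recovery'

# Hypothetical findings from a version-based scanner (constructed), one CVE per line.
SCAN_FINDINGS='CVE-2014-0160
CVE-2013-0169
CVE-2012-0050
CVE-2014-0224'

# cve_fixed CVE-ID CHANGELOG_TEXT
# Exit 0 if the changelog mentions the CVE as a whole word (so CVE-2012-0050
# does not match CVE-2012-00500), non-zero otherwise.
cve_fixed() {
    printf '%s\n' "$2" | grep -qiw -- "$1"
}

# triage FINDINGS CHANGELOG_TEXT
# Prints one line per flagged CVE: "<cve>\tbackported" if the vendor changelog
# records a fix, "<cve>\tUNADDRESSED" if it is not mentioned at all.
triage() {
    findings=$1
    changelog=$2
    # CVE IDs contain no whitespace, so plain word splitting is safe here.
    for cve in $findings; do
        if cve_fixed "$cve" "$changelog"; then
            printf '%s\tbackported\n' "$cve"
        else
            printf '%s\tUNADDRESSED\n' "$cve"
        fi
    done
}

# count_unaddressed FINDINGS CHANGELOG_TEXT
# Prints how many flagged CVEs have no changelog entry; these are the ones
# that still need a real fix (or a documented reason why they do not apply).
count_unaddressed() {
    triage "$1" "$2" | grep -c 'UNADDRESSED'
}

# Stand-alone run: show the triage table and the number of open items.
triage "$SCAN_FINDINGS" "$CHANGELOG"
printf 'unaddressed: %s\n' "$(count_unaddressed "$SCAN_FINDINGS" "$CHANGELOG")"
```

The "backported" lines are what you hand to the auditors together with the erratum from the Red Hat CVE page; the "UNADDRESSED" lines are the genuine work items. Remember that this only tells you what the installed build claims to fix, so pair it with rpm -q to confirm the build on the host is the one the erratum names.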

Wouldn't it be great if the various security tools actually automated this and looked up the information themselves?
