PCI Compliance Issues - Connect IT Community | Kaseya
<main> <article class="userContent"> <h2 data-id="summary"><strong>SUMMARY</strong></h2> <p>PCI Compliance Issues</p> <h2 data-id="issue"><strong>ISSUE</strong></h2> <p>If Unitrends virtual backup appliances are failing to comply with some PCI requirements related to SMB/CIFS, you can update the [GLOBAL] section of smb.conf to include the required parameters.</p> <p>This file is located on each appliance VM in the /etc/samba directory.</p> <p>For example, the following parameters may need to be added or uncommented in the file:</p> <ul><li>map untrusted to domain = Yes</li> <li>client schannel = yes</li> <li>client use spnego = yes</li> <li>winbind enum users = yes</li> <li>winbind enum groups = yes</li> <li>winbind nested groups = yes</li> <li>winbind use default domain = yes</li> <li>winbind nss info = rfc2307</li> <li>winbind offline logon = yes</li> <li>winbind separator = +</li> <li>winbind refresh tickets = yes</li> <li>server signing = mandatory</li> <li>guest account = nobody123</li> <li>restrict anonymous = 1</li> </ul><p><strong>Note</strong>: Updating this file may result in issues creating CIFS file recovery objects.</p> <p>The following table lists Apache- and SSL-related vulnerabilities that may also show up in a compliance report, along with their resolutions.</p> <table><tbody><tr><td colspan="1" rowspan="1"> <p><strong>Vulnerability</strong></p> </td> <td colspan="1" rowspan="1"> <p><strong>Resolution</strong></p> </td> </tr><tr><td colspan="1" rowspan="1"> <p>Apache HTTPD: HTTP Trailers processing bypass (CVE-2013-5704)</p> </td> <td colspan="1" rowspan="1"> <p>This affects systems running mod_cgid. 
To disable this, log in to the appliance and use the following commands:</p> <p>sudo a2dismod cgid<br> service apache2 restart</p> </td> </tr><tr><td colspan="1" rowspan="1"> <p>Apache HTTPD: mod_status buffer overflow (CVE-2014-0226)</p> </td> <td colspan="1" rowspan="1">Only vulnerable if the system has a public-facing IP (which is not recommended).</td> </tr><tr><td colspan="1" rowspan="1"> <p>Apache HTTPD: XSS due to unescaped hostnames (CVE-2012-3499)</p> </td> <td colspan="1" rowspan="1">Only vulnerable if using mod_ldap (UVB does not use this).</td> </tr><tr><td colspan="1" rowspan="1">Apache HTTPD: XSS in mod_proxy_balancer (CVE-2012-4558)</td> <td colspan="1" rowspan="1">Only vulnerable if using mod_proxy_balancer (UVB does not use this).</td> </tr><tr><td colspan="1" rowspan="1">OpenSSL SSL/TLS MITM vulnerability (CVE-2014-0224)</td> <td colspan="1" rowspan="1">Upgrade OpenSSL to 1.0.1h.</td> </tr><tr><td colspan="1" rowspan="1"> <p>TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566)</p> </td> <td colspan="1" rowspan="1">Only vulnerable with a public-facing IP and 10 to the power of 24 active connections.</td> </tr><tr><td colspan="1" rowspan="1">Apache HTTPD: insecure LD_LIBRARY_PATH handling (CVE-2012-0883)</td> <td colspan="1" rowspan="1">Vulnerability requires public IP and root.</td> </tr><tr><td colspan="1" rowspan="1">Apache HTTPD: mod_rewrite log escape filtering (CVE-2013-1862)</td> <td colspan="1" rowspan="1">Only vulnerable if using mod_rewrite and SSL enabled (SSL is not enabled on the VBA by default).</td> </tr></tbody></table> </article> </main>
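<p>An added example, not part of the original article or of Unitrends' own tooling: a Python check that reports which of the [GLOBAL] parameters listed above are active, commented out, set to a different value, or missing in an smb.conf. The names audit_global, REQUIRED and SAMPLE are hypothetical, the sample configuration is constructed, and values are compared with a simple case-insensitive match.</p>

```python
import re
# The [global] parameters listed on this page, packed as name=value pairs.
REQUIRED = dict(p.split("=") for p in (
    "map untrusted to domain=Yes|client schannel=yes|client use spnego=yes|"
    "winbind enum users=yes|winbind enum groups=yes|winbind nested groups=yes|"
    "winbind use default domain=yes|winbind nss info=rfc2307|"
    "winbind offline logon=yes|winbind separator=+|winbind refresh tickets=yes|"
    "server signing=mandatory|guest account=nobody123|restrict anonymous=1"
).split("|"))

# Constructed sample input, not taken from a real appliance.
SAMPLE = """[global]
  server signing = auto
; restrict anonymous = 1
  Client Schannel = YES
[share]
  guest account = nobody123
"""

def _key(name):
    # Samba ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).casefold()

def audit_global(conf_text, required=REQUIRED):
    """Return {parameter: 'ok' | 'mismatch' | 'commented' | 'missing'}."""
    active, commented, in_global = {}, set(), False
    for line in map(str.strip, conf_text.splitlines()):
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            in_global = section.group(1).strip().casefold() == "global"
        if section or not in_global or "=" not in line:
            continue
        name, value = line.lstrip("#; \t").split("=", 1)
        if line[0] in "#;":
            commented.add(_key(name))  # present but disabled
        else:
            active[_key(name)] = value.strip()  # last active setting wins
    report = {}
    for name, want in required.items():
        k = _key(name)
        if k in active:
            report[name] = "ok" if active[k].casefold() == want.casefold() else "mismatch"
        else:
            report[name] = "commented" if k in commented else "missing"
    return report

if __name__ == "__main__":
    for name, status in audit_global(SAMPLE).items():
        print(f"{status:10} {name}")
```

<p>To check an appliance, pass the contents of /etc/samba/smb.conf to audit_global in place of SAMPLE.</p>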