Security Metrics PCI Compliance Changes and Fixes

Back in 2015, I did a Security Metrics scan on my site for PCI compliance, and noticed I had 3 new failures when they rescanned my site in early 2016.  What I suspect is that these tests were added:

Problem 1: TLS Version 1.0 Protocol Detection (PCI DSS)


Explanation:
Security Metrics is basically saying that accepting TLS 1.0 connections is a security vulnerability: PCI DSS 3.1 stopped treating SSL and early TLS as strong cryptography, so the scanner now flags any server that still negotiates TLS 1.0.

The remote service encrypts traffic using a protocol with known weaknesses.  The remote service accepts connections encrypted using TLS 1.0.

Fix:
If you are running apache, you might have a configuration parameter like this.
SSLProtocol all -SSLv2 -SSLv3

If you take a look at the docs here
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol

It says that ‘all’ is a shortcut for “+SSLv2 +SSLv3 +TLSv1” or – when using OpenSSL 1.0.1 and later – “+SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2”, respectively.

Change your apache config (on Debian/Ubuntu the SSLProtocol line usually lives in the SSL virtual host or in mods-enabled/ssl.conf; every vhost that sets its own SSLProtocol needs the same change) to
SSLProtocol all -SSLv2 -SSLv3 -TLSv1

Note that this only leaves TLS 1.1 and 1.2 enabled if mod_ssl is built against OpenSSL 1.0.1 or later. On an older OpenSSL, ‘all’ expands to SSLv2/SSLv3/TLSv1 only, and the line above would disable every protocol. TLS 1.1 has since been deprecated together with TLS 1.0 (RFC 8996), so on a current stack add -TLSv1.1 as well and leave only TLS 1.2 (plus TLS 1.3 where your Apache/OpenSSL supports it).

Check the configuration, reload Apache and then test the site with SSL Labs:
sudo apache2ctl configtest
sudo service apache2 reload
https://www.ssllabs.com/ssltest/

Verify that TLS 1.0 shows ‘No’ in the Protocols section and you are good to go.
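To see what a given SSLProtocol line actually leaves enabled before you touch a live server, here is an added example (mine, not from the original post or from Apache) that expands ‘all’ the way the mod_ssl docs above describe it and then applies the +/- tokens left to right. effective_protocols, probe_tls and the old/new OpenSSL switch are names invented for this example; probe_tls is a live check with openssl s_client and needs network access, the rest runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: expand an Apache 2.2 SSLProtocol
# directive the way the mod_ssl docs describe it, so you can see which protocols
# a given line really leaves enabled before changing a production server.
#
# "all" is "+SSLv2 +SSLv3 +TLSv1" when mod_ssl is built against OpenSSL older
# than 1.0.1, and "+SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2" with 1.0.1 or later.
# Tokens apply left to right: "-X" removes X, "+X" (or a bare X) adds X.

# effective_protocols "<SSLProtocol value>" <old|new>
#   old = OpenSSL before 1.0.1, new = OpenSSL 1.0.1 or later (the default)
# Prints the space-separated protocols that remain enabled (empty if none).
effective_protocols() {
    directive=$1
    generation=${2:-new}
    if [ "$generation" = "old" ]; then
        all="SSLv2 SSLv3 TLSv1"
    else
        all="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2"
    fi
    enabled=""
    for tok in $directive; do
        case $tok in
            all) enabled=$all ;;
            +*)  _add_proto "${tok#+}" ;;
            -*)  _remove_proto "${tok#-}" ;;
            *)   _add_proto "$tok" ;;
        esac
    done
    echo $enabled   # unquoted on purpose: collapses the list to single spaces
}

_add_proto() {     # append $1 to $enabled unless it is already there
    for p in $enabled; do
        [ "$p" = "$1" ] && return 0
    done
    enabled="$enabled $1"
}

_remove_proto() {  # drop exact matches only: "-TLSv1" must not touch TLSv1.1
    kept=""
    for p in $enabled; do
        [ "$p" = "$1" ] || kept="$kept $p"
    done
    enabled=$kept
}

# Live check against a real host (needs network; not exercised offline): one
# openssl s_client handshake per protocol version. A version your local openssl
# was built without also shows as "rejected", so keep your client version in mind.
probe_tls() {
    host=$1
    port=${2:-443}
    for proto in ssl3 tls1 tls1_1 tls1_2; do
        if printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" "-$proto" >/dev/null 2>&1; then
            echo "$proto: accepted"
        else
            echo "$proto: rejected"
        fi
    done
}

# The weak line from the post beside the corrected one, on both OpenSSL generations:
echo "all -SSLv2 -SSLv3         -> $(effective_protocols 'all -SSLv2 -SSLv3')"
echo "all -SSLv2 -SSLv3 -TLSv1  -> $(effective_protocols 'all -SSLv2 -SSLv3 -TLSv1')"
echo "same line, old OpenSSL    -> '$(effective_protocols 'all -SSLv2 -SSLv3 -TLSv1' old)'"
```

The third line is the trap: with an OpenSSL older than 1.0.1 the corrected directive leaves no protocol at all, and Apache will refuse HTTPS connections instead of just dropping TLS 1.0.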

Problem 2: SSH Diffie-Hellman Modulus <= 1024 Bits (Logjam)


Overview:
Security Metrics is saying here that your server accepts SSH key exchanges that use a Diffie-Hellman modulus of 1024 bits or less. diffie-hellman-group1-sha1 uses a fixed 1024-bit group, and the diffie-hellman-group-exchange-* methods will hand out a 1024-bit modulus if /etc/ssh/moduli still contains one. 1024-bit groups are the ones the Logjam research showed to be within reach of a well-resourced attacker.

The scanner's own wording: the remote SSH server allows connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits.

Fix:
First run this command from a host outside the server to verify the problem (-Pn skips host discovery, -p is the SSH port):

nmap -Pn [domain/ip] -p [port] --script ssh2-enum-algos

| ssh2-enum-algos:
|   kex_algorithms (8)
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1

Note here that the server is returning

  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group1-sha1

You can read this link for more info
https://stribika.github.io/2015/01/04/secure-secure-shell.html

To fix it, edit
/etc/ssh/sshd_config

and add

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

Because diffie-hellman-group-exchange-sha256 stays enabled, you also need to remove the small groups from /etc/ssh/moduli, as the stribika article above describes (the size is the fifth column, and a 2048-bit group is listed as 2047, so keep the lines whose size is above 2000); otherwise the scanner can still negotiate a 1024-bit modulus through group exchange. Keep your current SSH session open, check the new config with sudo sshd -t, and then run sudo restart ssh (Upstart) or sudo service ssh restart, and confirm a fresh login works before closing the old session.

From outside the box, rerun the command and note that the kex algorithms now come back as a smaller set.

nmap -Pn [domain/ip] -p [port] --script ssh2-enum-algos

|   kex_algorithms (2)
|       curve25519-sha256@libssh.org
|       diffie-hellman-group-exchange-sha256
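As an added example, not part of the original post or of stribika's article: a small script that classifies the kex methods in ssh2-enum-algos output against this finding and prunes an /etc/ssh/moduli file the way the article suggests. classify_kex, prune_moduli and harden_sshd are names invented here, both input samples are constructed for the example, and harden_sshd is the only part that touches the system (it is defined but not run).

```shell
#!/bin/sh
# Added example, not from the original post. Two helpers for the Logjam finding:
#   classify_kex  - reads `nmap --script ssh2-enum-algos` output on stdin and says
#                   which offered kex methods can end up with a <=1024-bit modulus
#   prune_moduli  - reads an /etc/ssh/moduli file on stdin and keeps only groups
#                   large enough that group exchange cannot pick a small one
# Both samples below are constructed for this example, not real scan output.

SAMPLE_NMAP='| ssh2-enum-algos:
|   kex_algorithms (8)
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms (2)
|       ssh-rsa
|       ssh-ed25519'

# One line per kex method: "<method> FAIL|CHECK|OK [<reason>]".
#   FAIL  - diffie-hellman-group1-sha1: fixed 1024-bit group, nothing to tune
#   CHECK - diffie-hellman-group-exchange-*: the client asks for a size and the
#           server picks a group from /etc/ssh/moduli, so it is only as strong
#           as the smallest entry left in that file
#   OK    - everything else here (group14 is a fixed 2048-bit group; the curve
#           methods have no modulus at all)
classify_kex() {
    awk '
        /^[|]   kex_algorithms/ { inkex = 1; next }
        inkex && /^[|]   [a-z_]+ \(/ { inkex = 0 }       # next nmap section
        inkex && /^[|]       / {
            alg = $2
            if (alg == "diffie-hellman-group1-sha1")
                print alg, "FAIL fixed 1024-bit modulus"
            else if (alg ~ /^diffie-hellman-group-exchange-/)
                print alg, "CHECK modulus chosen from /etc/ssh/moduli"
            else
                print alg, "OK"
        }'
}

# Constructed /etc/ssh/moduli excerpt. Columns: time type tests tries size generator modulus.
# The size column is one less than the nominal group size (a 2048-bit group shows as
# 2047), which is why the cut-off below is "> 2000" rather than ">= 2048". The modulus
# column is a placeholder here, not a real prime.
SAMPLE_MODULI='# Time Type Tests Tries Size Generator Modulus
20150101000000 2 6 100 1023 2 PLACEHOLDER
20150101000000 2 6 100 1535 2 PLACEHOLDER
20150101000000 2 6 100 2047 2 PLACEHOLDER
20150101000000 2 6 100 3071 5 PLACEHOLDER
20150101000000 2 6 100 4095 5 PLACEHOLDER'

# Keep comment lines and every group of 2048 bits and up.
prune_moduli() {
    awk '/^#/ { print; next } $5 > 2000 { print }'
}

# The fix on a real box (run as root; defined here but not invoked). Keep your
# current SSH session open until you have confirmed a new login works.
harden_sshd() {
    cp /etc/ssh/moduli /etc/ssh/moduli.bak
    prune_moduli < /etc/ssh/moduli.bak > /etc/ssh/moduli
    # never leave an empty moduli file behind: sshd would fall back to a built-in group
    if ! grep -q '^[0-9]' /etc/ssh/moduli; then
        cp /etc/ssh/moduli.bak /etc/ssh/moduli
        echo "no groups above 2000 bits; generate new ones with ssh-keygen -G / -T" >&2
        return 1
    fi
    grep -q '^KexAlgorithms' /etc/ssh/sshd_config ||
        echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
    sshd -t && service ssh restart
}

printf '%s\n' "$SAMPLE_NMAP" | classify_kex
printf '%s\n' "$SAMPLE_MODULI" | prune_moduli
```

On the sample above the classifier flags group1 as a hard failure and both group-exchange methods as depending on the moduli file, which is exactly why the KexAlgorithms change alone is not enough to clear the finding.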

Problem 3: Web Application Potentially Vulnerable to Clickjacking

Synopsis:
The remote web server may fail to mitigate a class of web application vulnerabilities.

Impact:
The remote web server does not set an X-Frame-Options response header in all content responses.

Fix:
The fix for this is pretty easy, as described at https://geekflare.com/secure-apache-from-clickjacking-with-x-frame-options/

Make sure mod_headers is enabled (sudo a2enmod headers on Debian/Ubuntu), then in apache2.conf (or the relevant virtual host) put

Header always set X-Frame-Options "SAMEORIGIN"

Use ‘always’ so that error responses (404, 500 and so on) carry the header too, which is what the scanner's “all content responses” means, and ‘set’ rather than ‘append’ so that a second directive elsewhere in the config cannot leave you with a combined value such as “SAMEORIGIN, DENY”, which browsers treat as invalid and ignore. Header names are case-insensitive, so X-FRAME-OPTIONS works as well, but the canonical spelling is X-Frame-Options.

Reload your server, then verify by going to
http://web-sniffer.net/

and ensure X-Frame-Options is returned in the response headers.
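If you would rather check from the command line than through web-sniffer, here is an added example (mine, not from the original post or the geekflare article) that inspects captured response headers for a usable X-Frame-Options value. check_xfo and probe_xfo are names invented for this example, the three responses are constructed, and only probe_xfo (a curl wrapper) needs network access.

```shell
#!/bin/sh
# Added example, not from the original post: check a captured HTTP response for a
# usable X-Frame-Options header. check_xfo reads raw response headers on stdin,
# prints one PASS/FAIL line and returns 0 or 1. The three responses below are
# constructed for this example, not captured from a real server.

# Header names are case-insensitive and there may be more than one X-Frame-Options
# line, or a comma-joined value produced by "Header append", so all values are
# collected. Browsers only honour a single consistent DENY or SAMEORIGIN; a
# conflicting list such as "SAMEORIGIN, DENY" is treated as invalid and the page
# can be framed, so this check is strict and accepts exactly one value.
check_xfo() {
    values=$(tr -d '\r' | awk -F': *' 'tolower($1) == "x-frame-options" { v = v (v == "" ? "" : ",") $2 } END { print v }')
    values=$(printf '%s' "$values" | tr -d '" ' | tr '[:lower:]' '[:upper:]')
    case $values in
        DENY|SAMEORIGIN) echo "PASS X-Frame-Options: $values"; return 0 ;;
        "")              echo "FAIL X-Frame-Options header missing"; return 1 ;;
        *)               echo "FAIL X-Frame-Options value not usable: $values"; return 1 ;;
    esac
}

# Live check (needs network; not exercised offline). -D - writes the response
# headers to stdout and -o /dev/null discards the body. Try a URL that 404s as
# well, since the scanner looks at all responses, not only the front page.
probe_xfo() {
    curl -s -D - -o /dev/null "$1" | check_xfo
}

# Constructed responses. The first uses CRLF line endings like a real server.
GOOD_RESPONSE=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Frame-Options: SAMEORIGIN\r\nContent-Type: text/html\r\n')

MISSING_RESPONSE='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html'

# what two "Header append" directives with different values produce
CONFLICT_RESPONSE='HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN, DENY
Content-Type: text/html'

printf '%s\n' "$GOOD_RESPONSE" | check_xfo
printf '%s\n' "$MISSING_RESPONSE" | check_xfo || true
printf '%s\n' "$CONFLICT_RESPONSE" | check_xfo || true
```

The missing case is the one the scanner reports; the conflict case is what you get when the header is appended in more than one place, which is why the config above uses ‘set’.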

Rescan your site and you should be good to go for security metrics pci compliance!