PaulDotCom mailing list archives

CVE-2009-3555 and PCI Compliance


From: jackadaniel at gmail.com (Jack Daniel)
Date: Mon, 21 Dec 2009 08:27:06 -0500

AAAAAAAUUUUGGGGHHH!

<RANT>
If anyone "fails" you on an assessment without providing guidance on
resolution/remediation/mitigation, your payment to them should "fail"
to appear.  Who was this, those (in my personal *opinion*) monkey
sodomizing rat bastards at Security Metrics?  Or just another Qualys
scan pusher without a clue or care?

I believe the appropriate questions are things like "what is exposed
by this", "what are the likelihood and impacts of compromise", "can we
mitigate a fundamental flaw in the protocol with additional
processes", etc?

I'm still explaining to idiots like this why TCP 587 is listening on
mail servers.
</RANT>

As far as mitigation, maybe a patched proxy in front of the SSL/TLS
device(s) could handle it?  Or maybe nothing significant is actually
exposed by this?

<SHAMELESS SELF PROMOTION>
This kind of crap is what led me to get involved in an ongoing PCI DSS
conversation with a bunch of people- podcasts, articles, and talks to
come.  I'll be on a panel at Shmoocon with some folks who actually
know what they're talking about, we'll be discussing the realities of
PCI and its impact on our industry.
</SHAMELESS SELF PROMOTION>

Who, me, too much caffeine? Nah.

Jack


-- 
______________________________________
Jack Daniel, Reluctant CISSP
http://twitter.com/jack_daniel
http://www.linkedin.com/in/jackadaniel
http://blog.uncommonsensesecurity.com




On Mon, Dec 21, 2009 at 5:09 AM, Monkey Daemon
<monkeywebdaemon at googlemail.com> wrote:
Hi All,

I've been speaking to a family member over the weekend who works in a
similar line of work to myself and we got to talking about PCI
Compliance.

He's just had a quarterly scan performed and he failed it owing to the
issues with Session Negotiation when using SSL/TLS. The problem he
has is that he's running Linux and not only has his distro not
released packages for OpenSSL 0.9.8l but the distro vendor is refusing
to issue a patch stating that as it's an issue with the underlying
protocol there is no point.

Does anyone have a fix to this other than "compile your own SSL with
negotiation switched off and hope nothing breaks"?

I'm now concerned that when our scan comes around early next year we
will also fail.

Cheers,

MWD.
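Before disputing or accepting a scanner's CVE-2009-3555 finding, it helps to see what the server itself advertises. The script below is an added example, not part of this thread or either poster's message. It wraps `openssl s_client` and classifies its "Secure Renegotiation IS / IS NOT supported" status line, which the client prints once the local OpenSSL implements RFC 5746 (0.9.8m and later; 0.9.8l, mentioned in the thread, predates it and simply disabled renegotiation). The sample transcripts are constructed, and `probe_host` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not code from the thread: check what a TLS endpoint advertises
# for renegotiation before acting on a CVE-2009-3555 scan result. Relies on the
# "Secure Renegotiation IS/IS NOT supported" line that OpenSSL's s_client prints
# when the client side implements RFC 5746 (assumption: OpenSSL 0.9.8m or later
# is installed locally; older builds print no such line).

# classify_renego: read an s_client transcript on stdin and print one word.
#   secure   - peer advertises the RFC 5746 renegotiation_info extension
#   insecure - peer does not; any renegotiation it still permits is the CVE-2009-3555 case
#   unknown  - no status line (handshake failed, or local OpenSSL predates RFC 5746)
classify_renego() {
  transcript=$(cat)
  case "$transcript" in
    *"Secure Renegotiation IS NOT supported"*) echo insecure ;;
    *"Secure Renegotiation IS supported"*)     echo secure ;;
    *)                                         echo unknown ;;
  esac
}

# probe_host HOST PORT: run the real probe (needs network and the openssl CLI).
# -servername sends SNI so name-based virtual hosts answer as the right site.
probe_host() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null | classify_renego
}

# Constructed, abridged s_client transcripts (not captured from any real host)
# so the classifier can be exercised offline.
SAMPLE_SECURE='CONNECTED(00000003)
---
SSL handshake has read 2832 bytes and written 432 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported
Compression: NONE
---'

SAMPLE_INSECURE='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported
---'

if [ "$#" -eq 2 ]; then
  # Usage: sh check_renego.sh www.example.com 443
  probe_host "$1" "$2"
else
  printf 'sample (secure):   %s\n' "$(printf '%s' "$SAMPLE_SECURE"   | classify_renego)"
  printf 'sample (insecure): %s\n' "$(printf '%s' "$SAMPLE_INSECURE" | classify_renego)"
fi
```

A "secure" result means the server has the RFC 5746 fix, which is the durable answer to the scanner. An "insecure" result covers both a server that still allows the old-style renegotiation and one running a build like 0.9.8l that refuses renegotiation altogether (the interim mitigation the thread describes); this status line alone cannot tell those two apart, so the finding should be read together with the server's actual OpenSSL version and configuration.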

