SO MANY SECURITY ISSUES!! Sentora needs serious updates!
So, I've just had the plug pulled by Braintree because apparently my server configuration doesn't meet the PCI (Payment Card Industry) standards.

MOST of this is due to outdated services running Sentora. For example, here's one of the reasons, which I DO NOT understand a word of.

Quote: ISC BIND 9 < 9.9.10-P2 / 9.9.10-S3 / 9.10.5-P2 / 9.10.5-S3 / 9.11.1-P2 Multiple Vulnerabilities

Synopsis:
The remote name server is affected by multiple vulnerabilities.

Impact:
According to its self-reported version, the instance of ISC BIND 9 running on the remote name server is 9.9.x prior to 9.9.10-P2 or 9.9.10-S3, 9.10.x prior to 9.10.5-P2 or 9.10.5-S3, or 9.11.x prior to 9.11.1-P2. It is, therefore, affected by multiple vulnerabilities:

- A flaw exists in the Transaction Signature (TSIG) authentication implementation when handling received messages. An unauthenticated, remote attacker can exploit this, via a specially crafted request packet, to circumvent TSIG authentication of AXFR requests. Note that to exploit this issue the attacker must be able to send and receive messages to an authoritative DNS server and have knowledge of a valid TSIG key name. (CVE-2017-3142)
- A flaw exists in the Transaction Signature (TSIG) authentication implementation when handling messages. An unauthenticated, remote attacker can exploit this to manipulate BIND into accepting an unauthorized dynamic update. Note that to exploit this issue the attacker must be able to send and receive messages to an authoritative DNS server and have knowledge of a valid TSIG key name for the zone and service being targeted. (CVE-2017-3143)

Note that SecurityMetrics has not tested for these issues but has instead relied only on the application's self-reported version number.

See also:
https://kb.isc.org/article/AA-01503
https://kb.isc.org/article/AA-01504
https://kb.isc.org/article/AA-01505
https://kb.isc.org/article/AA-01506
https://kb.isc.org/article/AA-01507
https://kb.isc.org/article/AA-01508
https://kb.isc.org/article/AA-01509

Resolution:
Upgrade to ISC BIND version 9.9.10-P2 / 9.9.10-S3 / 9.10.5-P2 / 9.10.5-S3 / 9.11.1-P2 or later.

Data Received:
Installed version : 9.9.5-3ubuntu0.18-Ubuntu
Fixed version : 9.9.10-P2 / 9.9.10-S3 / 9.10.5-P2 / 9.10.5-S3 / 9.11.1-P2

or what about this:
Quote: ProFTPD < 1.3.5b / 1.3.6x < 1.3.6rc2 weak Diffie-Hellman key

Synopsis:

The remote FTP server is affected by a Denial of Service vulnerability.

Impact:
The remote host is using ProFTPD, a free FTP server for Unix and Linux. According to its banner, the version of ProFTPD installed on the remote host is prior to 1.3.5b or 1.3.6x prior to 1.3.6rc2 and is affected by an issue in the mod_tls module, which might cause a weaker than intended Diffie-Hellman key to be used. See also : http://bugs.proftpd.org/show_bug.cgi?id=4230

Resolution:
Upgrade to ProFTPD version 1.3.5b / 1.3.6rc2 or later.

Data Received:
Version source : 220 ProFTPD 1.3.5rc3 Server (Sentora FTP Server) [::ffff:162.212.158.34]
Installed version : 1.3.5rc3
Fixed version : 1.3.5b / 1.3.6rc2

Here's another example:

Quote: FTP Supports Cleartext Authentication

Synopsis:

Authentication credentials might be intercepted.

Impact:
The remote FTP server allows the user's name and password to be transmitted in cleartext, which could be intercepted by a network sniffer or a man-in-the-middle attack.

Resolution:
Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the server so that control connections are encrypted.

Data Received:
This FTP server does not support 'AUTH TLS'.

The results of this security scan provided by "Security Metrics" totalled a 41 page PDF file with TOO many vulnerabilities so they blocked my ability to make any transactions using my website(s).

You guys at Sentora seem so caught up in this issue with Suhosin, to the point where you're happy enough to just let us sit on an old OS with multiple out of date issues with no updates or support for years... what's going on guys? Are you even working on getting this service up and running again or not?

I need an answer, I cannot waste time waiting for this damn suhosin to get compiled which CLEARLY is not going to happen, just sounds like an excuse to me.

If a "developer" from here wants the PDF let me know. But you guys need to get this together, otherwise it's just an insecure, messy platform.
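As an added example (not from the post, the scanner or Sentora), here is an offline Python check that reproduces the two banner-based judgements quoted above: it orders ProFTPD version strings so that release candidates sort before the final release and letter suffixes after it (1.3.5rc3 < 1.3.5 < 1.3.5a < 1.3.5b), compares against the fixed versions the scan lists, and looks for AUTH TLS in a FEAT reply. The banner and FEAT replies are constructed samples; as the scan itself notes, a banner check says nothing about distro-backported fixes.

```python
import re

# Constructed sample banner, shaped like the one quoted in the scan report.
SAMPLE_BANNER = "220 ProFTPD 1.3.5rc3 Server (Sentora FTP Server) [::ffff:203.0.113.10]"
# Constructed FEAT replies: one without and one with an advertised AUTH TLS.
SAMPLE_FEAT_NO_TLS = "211-Features:\r\n MDTM\r\n REST STREAM\r\n SIZE\r\n211 End\r\n"
SAMPLE_FEAT_TLS = "211-Features:\r\n AUTH TLS\r\n PBSZ\r\n PROT\r\n211 End\r\n"

_VERSION_RE = re.compile(r"ProFTPD (\d+)\.(\d+)\.(\d+)(rc(\d+)|[a-z])?")


def parse_proftpd_version(banner):
    """Return a sortable tuple (major, minor, patch, stage, sub), or None if
    the banner is not ProFTPD.  stage: 0 = release candidate, 1 = final
    release, 2 = lettered post-release fix, so 1.3.5rc3 < 1.3.5 < 1.3.5b."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    suffix = m.group(4)
    if suffix is None:
        stage, sub = 1, 0
    elif suffix.startswith("rc"):
        stage, sub = 0, int(m.group(5))
    else:
        stage, sub = 2, ord(suffix) - ord("a") + 1
    return (major, minor, patch, stage, sub)


# Fixed versions exactly as the scan lists them: 1.3.5b, and 1.3.6rc2 for the 1.3.6 line.
FIXED_135 = parse_proftpd_version("ProFTPD 1.3.5b")
FIXED_136 = parse_proftpd_version("ProFTPD 1.3.6rc2")


def weak_dh_by_banner(banner):
    """Banner-only verdict for the weak Diffie-Hellman finding (None if not ProFTPD).
    Anything below 1.3.5b, or a 1.3.6 build below 1.3.6rc2, is flagged."""
    v = parse_proftpd_version(banner)
    if v is None:
        return None
    if v[:3] == FIXED_136[:3]:
        return v < FIXED_136
    return v < FIXED_135


def supports_auth_tls(feat_reply):
    """True if the multi-line FEAT reply advertises an AUTH mechanism naming TLS.
    Assumption: the server lists AUTH in FEAT; a live probe could also send AUTH TLS."""
    for line in feat_reply.splitlines()[1:-1]:          # skip "211-" and "211 End"
        feature = line.strip().upper()
        if feature.startswith("AUTH ") and "TLS" in feature:
            return True
    return False
```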
Messages In This Thread
SO MANY SECURITY ISSUES!! Sentora needs serious updates! - by aaronlroberts - 11-15-2018, 06:21 AM