
PCI Certification Network Vulnerability Fail



Right, I have found all of the details, here they are:

 

 

Web Application Transmits Login Credentials Without Encryption

 

Description: There is a web application running on this host that transmits login credentials over HTTP, which is a clear-text protocol. As such, if an attacker was able to intercept traffic containing login credentials, it would be trivial to view user account and password information.

 

Remediation:  All web application communications containing sensitive information should be transmitted using SSL/TLS (HTTPS). If re-direction from HTTP to HTTPS is utilized in an attempt to remediate this finding, please ensure that such redirection occurs on the server side of the system (for example via the use of the HTTP "Location" header element) and that redirection is not reliant upon the client (browser) side.

 

 

Unencrypted Communication Channel Accessibility

On ports: 21, 25, 26, 110, 143

Description: The service running on this port appears to make use of a plaintext (unencrypted) communication channel. The PCI DSS forbids the use of such insecure services/protocols. Unencrypted communication channels are vulnerable to the disclosure and/or modification of any data transiting through them (including usernames and passwords), and as such the confidentiality and integrity of the data in transit cannot be ensured with any level of certainty.

 

Remediation:  Transition to using more secure alternatives such as SSH instead of Telnet and SFTP in favor of FTP, or consider wrapping less secure services within more secure technologies by utilizing the benefits offered by VPN, SSL/TLS, or IPSec for example. Also, limit access to management protocols/services to specific IP addresses (usually accomplished via a "whitelist") whenever possible.

 

 

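The two findings quoted above are the kind of thing an ASV probe decides from a handful of bytes on the wire, so here is an added example (not the scanner's code and not PrestaShop code) that makes the checks concrete. It runs offline on constructed sample responses; the host name shop.example, the mail banner mail.example and all capability replies are made up for illustration. The first half shows the server-side redirect the first remediation asks for (a 3xx status plus a Location header pointing at https://) and why a meta refresh does not count; the second half probes the capability replies of the five flagged ports for a TLS upgrade (AUTH TLS, STARTTLS, STLS).

```python
"""Offline checks for the two scan findings quoted in the thread.

Added example, not the scanner's or PrestaShop's code. It works on raw
response bytes, so the same functions can be fed what a real socket returns;
here the inputs are constructed samples so the script runs without a host.
"""
import re
from typing import Dict

# --- Finding 1: "Web Application Transmits Login Credentials Without Encryption" ---

def http_redirect_is_server_side(raw: bytes) -> bool:
    """True only for the remediation the report asks for: a 3xx status with a
    Location header whose target is https://. A 200 page that redirects via
    <meta http-equiv="refresh"> or JavaScript is client-side and does not count:
    a client that ignores it (or an attacker on the path who strips it) still
    gets the login form over plaintext HTTP."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].split()
    if len(status) < 2 or not status[1].startswith(b"3"):
        return False
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"location":
            return value.strip().lower().startswith(b"https://")
    return False

def https_redirect_response(host: str, path: str) -> bytes:
    """The response an HTTP listener should send instead of serving the login page."""
    return (
        "HTTP/1.1 301 Moved Permanently\r\n"
        f"Location: https://{host}{path}\r\n"
        "Content-Length: 0\r\nConnection: close\r\n\r\n"
    ).encode()

# Constructed: a client-side redirect as it appears on the wire (fails the check).
META_REFRESH = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b'<meta http-equiv="refresh" content="0;url=https://shop.example/login">'
)

# --- Finding 2: "Unencrypted Communication Channel Accessibility" on 21, 25, 26, 110, 143 ---
# Per port: the command whose reply lists capabilities, and the token that
# advertises a TLS upgrade for that protocol.
UPGRADE = {
    21:  ("FEAT",       re.compile(rb"^[ \t]*AUTH (TLS|SSL)\b", re.M)),  # FTP, RFC 4217
    25:  ("EHLO",       re.compile(rb"^250[- ]STARTTLS\b", re.M)),       # SMTP, RFC 3207
    26:  ("EHLO",       re.compile(rb"^250[- ]STARTTLS\b", re.M)),       # alternate SMTP port
    110: ("CAPA",       re.compile(rb"^STLS\r?$", re.M)),                # POP3, RFC 2595
    143: ("CAPABILITY", re.compile(rb"\bSTARTTLS\b")),                    # IMAP, RFC 2595
}

def upgrade_offered(port: int, reply: bytes) -> bool:
    """Does the capability reply advertise a TLS upgrade for this port's protocol?"""
    _cmd, pattern = UPGRADE[port]
    return pattern.search(reply) is not None

# Constructed capability replies, as a plaintext probe would receive them.
# Ports 26 and 143 deliberately offer no upgrade at all.
SAMPLE_REPLIES = {
    21:  b"211-Features:\r\n AUTH TLS\r\n PBSZ\r\n PROT\r\n UTF8\r\n211 End\r\n",
    25:  b"250-mail.example\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n",
    26:  b"250-mail.example\r\n250-PIPELINING\r\n250 8BITMIME\r\n",
    110: b"+OK Capability list follows\r\nTOP\r\nUSER\r\nSTLS\r\n.\r\n",
    143: b"* CAPABILITY IMAP4rev1 LITERAL+ AUTH=PLAIN\r\na001 OK done\r\n",
}

def audit(replies: Dict[int, bytes]) -> Dict[int, bool]:
    """Port -> whether an encrypted alternative is even advertised on it."""
    return {port: upgrade_offered(port, reply) for port, reply in replies.items()}

if __name__ == "__main__":
    good = https_redirect_response("shop.example", "/login")
    print("301 + Location is server-side:", http_redirect_is_server_side(good))
    print("meta refresh is server-side:  ", http_redirect_is_server_side(META_REFRESH))
    for port, ok in audit(SAMPLE_REPLIES).items():
        print(f"port {port}: {'TLS upgrade advertised' if ok else 'plaintext only'}")
```

Note the limit of the second check: the finding is about the plaintext channel being reachable at all, and the remediation text asks for the encrypted replacement (SFTP, SSH, TLS-wrapped mail) or for access to be restricted, not merely for an upgrade to be advertised. The audit only tells you which of the flagged services already have an encrypted mode to move to; the ones that come back "plaintext only" (here the constructed ports 26 and 143) are the hosting provider's to reconfigure or close.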

For the first one, you need to ensure you have an SSL certificate installed, and that all your page requests are using it. Again, they are not providing exactly which resource, so I cannot say whether this is Prestashop or some other web application you might have installed.

 

For the second one, that is not related to Prestashop in any way. You should speak with your hosting company about remediating those ports.


Here is the "evidence" of each test:

 

Unencrypted Communication Channel Accessibility

Port 21: (screenshot attachment, not reproduced)

Port 25: (screenshot attachment, not reproduced)

Port 26: (screenshot attachment, not reproduced)

Port 110: (screenshot attachment, not reproduced)

Port 143: (screenshot attachment, not reproduced)

 

Web Application Transmits Login Credentials Without Encryption

Port 2077: (screenshot attachment, not reproduced)

 

Does any of this pertain to Prestashop?


As I said before, take up the port issues with your hosting provider; that has nothing to do with Prestashop.

 

Port 2077 also has nothing to do with Prestashop. You have something else installed (perhaps the server's control panel?) that is listening on that port. Again, this is an issue for your hosting provider to resolve.
