1. Unitrends
  2. Unitrends Virtual Backup
  3. Unitrends Virtual Backup

PCI Compliance Issues

SUMMARY

PCI Compliance Issues

ISSUE

If Unitrends virtual backup appliances are failing to comply with some PCI requirements related to SMB/CIFS, you can update the smb.conf [GLOBAL] section to include the required parameters.

This file is located on each appliance VM in the /etc/samba directory.

For example, the following parameters may need to be added or uncommented in the file:

  • map untrusted to domain = Yes
  • client schannel = yes
  • client use spnego = yes
  • winbind enum users = yes
  • winbind enum groups = yes
  • winbind nested groups = yes
  • winbind use default domain = yes
  • winbind nss info = rfc2307
  • winbind offline logon = yes
  • winbind separator = +
  • winbind refresh tickets = yes
  • server signing = mandatory
  • guest account = nobody123
  • restrict anonymous = 1

 Note: Updating this file may result in issues creating CIFS file recovery objects.

 

The following table includes Apache and SSL related vulnerabilities that may also show up in a compliance report and resolutions.

Vulnerability

Resolution

Apache HTTPD: HTTP Trailers processing bypass (CVE-2013-5704)

This affects systems running mod_cgid. To disable this, log in to the appliance and use the following commands:


sudo a2dismod cgid
service apache2 restart
 

Apache HTTPD: mod_status buffer overflow (CVE-2014-0226)

Only vulnerable if system has public facing IP (which is not recommended).
 

Apache HTTPD: XSS due to unescaped hostnames (CVE-2012-3499)

Only vulnerable if using mod_ldap (UVB does not use this).
 
Apahe HTTPD: XSS in mod_proxy_balancer (CVE-2012-4558)
 		Only vulnerable if using mod_proxy_balancer (UVB does not use this).
OpenSSL SSL/TLS MITM vulnerability (CVE-2014-0224)Upgrade OpenSSL to 1.0.1h.

TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566)

 

Only vulnerable if public facing IP and 10 to the power of 24 active connections.
Apache HTTPD: insecure LD_LIBRARY_PATH handling (CVE-2012-0883)Vunerability requires public IP and root.
Apache HTTPD: mod_rewrite log escape filtering (CVE-2013-1862)Only vulnerable if using mod_rewrite and SSL enabled (SSL is not enabled on the VBA by default).

 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Contact us

Browse this section

See more