PCI Compliance Issues
If Unitrends virtual backup appliances are failing to comply with some PCI requirements related to SMB/CIFS, you can update the smb.conf [GLOBAL] section to include the required parameters.
This file is located on each appliance VM in the /etc/samba directory.
For example, the following parameters may need to be added or uncommented in the file:
- map untrusted to domain = Yes
- client schannel = yes
- client use spnego = yes
- winbind enum users = yes
- winbind enum groups = yes
- winbind nested groups = yes
- winbind use default domain = yes
- winbind nss info = rfc2307
- winbind offline logon = yes
- winbind separator = +
- winbind refresh tickets = yes
- server signing = mandatory
- guest account = nobody123
- restrict anonymous = 1
Note: Updating this file may result in issues creating CIFS file recovery objects.
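A read-only check of the [GLOBAL] section against the parameter list above, added here as an example (it is not Unitrends code). The function names and the sample configuration are constructed for illustration, and lines continued with a trailing backslash are not handled.

```python
import re

REQUIRED = {  # parameters and values exactly as listed on this page
    "map untrusted to domain": "Yes", "client schannel": "yes", "client use spnego": "yes",
    "winbind enum users": "yes", "winbind enum groups": "yes", "winbind nested groups": "yes",
    "winbind use default domain": "yes", "winbind nss info": "rfc2307",
    "winbind offline logon": "yes", "winbind separator": "+", "winbind refresh tickets": "yes",
    "server signing": "mandatory", "guest account": "nobody123", "restrict anonymous": "1",
}
CASE_SENSITIVE = {"guest account"}  # account names are compared exactly

def _norm(name):  # Samba ignores case and spaces in parameter names
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalized name: value} for active lines in [global]."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank, or commented out and therefore inactive
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[_norm(name)] = value.strip()
    return params

def audit(text):
    """Return {parameter: finding} for each listed parameter not satisfied."""
    have, findings = parse_global(text), {}
    for name, want in REQUIRED.items():
        got = have.get(_norm(name))
        if got is None:
            findings[name] = "missing or commented out"
        elif got != want and (name in CASE_SENSITIVE or got.lower() != want.lower()):
            findings[name] = f"is {got!r}, expected {want!r}"
    return findings

# Constructed sample, not taken from a real appliance.
SAMPLE = """[global]
   client schannel = yes
   Client Use SPNEGO = Yes
;  server signing = mandatory
   restrict anonymous = 0
[share]
   server signing = mandatory
"""
```

Pass the contents of /etc/samba/smb.conf to `audit()` before and after editing; Samba's own `testparm -s` prints the configuration as the daemon parses it.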
The following table lists Apache- and SSL-related vulnerabilities that may also appear in a compliance report, along with their resolutions.
|Vulnerability|Resolution|
|---|---|
|Apache HTTPD: HTTP Trailers processing bypass (CVE-2013-5704)|This affects systems running mod_cgid. To disable this, log in to the appliance and use the following commands:|
|Apache HTTPD: mod_status buffer overflow (CVE-2014-0226)|Only vulnerable if system has public-facing IP (which is not recommended).|
|Apache HTTPD: XSS due to unescaped hostnames (CVE-2012-3499)|Only vulnerable if using mod_ldap (UVB does not use this).|
|Apache HTTPD: XSS in mod_proxy_balancer (CVE-2012-4558)|Only vulnerable if using mod_proxy_balancer (UVB does not use this).|
|OpenSSL SSL/TLS MITM vulnerability (CVE-2014-0224)|Upgrade OpenSSL to 1.0.1h.|
|TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566)|Only vulnerable if public-facing IP and 10 to the power of 24 active connections.|
|Apache HTTPD: insecure LD_LIBRARY_PATH handling (CVE-2012-0883)|Vulnerability requires public IP and root.|
|Apache HTTPD: mod_rewrite log escape filtering (CVE-2013-1862)|Only vulnerable if using mod_rewrite and SSL enabled (SSL is not enabled on the VBA by default).|