Nick Bright
2015-Oct-21 18:58 UTC
[CentOS] Security implications of openssl098e on CentOS 7
On 10/21/2015 1:55 PM, Andrew Holway wrote:
> Personally I would go round to that particular vendor's office with a pipe
> wrench and encourage them to do better; however, unless this software is
> transmitting credit card information then it seems that you could be
> safe(ish) from the regulation standpoint. It really depends on the location
> of the machine. Is it deep in the bowels of your high security nuclear
> bunker on an air gap network or is it merrily accepting incoming traffic
> from China? Is the software using an appropriate SELinux policy or is it
> running unconfined or with SELinux turned off?
>
> It seems the PCI-DSS describes a set of simple rules to get IT managers
> thinking but they are somewhat open to interpretation. Are you abiding by
> the spirit of the regulations?

The particular software requiring 0.9.8 is performing backups of the system to a remote data center.

My concern is that, with the compatibility package installed, could this present vulnerabilities or compliance problems in Apache?

--
Nick Bright
Vice President of Technology
Valnet -=- We Connect You -=-
Tel 888-332-1616 x 315 / Fax 620-331-0789
Web http://www.valnet.net/
Are your files safe? Valnet Vault - Secure Cloud Backup
More information & 30 day free trial at http://www.valnet.net/services/valnet-vault

This email message and any attachments are intended solely for the use of the addressees hereof. This message and any attachments may contain information that is confidential, privileged and exempt from disclosure under applicable law. If you are not the intended recipient of this message, you are prohibited from reading, disclosing, reproducing, distributing, disseminating or otherwise using this transmission. If you have received this message in error, please promptly notify the sender by reply E-mail and immediately delete this message from your system.
Andrew Holway
2015-Oct-21 19:16 UTC
[CentOS] Security implications of openssl098e on CentOS 7
I would guess the only way to ascertain that is with some rigorous testing. Personally I would find an alternative backup method.

On 21 October 2015 at 13:58, Nick Bright <nick.bright at valnet.net> wrote:
> On 10/21/2015 1:55 PM, Andrew Holway wrote:
>
>> Personally I would go round to that particular vendor's office with a pipe
>> wrench and encourage them to do better; however, unless this software is
>> transmitting credit card information then it seems that you could be
>> safe(ish) from the regulation standpoint. It really depends on the
>> location of the machine. Is it deep in the bowels of your high security nuclear
>> bunker on an air gap network or is it merrily accepting incoming traffic
>> from China? Is the software using an appropriate SELinux policy or is it
>> running unconfined or with SELinux turned off?
>>
>> It seems the PCI-DSS describes a set of simple rules to get IT managers
>> thinking but they are somewhat open to interpretation. Are you abiding by
>> the spirit of the regulations?
>>
> The particular software requiring 0.9.8 is performing backups of the
> system to a remote data center.
>
> My concern is that, with the compatibility package installed, could this
> present vulnerabilities or compliance problems in Apache?
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
m.roth at 5-cent.us
2015-Oct-21 19:18 UTC
[CentOS] Security implications of openssl098e on CentOS 7
Nick Bright wrote:
> On 10/21/2015 1:55 PM, Andrew Holway wrote:
>> Personally I would go round to that particular vendor's office with a
>> pipe wrench and encourage them to do better; however, unless this
<snip>
>> It seems the PCI-DSS describes a set of simple rules to get IT managers
>> thinking but they are somewhat open to interpretation. Are you abiding
>> by the spirit of the regulations?
> The particular software requiring 0.9.8 is performing backups of the
> system to a remote data center.
>
> My concern is that, with the compatibility package installed, could this
> present vulnerabilities or compliance problems in Apache?

Question: is the b/u software pulling, or pushing? If the latter, I think you could run it for the one IP that they back up to, and not as a daemon, and outbound only.

And then I'd tell them that the backup site was insecure, and not meeting requirements, and that you'd stand 5cm in front of your manager's desk, and tell him that y'all needed to look for a new vendor, one that wasn't helping crackers get into your backup data.

mark
Yamaban
2015-Oct-21 19:20 UTC
[CentOS] Re: Security implications of openssl098e on CentOS 7
On Wed, 21 Oct 2015 20:58, Nick Bright <nick.bright at ...> wrote:
> On 10/21/2015 1:55 PM, Andrew Holway wrote:
>> Personally I would go round to that particular vendor's office with a pipe
>> wrench and encourage them to do better; however, unless this software is
>> transmitting credit card information then it seems that you could be
>> safe(ish) from the regulation standpoint. It really depends on the location
>> of the machine. Is it deep in the bowels of your high security nuclear
>> bunker on an air gap network or is it merrily accepting incoming traffic
>> from China? Is the software using an appropriate SELinux policy or is it
>> running unconfined or with SELinux turned off?
>>
>> It seems the PCI-DSS describes a set of simple rules to get IT managers
>> thinking but they are somewhat open to interpretation. Are you abiding by
>> the spirit of the regulations?
> The particular software requiring 0.9.8 is performing backups of the system to
> a remote data center.
>
> My concern is that, with the compatibility package installed, could this
> present vulnerabilities or compliance problems in Apache?

TL;DR: Preload openssl from a non-standard location for the closed-source app only.

Hmm, how about taking the content of the openssl098e package, putting it into a directory relative to the closed-source software (e.g. /opt), and creating a wrapper script, similar to the following example:

[code]
#!/usr/bin/bash
# This is a wrapper for app to use openssl 0.9.8 (unsafe)
# app is in /opt/app/
# app starter is /opt/app/bin/starter
# ssl098e libs are in /opt/openssl098/
export LD_LIBRARY_PATH=/opt/openssl098/
# ${1+"$@"} expands only if at least $1 is present
exec /opt/app/bin/starter ${1+"$@"}
[/code]

YMMV - Yamaban.
Gordon Messmer
2015-Oct-21 20:24 UTC
[CentOS] Security implications of openssl098e on CentOS 7
On 10/21/2015 11:58 AM, Nick Bright wrote:
> My concern is that, with the compatibility package installed, could
> this present vulnerabilities or compliance problems in Apache?

No. openssl098e libraries have a distinct path. Apache's mod_ssl will not load them.
Gordon Messmer
2015-Oct-21 20:25 UTC
[CentOS] Security implications of openssl098e on CentOS 7
On 10/21/2015 12:20 PM, Yamaban wrote:
> TL;DR: Preload openssl from non-standard location for closed-source
> app only.
>
> Hmm, how about taking the content of the openssl098e package, put
> it into a directory relative to the closed source software (e.g. /opt),

Totally unnecessary. The openssl098e libraries do not conflict with the libraries in openssl-libs. They will not be used by anything except binaries that were linked against openssl 0.9.8e at compile time.
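Gordon's point, that only binaries linked against 0.9.8e at build time will load openssl098e, can be verified per binary by reading its NEEDED entries. The script below is an added example, not something posted in the thread; it assumes the CentOS 7 sonames libssl.so.6/libcrypto.so.6 for openssl098e and libssl.so.10/libcrypto.so.10 for openssl-libs, and the sample objdump/ldd lines are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): report which OpenSSL generation a
# binary is linked against, so httpd/mod_ssl and the vendor backup agent
# can be compared. Soname assumption: openssl098e provides libssl.so.6 and
# libcrypto.so.6; openssl-libs provides libssl.so.10 and libcrypto.so.10.

# classify_soname SONAME -> "legacy-0.9.8e", "system-1.0.x" or "other"
classify_soname() {
  case "$1" in
    libssl.so.6|libcrypto.so.6)   echo "legacy-0.9.8e" ;;
    libssl.so.10|libcrypto.so.10) echo "system-1.0.x" ;;
    *)                            echo "other" ;;
  esac
}

# ssl_deps_filter reads `objdump -p` NEEDED lines or `ldd` lines on stdin and
# prints "soname classification" for every OpenSSL library referenced.
ssl_deps_filter() {
  awk 'BEGIN { re = "^lib(ssl|crypto)\\.so" }
       $1 == "NEEDED" && $2 ~ re { print $2 }   # objdump -p format
       $2 == "=>"     && $1 ~ re { print $1 }'  |  # ldd format
  while read -r so; do
    echo "$so $(classify_soname "$so")"
  done
}

# ssl_deps_of BINARY inspects a real ELF file (needs binutils installed).
ssl_deps_of() {
  objdump -p "$1" 2>/dev/null | ssl_deps_filter
}

# uses_legacy_openssl BINARY exits 0 if the binary would pull in openssl098e.
uses_legacy_openssl() {
  ssl_deps_of "$1" | grep -q 'legacy-0.9.8e'
}

# Constructed samples: a vendor agent built against 0.9.8e (objdump style)
# and a binary using the system OpenSSL (ldd style).
SAMPLE_NEEDED='  NEEDED               libssl.so.6
  NEEDED               libcrypto.so.6
  NEEDED               libc.so.6'
SAMPLE_LDD='    libssl.so.10 => /lib64/libssl.so.10 (0x00007f0000000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000100000)'

if [ "${BASH_SOURCE:-}" = "$0" ]; then
  printf '%s\n' "$SAMPLE_NEEDED" | ssl_deps_filter
  printf '%s\n' "$SAMPLE_LDD" | ssl_deps_filter
  # Real check on a host: ssl_deps_of /usr/lib64/httpd/modules/mod_ssl.so
fi
```

On a real host, run `ssl_deps_of` against mod_ssl.so and the backup agent's binary: only the agent should report legacy-0.9.8e.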