Exim PCI scan false positive

In this article we’ll discuss why a PCI scan could have possibly failed as a false positive, stating an outdated version of Exim which is the service that handles sending e-mail on the server. If you have read our previous article on how to pass PCI compliance scans, the Exim service being outdated is a common false positive that we see.

The reason for this is because we run cPanel on our servers, and cPanel utilizes backporting for their software updates instead of simply installing the latest version of the service each time it’s updated. So to a PCI vendor it might seem that the version is outdated and subject to a known exploit, but in reality the service is secure because it has been patched against the exploit already.

If you failed a PCI scan and the reason stated was your server was running an old version of Exim that is exploitable, you can follow these steps to report the issue as a false positive back to your PCI vendor.

  1. Login to your server via SSH
  2. Run the following command:rpm -q exim && rpm -q –changelog exim | head -10You should get back text similar to:

    exim-4.80-3.x86_64
    * Thu Oct 25 2012 brian m. carlson <brian.carlson@cpanel.net> – 4.80-3
    – Fixes CVE-2012-5671
    – Rebuild to revert ALTPORT logic to original state.

    * Thu Oct 25 2012 brian m. carlson <brian.carlson@cpanel.net> – 4.80-2
    – Fixes CVE-2012-5671

    * Tue Sep 11 2012 Rikus Goodell <rikus.goodell@cpanel.net> – 4.80-1
    – Remove ALTPORT logic from init script (now reverted).</rikus.goodell@cpanel.net></brian.carlson@cpanel.net></brian.carlson@cpanel.net>

    You should notice the latest patch applied to Exim was on Thu Oct 25 2012. So if your PCI scanning vendor has failed your website due to the Exim version, provide them with this information so they can mark it as a false positive.

    In this example we used head -10 to only show 10 lines from the full changelog, you can adjust that number to see updates going further back in time.

You should now understand how to retrieve the changelog of the Exim service on your server, to show a PCI vendor that it should be reported as a false positive.

Leave a Reply

Your email address will not be published. Required fields are marked *