
A client had a PCI scan completed by SecurityMetrics, and it now says they failed due to the SSL certificate for the SMTP port 25 (and POP3s/IMAPS) not matching the domain scanned. Specifically:


Description: SSL Certificate with Wrong Hostname

Synopsis: The SSL certificate for this service is for a different host.

Impact: The commonName (CN) of the SSL certificate presented on this service is for a different machine.


The mail server uses sendmail (patched) and provides email service for a number of domains. The server itself has a valid SSL certificate, but it does not match each domain (as we add/remove domains all the time as clients move around).

Seems SecurityMetrics is the only ASV that marks this as failing PCI. Trustwave, McAfee, etc. do not see this as failing PCI.

Is this issue truly a PCI failure? Or is it just SecurityMetrics being wrong?

sysadmin1138
Rob Mangiafico
  • Have you tried speaking to SecurityMetrics? These sorts of misunderstandings and special considerations are fairly common, in my experience at least. Assuming it really isn't a security issue. – Sirex Aug 29 '12 at 02:52
  • It is much easier for you to go and fix the certificate, perhaps buy a wildcard SSL so that you can use it on many of your servers with the same domain. It's not easy for SecurityMetrics to go and update their tests to make an exception. OTOH, I'd also advise to fix your domain and SSL certificate since it usually comes back and bites in other ways (email clients) and could be a PCI DSS violation in the strictest sense. Imagine your bank sends you a certificate for another domain than the one you are on? – Chida Aug 29 '12 at 02:57
  • Why are you running email services on the same server as your web sites? – Michael Hampton Aug 29 '12 at 02:57
  • Same issue applies to FTPS and a non-matching SSL certificate, so it's not just SMTP (yes I understand the separation of services for PCI compliance). SecurityMetrics just points to the Nessus CVSS results, but other ASVs do not mark this as a failing hit, as it is not actually a vulnerability. – Rob Mangiafico Aug 29 '12 at 13:35
  • Rob, did you ever get anywhere with this as I'm having the same debate with Security Metrics at the moment!? My web host has assured me that other ecommerce sites they host on the same setup (except using other ASVs like McAfee and Trustwave) do not have this marked as a "failure" yet Security Metrics don't seem to want to budge. Wondered what your outcome was? – Ben Sep 18 '12 at 13:42
  • Ben, unfortunately, I did not. We had to firewall off services, and provide the client with different hostnames to use to connect to other services like FTP. We're looking into some better workarounds, but nothing solid yet. Seems it's only SecurityMetrics, as no other ASVs have marked this as failing PCI. – Rob Mangiafico Sep 18 '12 at 17:33

1 Answer

This is what they call a false positive. We are using a wildcard certificate, so therefore the host name and certificate will not match. The certificate name will be the wildcard name and the host would be domain.yourdomain.com and the SSL being a wildcard will be *.yourdomain.com

Simply ask SecurityMetrics to whitelist that specific error if you are using a wildcard cert.

You will have to get that to be the only error for the specific IP address. They can omit false positives.

Ryan
  • Agree. I've passed PCI scans several times - email certificate validation is not required by PCI. – GioMac May 05 '13 at 02:57
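The finding above is the result of a hostname-match check like the one below, which shows which scanned hostnames a wildcard certificate such as *.yourdomain.com actually covers and which ones (a client's own domain pointed at the shared mail server, or a name two labels deep) it does not. This is an added example written for this page, not code from SecurityMetrics or the thread; the certificates are constructed as plain dicts rather than parsed from a live SMTP connection.

```python
"""Hostname matching against a presented TLS certificate (RFC 6125 s6.4.3).

A scanner checks the hostname it was given against the certificate's
subjectAltName dNSName entries, falling back to the CN only when no
dNSName is present.  A wildcard is honoured only as the whole leftmost
label and matches exactly one label.
"""


def name_matches(presented, hostname):
    """Return True if one presented identifier covers hostname."""
    p_labels = presented.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if "*" in presented:
        # Only "*.example.com" style: whole leftmost label, and at least
        # two real labels behind it so "*.com" is never accepted.
        if p_labels[0] != "*" or len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches_host(cert, hostname):
    """SAN dNSNames are authoritative; CN is used only if SAN is empty."""
    names = cert.get("san_dns") or [cert["cn"]]
    return any(name_matches(n, hostname) for n in names)


def scan_verdict(cert, hostname):
    """One-line verdict worded like the ASV finding in the question."""
    if cert_matches_host(cert, hostname):
        return f"{hostname}: certificate hostname matches"
    return f"{hostname}: SSL Certificate with Wrong Hostname"


# Constructed sample certificates (not from the question).
WILDCARD_CERT = {"cn": "*.yourdomain.com",
                 "san_dns": ["*.yourdomain.com", "yourdomain.com"]}
SINGLE_NAME_CERT = {"cn": "mail.yourdomain.com", "san_dns": []}

if __name__ == "__main__":
    for host in ("mail.yourdomain.com",        # covered by the wildcard
                 "yourdomain.com",             # covered only via bare SAN
                 "smtp.mail.yourdomain.com",   # two labels deep: no match
                 "mail.clientdomain.com"):     # a hosted client's domain
        print(scan_verdict(WILDCARD_CERT, host))
```

The last case is the situation in the question: scanning a hosted client's own domain against the provider's certificate fails regardless of whether that certificate is a wildcard, which is why handing clients a hostname under the provider's domain clears the finding.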