Established Member
Posts: 1,539
Registered: ‎03-23-2013
Kudos: 220
Solutions: 51

PCI Compliance weak ciphers - UCRM

Checking our UCRM server for PCI Compliance and I'm only getting an A, not A+.

"The server supports cipher suites that are not approved by PCI DSS requirements, NIST guidelines and HIPAA guidance."

TLS not compliant.png

 

So I took the liberty to scan ucrm-demo.ubnt.com and it comes up good: A+. If you include the HIPAA compliance test it has two minor gripes but is still A+.

Is there something I can change to fix this?


All Replies
Ubiquiti Employee
Posts: 3,528
Registered: ‎12-10-2015
Kudos: 1255
Solutions: 272

Re: PCI Compliance weak ciphers - UCRM

We will look into it.

However, note that sensitive data like CC info is never stored in UCRM. It's not even handled by UCRM; the data goes directly from the client's browser to the payment gateway. This minimizes the need for strong PCI compliance the ISP should meet.
Established Member
Posts: 1,539
Registered: ‎03-23-2013
Kudos: 220
Solutions: 51

Re: PCI Compliance weak ciphers - UCRM

What about this note in the help documentation included in UCRM?

ippay PCI compliance.png

Ubiquiti Employee
Posts: 3,528
Registered: ‎12-10-2015
Kudos: 1255
Solutions: 272

Re: PCI Compliance weak ciphers - UCRM

@Trendal, this is from IPpay configuration doc (/help/setting-up-ippay), which is the only exception. Sorry for not being exact.
In this case, the data are sent by UCRM server to IPpay, but it's not stored in UCRM in any way.

Regarding your previous issue, note that we will include the most up-to-date ciphers in UCRM nginx server. Follow the release notes.
New Member
Posts: 12
Registered: ‎11-11-2017
Kudos: 1

Re: PCI Compliance weak ciphers - UCRM

So, running the latest UCRM version, the vulnerable SSL protocols are still enabled. This has to pass since credit card numbers are input via the SSL page (even though only passed in RAM to the processor). I can go change this in nginx directly, but that would probably get blown away in an upgrade. Can the base configuration just be changed to not support TLSv1.0, SSLv2 and SSLv3? The session cookie thing is really just a housekeeping issue by comparison.

Scan findings:

TLSv1.0 Supported | High | 10.00 | Fail
  Note to scan customer: This vulnerability is not recognized in the National Vulnerability Database. TLS v1.0 violates PCI DSS and is considered an automatic failing condition.

Non-Secure Session Cookies Identified | Medium | 5.00 | Fail
  Note to scan customer: This vulnerability is not recognized in the National Vulnerability Database.

SSLv2, SSLv3 and TLS v1.0 Vulnerable to CBC Attacks via chosen-plaintext (BEAST), CVE-2011-3389 | Medium | 4.30 | Fail
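As an added example (not UCRM's shipped nginx configuration and not part of any reply in this thread): an nginx server block showing the protocol setting the scan above flags, beside a hardened version that offers only TLS 1.2/1.3 with forward-secret AEAD suites, plus the cookie flag the "Non-Secure Session Cookies" finding refers to. The hostname, certificate paths, upstream address and config file location are placeholders; where UCRM keeps its nginx config inside its container is not stated in this thread.

```nginx
# Added example, not UCRM's own config. Path is a placeholder assumption:
# /etc/nginx/conf.d/ucrm-tls.conf

# --- Weak setting of the kind the PCI scan flagged: TLSv1.0 still offered ---
#
#   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#   ssl_ciphers   HIGH:!aNULL:!MD5;      # still allows CBC suites usable with TLS 1.0
#
# --- Hardened replacement ---
server {
    listen 443 ssl http2;
    server_name ucrm.example.com;                    # placeholder hostname

    ssl_certificate     /etc/nginx/ssl/fullchain.pem; # placeholder paths
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;

    # Only TLS 1.2 and 1.3; SSLv2/SSLv3/TLS 1.0/1.1 are never negotiated.
    # (TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1+; drop it if absent.)
    ssl_protocols TLSv1.2 TLSv1.3;

    # ECDHE-only AEAD suites: forward secrecy, no CBC, no RSA key exchange.
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_ecdh_curve X25519:prime256v1:secp384r1;       # X25519 requires OpenSSL 1.1.0+

    # Session resumption without long-lived ticket keys.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Tell browsers to refuse plaintext for this host in future.
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_pass http://127.0.0.1:8080;             # placeholder UCRM upstream

        # Addresses the "Non-Secure Session Cookies" finding at the proxy layer:
        # mark every upstream Set-Cookie as Secure and HttpOnly.
        # Requires nginx 1.19.3 or newer; on older builds set the flags in the app instead.
        proxy_cookie_flags ~ secure httponly;
    }
}
```

After `nginx -t` and a reload, verify from another host with `openssl s_client -connect ucrm.example.com:443 -tls1` (the handshake must fail) and `-tls1_2` (must succeed), then re-run the ASV scan. Because UCRM ships its own nginx inside the container, re-check after every upgrade: as the post above notes, a hand edit can be overwritten, and a passing scan from before the upgrade says nothing about the build now running.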

Ubiquiti Employee
Posts: 3,528
Registered: ‎12-10-2015
Kudos: 1255
Solutions: 272

Re: PCI Compliance weak ciphers - UCRM

@jwvo SSLv2 and SSLv3 have not been enabled for some time. TLSv1.0 will be removed in UCRM 2.14.2.
New Member
Posts: 12
Registered: ‎11-11-2017
Kudos: 1

Re: PCI Compliance weak ciphers - UCRM

awesome, thanks.
