DirectAdmin OpenSSL vulnerability?

spork

One of my customers has subscribed to a security scanning service geared towards verifying PCI compliance for his domains (ControlScan). The only thing it has found that actually appears serious is something it claims is an OpenSSL vulnerability on port 2222, supposedly indicating an ancient version of OpenSSL (lower than 0.9.7-beta3).

Running `openssl version` on the server returns OpenSSL 0.9.8e and this is not a vulnerability that turns up on any of the other web ports on the box. If DirectAdmin is using OpenSSL would there be a way for me to recompile it with the updated libraries or is this just a false positive?
 
The OpenSSL library is integrated in DirectAdmin, since "directadmin" is a static program. Upgrade DirectAdmin constantly and you won't have to worry about OpenSSL vulnerabilities.
Anyway, with any luck the scanner is wrong; DirectAdmin doesn't publish its OpenSSL version and the scanner probably got confused by the weird server reply header ("Server: DirectAdmin Daemon v1.33.7 Registered to FADATEC"), expecting something like "Server: Apache/2".
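To see why a banner-based check can misfire here, the following added example (not code from the thread or from DirectAdmin) parses OpenSSL version strings into a sortable form, compares them against the 0.9.7-beta3 threshold the scanner quotes, and refuses to infer a library version from a Server header that never names OpenSSL. The Apache-style "OpenSSL/x.y.z" banner and the threshold handling are assumptions for the demonstration.

```python
import re
from typing import Optional, Tuple

# Only accept a version that is explicitly attributed to OpenSSL. Without the
# "OpenSSL" token, "DirectAdmin Daemon v1.33.7" would match a bare x.y.z regex.
_OPENSSL_RE = re.compile(
    r"OpenSSL[/ ]?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta|pre)(\d+))?",
    re.IGNORECASE,
)

Version = Tuple[int, int, int, int, Tuple[int, int]]


def parse_openssl_version(text: str) -> Optional[Version]:
    """Return a sortable tuple for an OpenSSL version, or None if text has none.

    0.9.x letter patch levels sort after the bare release (0.9.8 < 0.9.8a < 0.9.8e);
    beta/pre builds sort before the final release (0.9.7-beta3 < 0.9.7).
    Distro suffixes such as "-fips-rhel5" are ignored.
    """
    m = _OPENSSL_RE.search(text)
    if not m:
        return None
    major, minor, fix = int(m.group(1)), int(m.group(2)), int(m.group(3))
    patch = 0
    for ch in m.group(4).lower():  # "a" -> 1, "e" -> 5, "" -> 0
        patch = patch * 26 + (ord(ch) - ord("a") + 1)
    # (1, 0) marks a final release so it sorts after any (0, betaN)
    stage = (1, 0) if m.group(5) is None else (0, int(m.group(6)))
    return (major, minor, fix, patch, stage)


# Threshold quoted by the scanner in the thread (assumed to be inclusive: >= is ok)
MIN_SAFE = parse_openssl_version("OpenSSL 0.9.7-beta3")


def triage_banner(server_header: str) -> str:
    """Classify a scanner finding from the Server header alone.

    A statically linked daemon does not inherit the system libssl, and a banner
    without an OpenSSL token carries no evidence either way, so report "unknown"
    rather than guessing.
    """
    ver = parse_openssl_version(server_header)
    if ver is None:
        return "unknown"
    return "vulnerable" if ver < MIN_SAFE else "ok"
```

For the header quoted in the thread the result is "unknown", so the finding cannot have come from the banner and has to be confirmed by other means (vendor changelog, or a handshake-level test) before it is treated as real.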
 
It's only a recommendation from ControlScan IIRC, just tell them it's a false positive and they will clear it.
 
Hello,

I'd like to check our build box anyway.
Can you tell me which OS version that binary is compiled on?

John
 
I have not run the scanner on my DA box yet, but I only use CentOS 5.3 on all of them and they all come back with this issue.
 
Thank you, my next box for a client is going to be using ControlScan too; this should be done in the next week or two. I will report back to ensure there are no issues with this on a new install.
 
Also, for the record, my latest DA box is running the version below as well:

OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
 