PCI Compliance Clear Text Authentication problem
Hi, I'm having difficulty resolving a PCI Compliance issue that McAfee's scan has identified.
They write: "On 31 May 2011 the CVSS2 score for FTP Server Clear Text Authentication was raised to 7.5. 'FTP supports clear text authentication' vulnerability is considered critical according to PCI council.
This is a high level issue in PCI compliance. Please consider the following options:
1. Disable FTP and use SFTP
2. If you have multiple users, or are on a shared server FTP/SSL is the easiest to configure. "
However, the Bluehost response is that they can't enforce secure FTP.
I know I can configure my FTP client to be secure but that's not going to meet the compliance need. I notice many hosting companies have gone to SFTP.
Any ideas anyone? I really like Bluehost and don't want to have to move. I have another site with ICDsoft and they simply told me they don't guarantee PCI Compliance so that one will have to go . . .
I do not believe all PCI scan companies would consider this a failing vulnerability. Have you considered trying a different PCI company? Also, if you can, please make a ticket again and provide us with the PDF of the PCI report. If you have already done this, just PM your domain name to me and I can look up the ticket and the scan so I can look into this particular vulnerability further.
All approved (authorized) PCI scanning vendors must use the exact same national CVSS v2.0 (Common Vulnerability Scoring System v2) database scoring system for their PCI scanning compliance checks in scoring found vulnerabilities. Therefore, it doesn't matter which PCI scanning vendor you select, the finding of a clear-text FTP server will result in the same CVSS v2.0 scoring, and therefore fail the required PCI scanning compliance checks.
The FTP Supports Clear Text Authentication vulnerability was first reported in December 2008 with Severity Level of 1.
On May 31, 2011 the CVSS2 (Common Vulnerability Scoring System v2) score for this issue was raised to 7.5 by the PCI consortium. This is now Critical with a Severity Level of 4 in PCI. This generally means a valid exploit has been made available and sites are being compromised.
The FTP Supports Clear Text Authentication vulnerability means the login Username and Password are sent in the clear; this information can be intercepted and used to log into your site. SSH and sFTP are encrypted and better suited for this use. Both SSH and sFTP are free to users and are easy to install and use.
For a Bluehost employee to not know this is somewhat disturbing - since you are a large hosting provider, and most likely have several hundred/thousand customers who are conducting credit card transactions through your datacenters/networks. The PCI non-compliance CVE is "FTP Supports Clear Text Authentication", that has a CVSS Score of 7.5, Severity 4 which is a "critical level" according to the PCI standard. FTP is an old, clear-text protocol, and is rightly flagged as being insecure.
Bluehost should provide its credit-card processing customers with a means of conducting secure file transfers using SFTP or FTPS - instead of directing its customers to use another authorized PCI scanning vendor, because the scanning results will be the same - PCI non-compliance until clear-text FTP is disabled and either SFTP or FTPS is used.
My apologies. We do offer secure FTP over port 22. Also, over the last couple of weeks we have gained the capability of disabling ports for users with dedicated IP addresses. Simply by opening a chat, calling in, or submitting a ticket, we can disable port 21 for you, which should clear up your issue.
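The thread ends with two remediation paths: have port 21 disabled, or rely on SSH/SFTP on port 22 (and, per the scanner's own advice, FTP/SSL). The script below is an added example, not Bluehost's or McAfee's tooling, for verifying on a host you own that the "FTP Supports Clear Text Authentication" finding no longer applies. It assumes the target hostname is passed on the command line, that a `USER` command sent before any `AUTH TLS` and answered with `331` means the server still accepts a clear-text login (the condition the scanner flags), and that a `530` in that position means TLS is being enforced; the bogus username `pci-selfcheck` and the sample FEAT replies are constructed for the example.

```python
"""Self-check for the 'FTP Supports Clear Text Authentication' PCI finding.

Added example (not the hosting provider's or scanner's code). Run against a host
you own. Three observations decide the outcome:
  1. is port 21 open at all (closed means the finding cannot apply),
  2. if open, does FEAT advertise AUTH TLS / AUTH SSL (explicit FTPS, RFC 4217),
  3. if open, does the server still accept a clear-text USER before AUTH TLS.
Port 22 is checked separately for an SSH banner, which is the SFTP path.
"""
import socket

# Constructed sample FEAT replies for offline checks (not captured from any real host).
SAMPLE_FEAT_PLAIN = "211-Features:\r\n MDTM\r\n REST STREAM\r\n SIZE\r\n211 End\r\n"
SAMPLE_FEAT_TLS = "211-Features:\r\n AUTH TLS\r\n PBSZ\r\n PROT\r\n211 End\r\n"


def feat_offers_tls(feat_reply: str) -> bool:
    """True if a multi-line FEAT reply lists AUTH TLS or AUTH SSL."""
    for line in feat_reply.splitlines()[1:-1]:  # skip '211-Features:' and '211 End'
        words = line.strip().upper().split()
        if len(words) >= 2 and words[0] == "AUTH" and any(w in ("TLS", "SSL") for w in words[1:]):
            return True
    return False


def is_ssh_banner(banner: bytes) -> bool:
    """RFC 4253: an SSH server greets with 'SSH-2.0-' (or 'SSH-1.99-' for compat servers)."""
    return banner.startswith((b"SSH-2.0-", b"SSH-1.99-"))


def evaluate(port21_open: bool, feat_reply: str = "", user_reply_code: int = 0) -> str:
    """Map the observations onto the scanner's pass/fail terms."""
    if not port21_open:
        return "PASS: port 21 closed, clear-text FTP finding does not apply"
    if user_reply_code == 331:
        # 331 'password required' to a USER sent before AUTH TLS: clear-text login accepted
        return "FAIL: FTP accepts clear-text authentication (the CVSS 7.5 finding)"
    if feat_offers_tls(feat_reply):
        return "PASS: FTP refuses login until AUTH TLS (FTPS enforced)"
    return "REVIEW: port 21 open, no TLS advertised, USER not accepted; inspect the server"


def _reply_complete(buf: bytes) -> bool:
    """RFC 959: a reply ends with a line 'NNN text' (space after the code, not '-')."""
    lines = buf.split(b"\r\n")
    last = lines[-2] if len(lines) >= 2 else b""
    return len(last) >= 4 and last[:3].isdigit() and last[3:4] == b" "


def _read_reply(sock: socket.socket) -> str:
    buf = b""
    while not _reply_complete(buf):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode("latin-1", "replace")


def audit_ftp(host: str, port: int = 21, timeout: float = 5.0) -> str:
    """Connect to port 21 of a host you own and classify what it offers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            _read_reply(s)                          # 220 greeting
            s.sendall(b"FEAT\r\n")
            feat = _read_reply(s)
            s.sendall(b"USER pci-selfcheck\r\n")    # bogus user, deliberately before AUTH TLS
            code_text = _read_reply(s)[:3]
            code = int(code_text) if code_text.isdigit() else 0
            s.sendall(b"QUIT\r\n")
            return evaluate(True, feat, code)
    except OSError:
        return evaluate(False)


def audit_ssh(host: str, port: int = 22, timeout: float = 5.0) -> bool:
    """True if port 22 greets with an SSH banner (SFTP is available over it)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return is_ssh_banner(s.recv(256))
    except OSError:
        return False


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # hypothetical host you own
    print("port 21:", audit_ftp(target))
    print("port 22 SSH banner:", audit_ssh(target))
```

Re-run it after the provider closes port 21: the first line should change from FAIL to PASS, which is what the next PCI scan will also see. A server that advertises AUTH TLS but still answers 331 to a plain USER is reported as FAIL on purpose, because the scanner tests whether clear-text authentication is accepted, not merely whether TLS is available.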