My most recent PCI Compliance scan for my site (Altfree.com) from my payment processor (Electronic Merchant Systems) via pciapply.com is failing due to “TLS Padding Oracle Vulnerability (Zombie POODLE and GOLDENDOODLE)”. This appears to be an issue with the version of TLS that Shopify runs.
Any advice on how to resolve this issue?
More info from the PCI Scan:
"TLS Padding Oracle Vulnerability (Zombie POODLE and GOLDENDOODLE)
Description
A TLS padding oracle vulnerability is detected.
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data.
QID Detection Logic:
This QID sends multiple TLS padding payloads to determine the vulnerability.
Note: Qualys scanner version 11.1.24-1 or later is required to use this QID.
Please refer to the official GitHub page TLS Padding Oracles for affected products and patch links.
Patch: Following are links for downloading patches to fix the vulnerabilities:
OpenSSL Security Advisory: OpenSSL"
Hi Elitwilliams!
Zombie POODLE, GOLDENDOODLE (port 443, port 2053, port 2083, port 2087, port 2096, port 8443)
This finding should be reported as a false positive to the ASV company with the following explanation:
Explanation to ASV company:
The service is not vulnerable to Zombie Poodle, GoldenDoodle or any other known TLS vulnerability.
All TLS connections are terminated at the Cloudflare CDN. Cloudflare has confirmed that they are not vulnerable to zombie poodle and goldendoodle in this article: https://support.cloudflare.com/hc/en-us/articles/4422920018317-Cloudflare-and-CVE-2019-1559
Shopify’s applications and services run on separate TLS connections between Cloudflare and Shopify. The available ciphers for all Shopify applications and services include ONLY the following list, as shown in the screenshot from the Shopify web configuration:
The available cipher list does not include AES CBC ciphers.
If you believe that this information is in error, you should report a security bug through Shopify’s bounty program page at HackerOne. https://hackerone.com/shopify?type=team
Cloudflare’s bounty program is available at: https://hackerone.com/cloudflare?type=team
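Because Zombie POODLE and GOLDENDOODLE are CBC padding-oracle checks, the question the ASV is really asking is whether the edge will negotiate any CBC-mode suite at all. The following script is an added example, not code from this thread, Shopify or Cloudflare: it asks the local OpenSSL build for every TLS 1.2 suite it knows, offers each one individually (with SNI) to the endpoint, and lists the CBC suites that were actually negotiated. `TARGET_HOST` is a constructed placeholder; an empty result is the evidence that no CBC surface exists on that port.

```python
import socket
import ssl

# Constructed placeholder endpoint; substitute the scan target and port.
TARGET_HOST = "store.example.com"
TARGET_PORT = 443


def is_cbc_suite(cipher: dict) -> bool:
    """Classify one entry of SSLContext.get_ciphers(): a suite has a
    padding-oracle surface only if it is not AEAD and its symmetric
    algorithm runs in CBC mode (e.g. 'aes-256-cbc')."""
    if cipher.get("aead"):
        return False
    return "cbc" in (cipher.get("symmetric") or "").lower()


def candidate_suites() -> dict:
    """Map every TLS 1.2-or-older suite the local OpenSSL knows to its CBC flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")
    return {c["name"]: is_cbc_suite(c) for c in ctx.get_ciphers()
            if c.get("protocol") != "TLSv1.3"}


def probe(host: str, port: int, suite: str, timeout: float = 5.0) -> bool:
    """Offer exactly one TLS 1.2 suite and report whether the server took it.
    Certificate checks are disabled on purpose: the question is which suites
    are negotiable, not whether the certificate chain validates."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(suite)  # raises SSLError if this build lacks the suite
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0] == suite
    except (ssl.SSLError, OSError):
        return False


def cbc_suites_accepted(host: str, port: int = 443) -> list:
    """Sorted CBC suites the server negotiated; an empty list means no CBC
    surface, so a CBC padding-oracle finding cannot apply to this endpoint."""
    return sorted(name for name, cbc in candidate_suites().items()
                  if cbc and probe(host, port, name))


if __name__ == "__main__":
    print("CBC suites accepted:", cbc_suites_accepted(TARGET_HOST, TARGET_PORT))
```

Run it once per port the scanner flagged (443, 2053, 2083, 2087, 2096, 8443) and attach the output alongside the Cloudflare article; a scanner that flags a CBC padding oracle where no CBC suite is negotiable is reporting on a surface that does not exist.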
Thanks Shawn for the quick and thorough reply! I will pass along this info - hopefully that makes them happy.
Ok - they are being persistent, and long story short they are not accepting this response. Please see below:
"The reason we require evidence from the scan target system is for this very scenario. The statement you provided does not align with manual testing nor the scanner results. The blanket statement contains a list of ciphers accepted, however the weak cipher is conveniently left off that list. Manual testing shows the ciphers from the blanket statement accepted/configured, but so is the vulnerable cipher being flagged by our scanner. See attachments for manual testing confirming the blanket statement is inaccurate.
NOTE: Removed all items for high numbered ports as they will need their own EC to pursue an exception.
Regards"
Any advice on a response? Thanks again Shawn.
My issue is still not resolved, but here’s some more from my most recent communications with Tommy Teague at Aperia, the lovely ASV provider:
Me: You also did not address the fact included in my prior message that Shopify is behind CloudFlare, who says they are not vulnerable.
Aperia: I did address this. A third party company stating they are not vulnerable or are compliant is not sufficient. You/your hosting provider/or other company involved in hosting your PCI compliant environment are required to provide evidence outlined in my previous replies.
Me: As you may suspect, I do not have the ability to configure CloudFlare on my end since that is a service Shopify provides, but that shouldn’t matter anyway since they’re not vulnerable.
Aperia: We do not expect you to re-configure or alter Cloudflare or Shopify settings. This is the entity’s task, not yours. As both the PCI-DSS and ASV program dictate/work, evidence needs to be supplied backing up their claim that they are not vulnerable. As the ASV program states, if you are unable to make changes to your environment to meet PCI requirements you need to work with the entities you employ to do so for you.
Me: So are you explicitly disputing CloudFlare’s public docs? Please see quote from Shopify support below, and please visit the CloudFlare URL and read it.
Aperia: Yes.
Hi again @PCI-Shawn - I am still fighting with them. They’ve escalated me to a manager and, despite this being a “known issue”, this is his latest reply:
"I’m sorry that this has been a difficult situation and I’m sympathetic that you have little control over your hosting provider. I am the ASV manager and I will handle your exception requests going forward. Here is our position on this situation:
- Our scan solution confirms that the potentially vulnerable cipher is allowed.
- Our scan solution confirms that the scan target is failing the check for a vulnerable OpenSSL version.
If you can convince Shopify/Cloudflare to show you that they are using a non-vulnerable OpenSSL version then we could give a false positive. As per the PCI-ASV Program Guide we need evidence from the scan target showing the version number in use. We have asked Shopify for this in the past and they have not provided it. We have also asked them to stop using the potentially vulnerable cipher (in which case the OpenSSL check would not be needed) and they have also not done that."
So they are blaming Shopify and/or Cloudflare. As previously mentioned, the name of the scan company is Aperia, and this particular person is Chip Lewis in case you can find any previous contact from him regarding the matter. Boggles my mind that this issue is not being resolved directly, but then again when your entire business model is predicated on the product (ASV scans) failing, it’s not exactly shocking that nobody has a fire lit underneath them to resolve the issue.
Hi @elitwilliams
Cloudflare updated some documentation a couple weeks back that I don’t think we have referenced yet.
This cloudflare article:
https://support.cloudflare.com/hc/en-us/articles/4422920018317-Cloudflare-and-CVE-2019-1559
Specifically says: “Cloudflare does not use the affected version of openssl at its edge. Even though your application is not vulnerable to CVE-2019-1559, some security scanners may flag your application erroneously.”
I suggest trying another False Positive resubmission referencing that.
Thanks @PCI-Shawn - the latest request I’ve gotten from them is:
“Your best bet for quick resolution is continuing to push for Shopify & Cloudflare to provide the version number of OpenSSL that is used.”
Can you please provide that?
Hi Elitwilliams!
Another idea I have is submission of following:
As per the ASV Program Guide, there are two options for ASV scanning of hosting providers (Shopify) that host scan customer infrastructures or components. The hosting provider (Shopify) can undergo ASV scans on its own and provide evidence to its customers to demonstrate their compliant scans. Shopify’s PCI External ASV Vulnerability Scan Attestation of Scan Compliance (AoSC) is attached and is available at: https://help.shopify.com/en/questions/compliance#/reports. Shopify attests that these scans include all components which should be in scope for PCI DSS and that scoping is accurate and complete for the services it provides.
@PCI-Shawn Thank you - can you also please provide the OpenSSL versions used by Shopify and Cloudflare, per their request?
Hi Elitwilliams!
Was the report from SecurityMetrics helpful?
Shawn