Failing PCI Scans because of outdated jQuery in User Portal - Is there a fix?

We are failing our PCI compliance scans on every XG firewall we have that has the user portal enabled.  Our PCI compliance scanning company is telling us this:

Description:  "jQuery is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Asynchronous JavaScript and Extensible Markup Language (AJAX) Request is performed without the dataType option, causing text/javascript responses to be executed.  This finding indicates that either the root domain url, sub-domain url, or an imported/sourced version of jQuery is below jQuery version 3.0. All three scenarios allow an attacker to execute cross site scripting attacks on the root domain."

Evidence: jQuery appears to be '2.1.3' and needs to be at '3.0.0' or higher

This is ONLY happening on the port used by the User Portal.  To verify this we changed the port to another number, had a host rescanned, and the vulnerability was found on that new port.

Is there anything I can do to get this fixed or do I have to wait for Sophos to update the jQuery version they are using?  Is there a bug report place I can put this if that's the case or who do I contact?
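The finding above has two separate parts: the scanner flags any jQuery version string below 3.0.0, while the actual defect (jQuery issue gh-2432) is that jQuery 1.x/2.x sniffs a cross-domain response's Content-Type and hands a javascript/ecmascript response to its "text script" converter, which evaluates it, whenever the caller omitted dataType. jQuery 3.0 closed this with an ajaxPrefilter that sets `contents.script = false` on cross-domain requests. The block below is an added example, not code from this thread, from Sophos, or from jQuery itself; `parseVersion`, `isVersionFlagged`, `wouldAutoExecute` and `hardenCrossDomain` are my own names, and `wouldAutoExecute` is a deliberately simplified model of jQuery's content-type routing, not the library's code. It runs under Node as-is and, if pasted into a page where jQuery is loaded, registers the same prefilter the 3.0 fix added.

```javascript
// Added example: models the scanner's version check and the jQuery 3.0
// cross-domain script fix (gh-2432). Simplified; not jQuery's own code.

// Parse "2.1.3" / "3.4.1" into numeric parts; null on unparsable input.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Scanner-style check: any reported version below 3.0.0 is flagged.
// An unparsable version is flagged too; "unknown" must never mean "safe".
function isVersionFlagged(v) {
  const p = parseVersion(v);
  if (!p) return true;
  return p[0] < 3;
}

// Pattern jQuery 2.x used to recognise a script response by Content-Type.
const SCRIPT_CONTENT_TYPE = /(?:java|ecma)script/;

// Simplified model of how a jQuery 2.x response is routed:
//  - explicit dataType wins (only "script" evaluates the body);
//  - otherwise, unless contents.script is disabled, a script Content-Type
//    is sniffed and the body is evaluated.
function wouldAutoExecute(settings, responseContentType) {
  if (settings.dataType) return settings.dataType === 'script';
  if (settings.contents && settings.contents.script === false) return false;
  return SCRIPT_CONTENT_TYPE.test(responseContentType || '');
}

// The jQuery 3.0 fix as a prefilter: cross-domain requests no longer sniff
// script unless the caller explicitly asked for dataType: "script".
function hardenCrossDomain(settings) {
  if (settings.crossDomain) {
    settings.contents = Object.assign({}, settings.contents, { script: false });
  }
  return settings;
}

// On a real page with an older jQuery, register the prefilter; no-op in Node.
if (typeof jQuery !== 'undefined' && jQuery.ajaxPrefilter) {
  jQuery.ajaxPrefilter(hardenCrossDomain);
}

// Constructed scenario: a cross-domain request without dataType receives a
// text/javascript response. Returns the verdict before and after hardening.
function demo(versionString) {
  const unsafe = wouldAutoExecute({ crossDomain: true }, 'text/javascript');
  const hardened = wouldAutoExecute(
    hardenCrossDomain({ crossDomain: true }), 'text/javascript');
  return { flagged: isVersionFlagged(versionString), unsafe, hardened };
}

console.log(demo('2.1.3'));
```

The point for the dispute discussed later in this thread: a version-only scanner cannot observe whether such a prefilter (or an equivalent server-side change) is in place, so `isVersionFlagged('2.1.3')` stays true even when `wouldAutoExecute` is false for the hardened settings. Evidence for a scanner, if a vendor claims mitigation, has to describe which of these two things changed.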

  • Hi,

    A number of things to look at:

    1/. what is your current XG version?

    2/. have you talked to your reseller/partner?

    3/. you could experiment with v17.5 beta-2 while waiting for answers

    Ian

  • I'm in the same boat.  Did you find a solution yet?

  • In reply to rfcat_vk:

    rfcat_vk

    1/. what is your current XG version?

    2/. have you talked to your reseller/partner?

    3/. you could experiment with v17.5 beta-2 while waiting for answers

    1) Mix of 17.1 MR 3 and I tried one at MR4 with no change

    2) No, not much they can do if it's a Sophos problem.

    3) These are production networks hosting Exchange, multiple websites, a bunch of B2B VPNs, etc.  Don't really want to try beta software, although if it's fixed in the next version then I guess I can wait.

  • In reply to AllanD:

    I'm running SFOS 17.1.3 MR-3

  • Apparently this is patched.  Just dispute the finding with Trustwave.

    See KB from Sophos here:

    https://community.sophos.com/kb/en-us/132741

  • In reply to rfcat_vk:

    Maybe somebody with 17.5 can check with Firefox. Open the console using the built-in web developer tools and enter

    jQuery.fn.jquery

  • In reply to JonathanP:

    so it is fixed but still reporting wrong? Bad fix I'd say...

  • In reply to JonathanP:

    Well, I don't have a lot of faith that the problem wasn't reintroduced in MR3.  It wouldn't be the first time I've seen something fixed in an MR then come right back in the next one.

    I'll send the KB link to the scanning company and see if they'll pass it.

  • In reply to JonathanP:

    I sent the link to the scanning company and they don't like it.  They asked me to provide the current version of jQuery actually running on the box.  So I opened our user portal in Chrome then opened up the developer tools.  On the console tab I typed in jQuery.fn.jQuery and it returned "2.1.3".

    Not sure how they are mitigating the problem but their explanation isn't going to work for my PCI scanning company.  Anyone running 7.5 that can try doing the same?

  • In reply to AllanD:

    SFOS 17.5 is running 2.1.3 according to jQuery.fn.jQuery

  • In reply to AllanD:

    I just installed 17.5 last night and getting:

    jQuery.fn.jquery
    "2.1.3"

    I also got the same comment back from scanning company.

  • In reply to JonathanP:

    Thanks for checking guys.

    Well this is no good....I can't exactly disable my user portal.  Although if Sophos would fix it so it didn't show up on every external IP address at least I would have less violations (currently being flagged 5 times for the same thing since it seems we can't lock down the user portal to a single IP address).

    How do we get Sophos to take action on this?  Submit a bug to support?

    Edit: I'm opening a support case, suggest others do the same.

  • In reply to AllanD:

    It doesn't seem like Sophos really understands this issue from the client's perspective.  PCI compliance isn't optional if you take credit cards, and disputing scan results can be near impossible to win depending on what it is.

  • In reply to Bill Roland:

    What I don't understand is they put out an advisory that says it's a false positive with no information about how they mitigated the vulnerability while still running the old version.  If they actually described what they did I might be able to get the scanning company to pass it, but their article leaves a lot to be desired.

  • In reply to AllanD:

    I did not dig too deep into this issue/challenge, but as far as I know, the product is hardened. So basically, if the PCI scan only checks for the version, which I assume, it will most likely point out the "FP". But we fixed the "capability" of using this CVE.

    So what I would like to know is: how did the PCI-DSS audit point out that the CVE is still affected?

    Most likely, because it is fast and simple, they only scan the version, not the "real capability of using the vulnerability".