Failing PCI Scans because of outdated jQuery in User Portal - Is there a fix?

Apparently this is patched.  Just dispute the finding with Trustwave. 

See KB from Sophos here:

https://community.sophos.com/kb/en-us/132741

I sent the link to the scanning company and they don't like it.  They asked me to provide the current version of jQuery actually running on the box.  So I opened our user portal in Chrome then opened up the developer tools.  On the console tab I typed in jQuery.fn.jQuery and it returned "2.1.3".

Not sure how they are mitigating the problem but their explanation isn't going to work for my PCI scanning company.  Anyone running 7.5 that can try doing the same?

The problem is you are the one providing the firewall, you are running the outdated jQuery software, you should be the ones that can provide what you did to make it secure or at least some information.  It shouldn't be up to me or the PCI scanning company.  They identified you are running a outdated version with a specific vulnerability and are asking you for information on how it was fixed other then "its a false positive".  For all they know you did nothing and just put up a article saying its a false positive.

And the reason this is important is because this XG product suffers from lots of other vulnerabilities that need manual intervention to fix.  Like the fact it supports 3DES encryption, TLS1.0, TLS1.1, and HTTP Track/Trace all by default and all that fail PCI compliance scans.  All these things need to be manually turned off through the console and get re-enabled every time there is a firmware update.

You should talk to your Sales Rep about this to get a proper answer to this topic. 

LuCar Toni said:

You should talk to your Sales Rep about this to get a proper answer to this topic. 

Please don't take this wrong but I came to these forums for a answer.  When that wasn't looking very positive I put in a support request.  So if you, a Sophos staff member, cannot answer the question here and your support people (case #8496846) can't answer the question through their channels then the only reason I would be contacting my sales rep is to find alternatives to your product.

With that said it is not something I want to do, especially after investing in 3 XG's and 12 - 14 REDs.  I like the product overall but for a security appliance it seems to have a decent amount of security related issues.

I am here in my free time without any relation to the support and product management. Just trying to help people in getting some answers. 

PS: The point about sales rep is to follow up the Support Case to get a proper "official" answer. 

Here's the response I got back from my scanning company after I filed the dispute:

In order for us to properly process this dispute, we require the full jQuery version currently running on this system.

I opened a support ticket and got the following email this morning as well which doesn't help. :

I have confirmed with our global escalations team (GES) that the XG is patched since MR2 however the detection will falsely be detected. 

It it scheduled to be fixed in 18.5, however this may change and we do not have a set date for when this will be released. 

Please let me know if you have any further questions, or if you are happy for the case to be archived?

Hi Allen ,

Please private message me such cases with Case# so we would track this and link these issues.

Hey AllanD,

This thread seems to have de-railed somewhat. Let me try to put some tracks under it again.

As you should expect, this report was already known to us, and some of the confusion comes from there being multiple CVEs reported in the initial reports we received, and this wasn't a simple case of "critical vuln found, fix immediately".  

CVE-2016-10707 was found to be a false positive on XG, because the version of jquery we use is not affected, despite early reports to the contrary. You can find some comments on this buried here: https://github.com/jquery/jquery/issues/3133  Specifically: "The range in the database is incorrect, the only affected version is 3.0.0-rc.1. Both the earlier 2.1.x, 2.2.x & 3.0.0-beta1 and the later 3.0.0 don't exhibit the issue."

Originally, a range of affected versions were reported, but later, this was reduced to just one version, which is not the version XG is using. If this cve is being flagged, it is a false positive on the part of your auditor, likely because it is using the originally mis-reported list of affected versions. The link above should help with supporting material for this.

The other item is CVE-2015-9251, does affect the version XG is using, and that library is potentially vulnerable to a XSS attack - depending on implementation. XG's implementation does not allow it to access any external content, thus the risk has always been fully mitigated, lowering the priority to update. We will eventually upgrade to a newer version of jquery, but we're not ready for that effort just yet, so as a further interim step, in v17.1 MR2, we back-ported the fix from a later version, to the version we are running. As of v17.1 MR2, XG is not even theoretically affected, though because the version number remains the same, this will likely need to be addressed explicitly in your audits. 

Hopefully that clarifies things a bit, and I'll follow up internally, to make sure that our KB articles are adequately detailed, to cover what I've said above. 

One final note, though..

AllanD said:

And the reason this is important is because this XG product suffers from lots of other vulnerabilities that need manual intervention to fix.  Like the fact it supports 3DES encryption, TLS1.0, TLS1.1, and HTTP Track/Trace all by default and all that fail PCI compliance scans.

That info is outdated. I'm not sure when this changed, but it's been a while, and doing a quick sanity check, my firewalls all report an A ('T' actually, but 'A' if certificate trust issues are ignored) on qualys ssl test site. None of the issues you mention are present in their report. you might want to have another look at that.

(snip bunch of tech stuff)

Thank you for the additional information.  I will submit this to our scanning company and go from there.  This is what they want to know, the KB article is extremely vague...they read it and said there is nothing substantial in the article to change my failing grade.  And your support people just keep pointing me to the KB article or telling me it will be upgraded to 3.* with version 18.0 and they have no ETA.

I'm sorry but you are incorrect on this.  The reason none of these things are in the report is because I keep manually fixing them.  For example I just upgraded a XG310 from 17.1 MR3 -> MR4:

I then re-run a PCI compliance scan.  Here is the results.  The IP address in question ends in .98:

I highlighted the failures on 3DES and TLS 1.0.  So I telnet in and check the appache httpd.conf file and this is whats in it:

Sure enough all those protocols are reenabled on each firmware upgrade.  I then have to manually edit that file to remove 3DES, TLSv1, TLSv1.1, and TraceTrack so it looks like this:

and restart the services (per the instructions your support people gave me and I blogged about here). I then rescan and I no longer fail due to those items:

So this issue has been around since v16.01 and has required a manual editing of that file for every firmware upgrade on every XG box we have.  This has been going on for at least two years now.  So I stand by my "this XG product suffers from lots of other vulnerabilities that need manual intervention to fix" comment.  If you have a better solution I'd love to hear it because I purposely don't do firmware updates as often as I should because I know I have to do this afterward every time.  And I'm not the only one this is affecting based on my previous forum post about it.

(Side note:  My other failures stem from the scanning company not liking our SSL with multiple subject alternative names....they are going to allow us to dispute those.  The RED devices on port 3400 are taking some arguing since you guys are using a self signed certificate for those).

hmm.. there's definitely something wrong on your system. I'll post the un-edited contents of my httpd.conf below, and you can see that only TLS 1.2 is allowed, and only a limited set of ciphers. I'm running 17.5 GA, but I went back and checked, and we removed TLS 1.0 and 1.1, and a bunch of ciphers in 16.01, MR2 (NC-8116). You can see it mentioned in the release notes here: https://community.sophos.com/products/xg-firewall/b/xg-blog/posts/sfos-16-01-3-mr2-released. 

If you spin up a new VM, you should be able to see the same thing I'm seeing. I can't explain why your system is behaving differently, but if you can confirm that what you're seeing, and what I'm seeing are in fact the same thing, then open a support case, and PM me the case number. I'll make sure it's escalated and we look into it. 

Here's the settings from my systems:

<VirtualHost _default_:${userportal_listen_port}>
Include /_conf/httpd/conf/userportal_alias.conf
SSLProtocol -all +TLSv1.2
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!EXP:!NULL:!ADH
SSLEngine on
SSLCertificateFile "${SSLCertificateFileWithPath}"
SSLCertificateKeyFile "${SSLCertificateKeyFileWithPath}"
SSLCACertificatePath "/conf/certificate/cacerts"
Include /_conf/httpd/conf/userportal-static.conf
</VirtualHost>

hmm.. there's definitely something wrong on your system. I'll post the un-edited contents of my httpd.conf below, and you can see that only TLS 1.2 is allowed, and only a limited set of ciphers. I'm running 17.5 GA, but I went back and checked, and we removed TLS 1.0 and 1.1, and a bunch of ciphers in 16.01, MR2 (NC-8116). You can see it mentioned in the release notes here: https://community.sophos.com/products/xg-firewall/b/xg-blog/posts/sfos-16-01-3-mr2-released. 

If you spin up a new VM, you should be able to see the same thing I'm seeing. I can't explain why your system is behaving differently, but if you can confirm that what you're seeing, and what I'm seeing are in fact the same thing, then open a support case, and PM me the case number. I'll make sure it's escalated and we look into it. 

Here's the settings from my systems:

<VirtualHost _default_:${userportal_listen_port}>
Include /_conf/httpd/conf/userportal_alias.conf
SSLProtocol -all +TLSv1.2
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!EXP:!NULL:!ADH
SSLEngine on
SSLCertificateFile "${SSLCertificateFileWithPath}"
SSLCertificateKeyFile "${SSLCertificateKeyFileWithPath}"
SSLCACertificatePath "/conf/certificate/cacerts"
Include /_conf/httpd/conf/userportal-static.conf
</VirtualHost>

I'm having the same issue.  I've got an xg 450.  I recently updated to 17.5.  After the update I had to edit httpd config as well.

For example the original cypher line:

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS

Modified cypher line:

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

SSLProtocol all -SSLv2 -SSLv3

Modified protocols line:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

I'm sorry AlanT but I don't believe this is an isolated issue. And the fact that JonathanP is having the same issue should be some confirmation.  I have had this issue, again, for two years. It affects my XG310 which is what I just demonstrated above and also both of my XG125w's.  One of the 125 was just purchased last September so it probably started with a late version of 16 or a very early version of 17.  three different firewalls, all installed at different times, all having the same exact issue. This is not a bug with my hardware but something wrong with your software or the upgrade process.

I'm wondering if the hardware appliances only have the issue with editing httpd?  Maybe the VM's don't have the same issue. 

FYI:

I just did the Qualsys SSL check with our XG210 and 17.5 GA:

TLS seems to be ok

But some weak cipher suites are enabled

Overall rating is T but would be A if trust issues are ignored.

I did not change anything in config files etc.

Regards, Jelle

AlanT of course spinning up a new VM is going to work, because it's not dragging around legacy configuration from successive upgrades since AllenD installed his XG with whatever version it came with.

There seems to be a common misconception that client systems like AllenD are broken. They aren't. Their state is merely different from a clean install due to all those state changes made during each version upgrade.

What's really needed is a full configuration export that allows for full configuration import to be performed from a clean install, which would help prevent artefacts from affecting configuration, make fault repeatability achievable (ideally) and enable fault analysis to be conducted on a non-production system.

Until that's in place all these XGs are essentially sacred cow pets, rather than the cattle they should be. 

The real issue I see is on each firmware upgrade its going back to a non-secure configuration which to me means that's the default config within the firmware.  If it defaulted to what AlanT posted that would be great but it doesn't and has never done so.  It also should be noted that when I contacted support, again almost two years ago, they were aware of the issue and gave me the instructions on changing it manually.  So it's not like this isn't a known issue.

AllanD I believe what you are saying but how come that I don't see this? So it can't be a default config as it should be the same here then.

I'd say there is more to this than only a default config. Maybe different configs in the firmware based upon some prerequisites?

We are talking about the WAF? 

AllanD can you show us, which TLS Version you select in GUI?

TLS v1.2:

AllanD I believe what you are saying but how come that I don't see this? So it can't be a default config as it should be the same here then.

I'd say there is more to this than only a default config. Maybe different configs in the firmware based upon some prerequisites?

I don't know.  But I can tell you, with two of my firewalls starting around 16.01 and the third starting around 17.00, and all the firmware upgrades in between, I've had to manually make this change around 30 times.  The httpd file gets reset every time to that old insecure version.

FYI - We are way off topic from the original jQuery issue but this is definitely another issue that needs to be fixed.  I wonder how many other people have the same problem but just don't know since they arn't subject to PCI compliance scans and are assuming their firewall "just works".

FYI:

I just did the Qualsys SSL check with our XG210 and 17.5 GA:

TLS seems to be ok

But some weak cipher suites are enabled

Overall rating is T but would be A if trust issues are ignored.

I did not change anything in config files etc.

Regards, Jelle

I saw the same results when I tested my XG135.  Haven't tested my XG210 yet, but I may later.