Failing PCI Scans because of outdated jQuery in User Portal - Is there a fix?

Apparently this is patched.  Just dispute the finding with Trustwave. 

See KB from Sophos here:

https://community.sophos.com/kb/en-us/132741

I sent the link to the scanning company and they don't like it.  They asked me to provide the current version of jQuery actually running on the box.  So I opened our user portal in Chrome then opened up the developer tools.  On the console tab I typed in jQuery.fn.jQuery and it returned "2.1.3".

Not sure how they are mitigating the problem but their explanation isn't going to work for my PCI scanning company.  Anyone running 7.5 that can try doing the same?

You should talk to your Sales Rep about this to get a proper answer to this topic. 

LuCar Toni said:

You should talk to your Sales Rep about this to get a proper answer to this topic. 

Please don't take this wrong but I came to these forums for a answer.  When that wasn't looking very positive I put in a support request.  So if you, a Sophos staff member, cannot answer the question here and your support people (case #8496846) can't answer the question through their channels then the only reason I would be contacting my sales rep is to find alternatives to your product.

With that said it is not something I want to do, especially after investing in 3 XG's and 12 - 14 REDs.  I like the product overall but for a security appliance it seems to have a decent amount of security related issues.

I am here in my free time without any relation to the support and product management. Just trying to help people in getting some answers. 

PS: The point about sales rep is to follow up the Support Case to get a proper "official" answer. 

Here's the response I got back from my scanning company after I filed the dispute:

In order for us to properly process this dispute, we require the full jQuery version currently running on this system.

I opened a support ticket and got the following email this morning as well which doesn't help. :

I have confirmed with our global escalations team (GES) that the XG is patched since MR2 however the detection will falsely be detected. 

It it scheduled to be fixed in 18.5, however this may change and we do not have a set date for when this will be released. 

Please let me know if you have any further questions, or if you are happy for the case to be archived?

Hi Allen ,

Please private message me such cases with Case# so we would track this and link these issues.

Hey AllanD,

This thread seems to have de-railed somewhat. Let me try to put some tracks under it again.

As you should expect, this report was already known to us, and some of the confusion comes from there being multiple CVEs reported in the initial reports we received, and this wasn't a simple case of "critical vuln found, fix immediately".  

CVE-2016-10707 was found to be a false positive on XG, because the version of jquery we use is not affected, despite early reports to the contrary. You can find some comments on this buried here: https://github.com/jquery/jquery/issues/3133  Specifically: "The range in the database is incorrect, the only affected version is 3.0.0-rc.1. Both the earlier 2.1.x, 2.2.x & 3.0.0-beta1 and the later 3.0.0 don't exhibit the issue."

Originally, a range of affected versions were reported, but later, this was reduced to just one version, which is not the version XG is using. If this cve is being flagged, it is a false positive on the part of your auditor, likely because it is using the originally mis-reported list of affected versions. The link above should help with supporting material for this.

The other item is CVE-2015-9251, does affect the version XG is using, and that library is potentially vulnerable to a XSS attack - depending on implementation. XG's implementation does not allow it to access any external content, thus the risk has always been fully mitigated, lowering the priority to update. We will eventually upgrade to a newer version of jquery, but we're not ready for that effort just yet, so as a further interim step, in v17.1 MR2, we back-ported the fix from a later version, to the version we are running. As of v17.1 MR2, XG is not even theoretically affected, though because the version number remains the same, this will likely need to be addressed explicitly in your audits. 

Hopefully that clarifies things a bit, and I'll follow up internally, to make sure that our KB articles are adequately detailed, to cover what I've said above. 

One final note, though..

AllanD said:

And the reason this is important is because this XG product suffers from lots of other vulnerabilities that need manual intervention to fix.  Like the fact it supports 3DES encryption, TLS1.0, TLS1.1, and HTTP Track/Trace all by default and all that fail PCI compliance scans.

That info is outdated. I'm not sure when this changed, but it's been a while, and doing a quick sanity check, my firewalls all report an A ('T' actually, but 'A' if certificate trust issues are ignored) on qualys ssl test site. None of the issues you mention are present in their report. you might want to have another look at that.

(snip bunch of tech stuff)

Thank you for the additional information.  I will submit this to our scanning company and go from there.  This is what they want to know, the KB article is extremely vague...they read it and said there is nothing substantial in the article to change my failing grade.  And your support people just keep pointing me to the KB article or telling me it will be upgraded to 3.* with version 18.0 and they have no ETA.

I'm sorry but you are incorrect on this.  The reason none of these things are in the report is because I keep manually fixing them.  For example I just upgraded a XG310 from 17.1 MR3 -> MR4:

I then re-run a PCI compliance scan.  Here is the results.  The IP address in question ends in .98:

I highlighted the failures on 3DES and TLS 1.0.  So I telnet in and check the appache httpd.conf file and this is whats in it:

Sure enough all those protocols are reenabled on each firmware upgrade.  I then have to manually edit that file to remove 3DES, TLSv1, TLSv1.1, and TraceTrack so it looks like this:

and restart the services (per the instructions your support people gave me and I blogged about here). I then rescan and I no longer fail due to those items:

So this issue has been around since v16.01 and has required a manual editing of that file for every firmware upgrade on every XG box we have.  This has been going on for at least two years now.  So I stand by my "this XG product suffers from lots of other vulnerabilities that need manual intervention to fix" comment.  If you have a better solution I'd love to hear it because I purposely don't do firmware updates as often as I should because I know I have to do this afterward every time.  And I'm not the only one this is affecting based on my previous forum post about it.

(Side note:  My other failures stem from the scanning company not liking our SSL with multiple subject alternative names....they are going to allow us to dispute those.  The RED devices on port 3400 are taking some arguing since you guys are using a self signed certificate for those).

hmm.. there's definitely something wrong on your system. I'll post the un-edited contents of my httpd.conf below, and you can see that only TLS 1.2 is allowed, and only a limited set of ciphers. I'm running 17.5 GA, but I went back and checked, and we removed TLS 1.0 and 1.1, and a bunch of ciphers in 16.01, MR2 (NC-8116). You can see it mentioned in the release notes here: https://community.sophos.com/products/xg-firewall/b/xg-blog/posts/sfos-16-01-3-mr2-released. 

If you spin up a new VM, you should be able to see the same thing I'm seeing. I can't explain why your system is behaving differently, but if you can confirm that what you're seeing, and what I'm seeing are in fact the same thing, then open a support case, and PM me the case number. I'll make sure it's escalated and we look into it. 

Here's the settings from my systems:

<VirtualHost _default_:${userportal_listen_port}>
Include /_conf/httpd/conf/userportal_alias.conf
SSLProtocol -all +TLSv1.2
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!EXP:!NULL:!ADH
SSLEngine on
SSLCertificateFile "${SSLCertificateFileWithPath}"
SSLCertificateKeyFile "${SSLCertificateKeyFileWithPath}"
SSLCACertificatePath "/conf/certificate/cacerts"
Include /_conf/httpd/conf/userportal-static.conf
</VirtualHost>

I'm having the same issue.  I've got an xg 450.  I recently updated to 17.5.  After the update I had to edit httpd config as well.

For example the original cypher line:

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS

Modified cypher line:

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

SSLProtocol all -SSLv2 -SSLv3

Modified protocols line:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

I'm having the same issue.  I've got an xg 450.  I recently updated to 17.5.  After the update I had to edit httpd config as well.

For example the original cypher line:

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS

Modified cypher line:

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

SSLProtocol all -SSLv2 -SSLv3

Modified protocols line:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1