Sophos XG v18 MR1-396 Failing SecurityMetrics PCI Compliance Scans

Question

I recently upgraded my XG from v17.5 MR12 to v18.1 MR1-396. Everything went mostly fine other then some clean up. However I just had my PCI compliance scan done and it's failing due to "CPU Based Vulnerabilities for Linux 3.0":

I asked them if there was a port open or not and they said it looks like it's coming from the firewall itself. I asked what I can do and they said upgrade the firmware to the latest version to which I told them I already have. Now I'm kinda stuck because they can't pass me with the issue but I also really don't want to wipe and go back to 17.5 MR12. 
 
 Any options? Is anyone else having this issue on 18 that wasn't on 17?

FormerMember · Accepted Answer

Hi AllenD 
 Thank you for reaching out to the Community! 
 You can check the Linux kernel version by running the following commands on your firewall: uname -a or uname -r from the advanced shell. 
 XG125_XN03_SFOS 18.0.1 MR-1-Build396# uname -a Linux localhost 4.14.38 #2 SMP Fri Jun 5 22:28:42 UTC 2020 x86_64 GNU/Linux 
 XG v18 does not use Linux kernel 3.0, as you can see in the above result. 
 I would advise you to contact your PCI compliance auditor to check how they have got this result? 
 Thanks,

Prism · Answer

I'm almost sure it's a false positive. 
 Doing a tcp/ip fingerprint scan with nmap shows my XG box as: 
 
 Device type: phone Running: Google Android 7.X, Linux 3.X OS CPE: cpe:/o:google:android:7.1.2 cpe:/o:linux:linux_kernel:3.10 
 
 Also, as shown before by , XG v18 MR-1 uses Linux 4.14.38. 
 
 Thanks!

Sophos XG v18 MR1-396 Failing SecurityMetrics PCI Compliance Scans

Top Replies