Balance failing PCI compliance scans

PCI compliance is a requirement for our business and most businesses that accept credit cards. We are required to pass a quarterly scan. The Peplink Balance router is causing the scan to fail. Surely this is impacting other customers. Please update the firmware to use jQuery 3.0 or later.

THREAT REFERENCE

Summary:
vulnerable jQuery version: 1.12.4

Risk: High (3)
Port: 443/tcp
Protocol: tcp
Threat ID: web_lib_jquery

Details: Two vulnerabilities fixed in jQuery 3.0.0
01/23/18
CVE-2015-9251
CVE-2016-10707
Two vulnerabilities were fixed in jQuery 3.0.0.
First, jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Second, jQuery 3.0.0-rc.1 and before 3.0.0 is vulnerable to Denial of Service (DoS) due to the removal of logic that lowercased attribute names.
Any attribute getter using a mixed-cased name for boolean attributes goes into an infinite recursion, exceeding the stack call limit.

Information From Target:
Service: https
Sent:
GET /MANGA/jquery.js?$Name: HTTP/1.0
Host: c-73-2-195-8.hsd1.tn.comcast.net

Received:
/*! jQuery v1.12.4 ? (c) jQuery Foundation ? License | jQuery */

1 Like

Which Balance Model and Firmware version did this fail against?

2 Likes

Model Peplink Balance One
Hardware Revision 3
Serial Number 192C-2AFE-9A99
Firmware 7.1.0 build 3433
PepVPN Version 7.0.0

Thanks

1 Like

Hello Cover,

About CVE-2015-9251:
This affects cross-site requests, but our firmware doesn't make cross-site requests to unknown 3rd parties.
It should also be noted that we are using jQuery 1.x, so our code shouldn’t be affected by this vulnerability as this affects jQuery2 & jQuery3.

About CVE-2016-10707:
This is from jQuery 3.0.0 rc1, so it expects jQuery 3.x. However, as we are using jQuery 1.x we shouldn’t be affected by this vulnerability either.

2 Likes

Hi Zach,

Thanks for looking into this. I am happy to accept your answers regarding the CVEs. The trouble is convincing the PCI compliance scan vendors, in our case https://www.controlscan.com, that the CVEs should not be flagged or that an exception should be allowed for Peplink routers.

From a business standpoint, we need to “pass” their PCI scan and this flag on the Balance router is the only thing standing in the way. We do not have the expertise to effectively argue with them about jQuery.

I have to think that other Peplink customers have or will be affected by this. Google quickly turns up the same issue for users of Magento and other products.

Can you contact ControlScan to explain why the CVEs don’t apply in this case? Or give us something official on paper (PDF?) that we can send to them?

Thanks,
Michael

2 Likes

Hi Michael,

Zach’s response is posted on Peplink’s forum and so you can consider this as official. Please forward this page to someone at ControlScan and connect the two teams so that we can have a direct dialog. Thanks.

You can copy us at [email protected].

2 Likes

I am not sure if this issue was ever resolved by putting the two teams in touch…but we had a similar issue recently with all of our clients using Peplink Surf SoHo routers. Specifically, the automated scan was failing with the same two jQuery version vulnerabilities being reported. For us at least, changing the web admin page port to 1313 was enough to hide these vulnerabilities (whether they actually exist or not) from the scanner and receive a PASS. Upon speaking with ControlScan after the fact to try and garner some more info on why they were reported in the first place, no one seemed to really care one way or the other if the scan was generating false positives. The only response we got was essentially "If we can't see it, it doesn't exist". Regardless, that's been our experience. Hope it helps someone out there.

1 Like

Thanks for that tip. We worked around the scan by turning off remote administration on the router. With remote admin off, the scan no longer failed with this issue.

1 Like
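The scanner check quoted in the first post is a simple banner match: it requests /MANGA/jquery.js over HTTPS and reads the version out of the file's header comment. The workarounds in the replies (moving the admin port, turning off remote admin, a local-service firewall rule) all work by making that request fail. The script below is an added example, not Peplink's or ControlScan's code; it reproduces the same probe so you can confirm a workaround from an outside host before paying for a rescan. The path and banner format are taken from the scan output in this thread; the 3.0.0 threshold is the fix version the report names, and the host/port defaults, the `assess()` wording and the sample banner are assumptions constructed for the example. A PASS from this probe only means the scanner can no longer see the banner; it says nothing about whether the two CVEs actually apply to the admin UI.

```python
"""Reproduce the ControlScan jQuery banner check against a router admin port.

Added example (not Peplink or ControlScan code). The request path and the
banner format come from the scan output quoted in this thread; everything
else (defaults, messages, sample data) is assumed for illustration.
"""
import http.client
import re
import ssl
import sys

# The scan report says both CVEs were fixed in jQuery 3.0.0, so the
# web_lib_jquery check fires on anything below that.
FIXED_IN = (3, 0, 0)

# Path the scanner requested, copied from the "Sent:" section of the report.
JQUERY_PATH = "/MANGA/jquery.js"

# Constructed sample of the first line the router served (assumed; the real
# banner quoted in the thread was partially mis-encoded).
SAMPLE_BANNER = "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */"

_BANNER_RE = re.compile(r"jQuery v(\d+)\.(\d+)\.(\d+)")


def parse_jquery_version(body):
    """Return (major, minor, patch) from a jQuery header comment, or None."""
    m = _BANNER_RE.search(body)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_flagged(version):
    """True if the scanner would report this version (anything before 3.0.0)."""
    return version is not None and version < FIXED_IN


def fetch_jquery_banner(host, port=443, timeout=5.0):
    """Fetch the start of jquery.js over HTTPS, exactly as the scanner does.

    Returns the response text, or None when nothing answered at all
    (refused, filtered, timed out). That None is the outcome every
    workaround in the thread is trying to produce. Certificate checks are
    disabled because the router's admin UI uses a self-signed certificate.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", JQUERY_PATH, headers={"Host": host})
        resp = conn.getresponse()
        # Only the header comment matters; 256 bytes is plenty.
        return resp.read(256).decode("latin-1", errors="replace")
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def assess(body):
    """Classify a response the way the scan report would (wording assumed)."""
    if body is None:
        return "PASS: admin interface not reachable (nothing answered)"
    version = parse_jquery_version(body)
    if version is None:
        return "PASS: no jQuery banner served at %s" % JQUERY_PATH
    text = "%d.%d.%d" % version
    if is_flagged(version):
        return "FAIL: jQuery %s is below 3.0.0 (web_lib_jquery)" % text
    return "PASS: jQuery %s" % text


if __name__ == "__main__":
    # Usage: python probe.py <router-wan-host> [port]
    # Run it from outside the LAN, since the scanner probes the WAN side.
    if len(sys.argv) < 2:
        print(assess(SAMPLE_BANNER))  # demonstrate on the constructed sample
    else:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(assess(fetch_jquery_banner(sys.argv[1], port)))
```

Run it against the WAN address from a host outside your network, once before and once after the change; if you moved the admin UI to another port (as in the 1313 workaround above), probe both the old port and the new one, because the scanner may find the new port too if it scans the full port range.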

The local service firewall rules added in 8.01B2 also solve this issue, as you can block general remote access but allow specific IPs easily. This is for PepVPN handshake and data ports, remote admin and DNS server. I just passed a Trustwave PCI scan on 70+ units I upgraded over the weekend.

2 Likes