Balance failing PCI compliance scans


#1

PCI compliance is a requirement for our business and most businesses that accept credit cards. We are required to pass a quarterly scan. The Peplink Balance router is causing the scan to fail. Surely this is impacting other customers. Please update the firmware to use jQuery 3.0 or later.

THREAT REFERENCE

Summary:
vulnerable jQuery version: 1.12.4

Risk: High (3)
Port: 443/tcp
Protocol: tcp
Threat ID: web_lib_jquery

Details: Two vulnerabilities fixed in jQuery 3.0.0
01/23/18
CVE 2015-9251
CVE 2016-10707
Two vulnerabilities were fixed in jQuery 3.0.0.
First, jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Second, jQuery 3.0.0-rc.1 and before 3.0.0 is vulnerable to Denial of Service (DoS) due to removing a logic that lowercased attribute names.
Any attribute getter using a mixed-cased name for boolean attributes goes into an infinite recursion, exceeding the stack call limit.

Information From Target:
Service: https
Sent:
GET /MANGA/jquery.js?$Name: HTTP/1.0
Host: c-73-2-195-8.hsd1.tn.comcast.net

Received:
/*! jQuery v1.12.4 ? © jQuery Foundation ? jquery.org/license */


#2

Which Balance Model and Firmware version did this fail against?


#3

Model Peplink Balance One
Hardware Revision 3
Serial Number 192C-2AFE-9A99
Firmware 7.1.0 build 3433
PepVPN Version 7.0.0

Thanks


#4

Hello Cover,

About CVE-2015-9251:
This affects cross-site requests, but our firmware didn’t do cross-site requests for unknown 3rd party requests.
It should also be noted that we are using jQuery 1.x, so our code shouldn’t be affected by this vulnerability as this affects jQuery2 & jQuery3.

About CVE-2016-10707:
This is from jQuery 3.0.0 rc1, so it expects jQuery 3.x. However, as we are using jQuery 1.x we shouldn’t be affected by this vulnerability either.
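
One way to check a web UI's own JavaScript for the pattern the scan report describes (a cross-domain Ajax request made without the dataType option), as an added example that is not part of the thread and is not Peplink's or ControlScan's code. The function names, the `router.example` origin and the sample call sites are constructed for illustration, and the matching is a regex heuristic, so hits are leads for manual review.

```javascript
'use strict';
// Heuristic audit (added example): list jQuery Ajax call sites that match the
// scan's description of CVE-2015-9251, i.e. a cross-domain request made
// without a dataType. Regex-based, so treat hits as leads for manual review.

// Text of the balanced "(...)" argument list whose "(" is at openIdx.
function argList(src, openIdx) {
  let depth = 0;
  for (let i = openIdx; i < src.length; i++) {
    if (src[i] === '(') depth++;
    else if (src[i] === ')' && --depth === 0) return src.slice(openIdx + 1, i);
  }
  return src.slice(openIdx + 1); // unbalanced input: take the rest
}

// Absolute or protocol-relative URL whose origin differs from the UI's.
function isCrossDomain(url, uiOrigin) {
  if (!/^(https?:)?\/\//i.test(url)) return false; // relative: same origin
  return new URL(url, uiOrigin).origin !== uiOrigin;
}

function auditAjaxCalls(src, uiOrigin) {
  const findings = [];
  const callRe = /(?:\$|jQuery)\.(ajax|get|post)\s*\(/g;
  let m;
  while ((m = callRe.exec(src)) !== null) {
    const args = argList(src, callRe.lastIndex - 1);
    const typed = /\bdataType\s*:/.test(args) ||
      /,\s*(['"])(xml|json|script|html|text|jsonp)\1\s*$/.test(args);
    if (typed) continue; // explicit dataType: response type is not guessed
    const line = src.slice(0, m.index).split('\n').length;
    const url = args.match(/(?:\burl\s*:\s*|^\s*)(['"])(.*?)\1/);
    if (!url) findings.push({ line, call: m[1], reason: 'dynamic-url' });
    else if (isCrossDomain(url[2], uiOrigin))
      findings.push({ line, call: m[1], reason: 'cross-domain', url: url[2] });
  }
  return findings;
}

// Constructed sample; router.example stands in for the device's own origin.
const SAMPLE = [
  '$.ajax({ url: "/cgi-bin/status", type: "GET" });',
  '$.ajax({ type: "GET", url: "https://stats.example/ping" });',
  '$.ajax({ url: "https://stats.example/ping", dataType: "json" });',
  '$.get("//cdn.example/data", function (d) { render(d); });',
  'jQuery.post(endpoint, payload);',
].join('\n');

console.log(auditAjaxCalls(SAMPLE, 'https://router.example'));
```

Calls reported as `dynamic-url` build their URL at run time, so the script cannot tell where they go and they need a manual look.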


#5

Hi Zach,

Thanks for looking into this. I am happy to accept your answers regarding the CVEs. The trouble is convincing the PCI compliance scan vendors, in our case https://www.controlscan.com, that the CVEs should not be flagged or an exception should be allowed for Peplink routers.

From a business standpoint, we need to “pass” their PCI scan and this flag on the Balance router is the only thing standing in the way. We do not have the expertise to effectively argue with them about jQuery.

I have to think that other Peplink customers have or will be affected by this. Google quickly turns up the same issue for users of Magento and other products.

Can you contact ControlScan to explain why the CVEs don’t apply in this case? Or give us something official on paper (PDF?) that we can send to them?

Thanks,
Michael


#6

Hi Michael,

Zach’s response is posted on Peplink’s forum and so you can consider this as official. Please forward this page to someone at ControlScan and connect the two teams so that we can have a direct dialog. Thanks.

You can copy us at support@peplink.com.