Tenable Research Release Highlights

Forum Discussion

iparker1
Product Team
4 years ago

New Medium severity TLS 1.1 deprecated Nessus plugin and SSL detection Nessus plugin severity increase

Rationale

Tenable will be publishing a new Medium severity Nessus plugin 157288 "TLS Version 1.1 Protocol Deprecated" to help users identify TLS servers that support TLS 1.1, which is now considered deprecated. This new plugin will allow our users to identify the servers in their environment that support this deprecated TLS protocol. They are then enabled to make informed risk decisions about upgrading, retiring, or strengthening protections around these TLS servers with a defense-in-depth architecture.

This new plugin will be functionally identical to Nessus plugin 121010, except that it will be Medium severity instead of Informational. At some point in the future, Tenable will be deprecating plugin 121010, as this new plugin will effectively replace it.

Tenable will also be updating the severity of Nessus plugin 20007 "SSL Version 2 and 3 Protocol Detection" from the existing CVSSv2 7.1 (High) and CVSSv3 7.5 (High) to a new severity of CVSSv2 10.0 (Critical) and CVSSv3 9.8 (Critical).

Impact

Plugin 157288 "TLS Version 1.1 Protocol Deprecated" - Tenable Research has identified that approximately 49% of servers that support SSL/TLS have support for TLS 1.1 enabled. This will manifest in a new Medium severity plugin firing for the majority of users scanning SSL/TLS servers.

Plugin 20007 "SSL Version 2 and 3 Protocol Detection" - Tenable Research has identified that approximately 5% of servers that support SSL/TLS have support for SSL enabled. This will manifest in existing findings from this plugin with a High severity increasing to Critical severity for approximately half of users scanning SSL/TLS servers.

New Nessus plugins

  • 157288 TLS Version 1.1 Protocol Deprecated | CVSSv2 6.1 (Medium) | CVSSv3 6.5 (Medium)

Updated Nessus plugins

  • 20007 SSL Version 2 and 3 Protocol Detection | CVSSv2 10.0 (Critical) | CVSSv3 9.8 (Critical)

Target Release Date

Monday, April 4th, 2022

6 Replies

  • Anonymous

    We have done all the registry edits and disabled TLS 1.0 and 1.1, but we're still getting hits using all the "TLS" plugins. Does anyone know exactly where ACAS is looking to determine if TLS 1.0 and/or 1.1 is being used?

    • nandrade
      Connect Contributor

      We are also experiencing the same issue. TLS 1.1 is disabled via the registry but still showing up.

    • Anonymous

      Hi, did you get this resolved, as I have the same issue? I made the GPO changes in SCHANNEL\Protocols\TLS1.0\Client and SCHANNEL\Protocols\TLS 1.0\Server, but it still flags up on the Nessus scan.
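The announcement above describes plugins that report which SSL/TLS versions a server still accepts, and the replies ask where the scanner "looks" after the SCHANNEL registry edits. A remote, unauthenticated check can only observe what the listener negotiates on the wire, so the two views can disagree when a registry key is misspelled, applied only to the Client subkey, or not yet picked up by a service that has not restarted. The following PowerShell is an added example written for this discussion; it is not Tenable's, Nessus's or ACAS's code. It dumps the SCHANNEL protocol keys for every protocol and side, then attempts a handshake pinned to each version against a listener, which is the same kind of evidence a network scanner collects. `$Target` and `$Port` are placeholders; run it as Administrator for the registry part, and run the handshake part from a host whose own Client subkeys still permit the versions being probed, otherwise the probe fails on the client side and looks like a rejection.

```powershell
# Added example (not Tenable's code): compare the registry view of SCHANNEL
# protocol settings with what a listener actually negotiates on the network.
# Assumptions: Windows PowerShell 5.1 or later, run as Administrator;
# $Target / $Port below are placeholders for the listener under test.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3')

function Get-SchannelProtocolState {
    # Reports Enabled / DisabledByDefault for the Client and Server subkey of
    # each protocol. A missing key means "OS default"; on older Windows builds
    # the default still leaves TLS 1.0 and 1.1 enabled on the server side.
    foreach ($proto in $Protocols) {
        foreach ($side in @('Client', 'Server')) {
            $key = Join-Path $SchannelRoot "$proto\$side"
            $enabled = $null; $disabledByDefault = $null
            $present = Test-Path $key
            if ($present) {
                $props             = Get-ItemProperty -Path $key
                $enabled           = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                KeyPresent        = $present
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

function Test-TlsVersionAccepted {
    param(
        [string]$Target,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Version
    )
    # Attempts a handshake restricted to one protocol version. Certificate
    # validation is skipped on purpose: the question is whether the version is
    # negotiated at all, not whether the chain is trusted. The Reason field
    # distinguishes a server rejection from a client-side refusal (for example
    # a version the probing host itself has disabled or .NET no longer offers).
    $client = $null
    try {
        $client   = New-Object System.Net.Sockets.TcpClient($Target, $Port)
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Target, $null, $Version, $false)
        [pscustomobject]@{ Version = $Version; Accepted = $true;  Negotiated = $ssl.SslProtocol; Reason = '' }
    } catch {
        [pscustomobject]@{ Version = $Version; Accepted = $false; Negotiated = $null; Reason = $_.Exception.Message }
    } finally {
        if ($client) { $client.Dispose() }
    }
}

# 1. Registry view: what the GPO / registry edits actually wrote.
Get-SchannelProtocolState | Format-Table -AutoSize

# 2. Network view: the evidence a scanner reporting deprecated versions relies on.
$Target = 'server.example.internal'   # placeholder
$Port   = 443                         # placeholder
foreach ($v in @([System.Security.Authentication.SslProtocols]::Ssl3,
                 [System.Security.Authentication.SslProtocols]::Tls,
                 [System.Security.Authentication.SslProtocols]::Tls11,
                 [System.Security.Authentication.SslProtocols]::Tls12)) {
    Test-TlsVersionAccepted -Target $Target -Port $Port -Version $v
}
```

Read the two tables together: a Server subkey with Enabled = 0 and DisabledByDefault = 1 but a handshake that still succeeds usually points at a key under the wrong name (note the reply above uses both "TLS1.0" and "TLS 1.0"), at a change that needs a reboot or service restart to take effect, or at a listener that does not use SCHANNEL at all (Java, OpenSSL-based or appliance services carry their own TLS configuration and ignore these keys).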

  • What about the severity rating for TLS 1.0? Will that be increased to High? It's still a Medium, though it's considered very obsolete and insecure. In fact, back in January of 2021 the NSA urged companies and agencies to update from TLS 1.0 and 1.1 to 1.2 and 1.3. I'm surprised Tenable has kept plugin 104743 (TLS 1.0 Detection) as a Medium Risk Factor.