Forum Discussion
Scanning with Nessus DCOM Hardening
Tenable is updating Nessus plugin libraries to allow customers to harden their servers against a Microsoft DCOM authentication bypass vulnerability without impacting scan coverage.
In June of this year (2021), Microsoft published KB5004442 in response to CVE-2021-26414, an authentication bypass vulnerability in Windows DCOM components. Microsoft’s knowledge base article describes upcoming changes to the default DCOM authentication level and how users can protect themselves from this vulnerability using a new Windows registry value.
Tenable is upgrading the authentication level used by DCOM-based plugins so that they will work when targeting servers that are hardened to protect against CVE-2021-26414. With this change, these plugins will continue to work after the default DCOM authentication level has changed.
Potential Impacts:
Customers may experience slightly longer scan times against Windows targets. Our tests indicate that for these targets, scans may take a little over 2% longer.
Only plugins that use WMI for vulnerability detection or to gather information about the host or the scan will be affected. This change will also have a minimal effect on Windows malware scanning.
Tenable Plugins
Plugin ID Script Name
================================================================================
69556 Active Directory - Enumerate User Account Policy
60023 ActiveSync Data Collect
150713 Adobe Premiere Elements Installed (Windows)
90427 Amazon Web Services EC2 Instance Metadata Enumeration (Windows)
141262 Apache HTTP Server Installed (Windows)
34096 BIOS Info (WMI)
136761 BitDefender Endpoint Security Tools Detection (Windows)
140578 CBS Removed Package Enumeration (Windows Event Log Tool)
24270 Computer Manufacturer Information (WMI)
24282 Data Execution Prevention (DEP) is Disabled
152357 Detect Unmanaged Software Install Location (Windows)
55472 Device Hostname
139785 DISM Package List (Windows)
71246 Enumerate Local Group Memberships
72684 Enumerate Users via WMI
108711 ESXi Detection via VMWare Tools CMD execution
52668 F-Secure Anti-Virus Detection and Status
138853 F-Secure PSB Computer Protection (Windows)
99170 Google Cloud Platform Compute Engine Instance Metadata Enumeration (Windows)
102992 Intel Active Management Technology (AMT) detection
118238 JAR File Detection for Windows
148499 Java Detection and Identification (Windows)
143590 JFrog Artifactory Installed (Windows)
56467 Last Boot Time (WMI)
24871 Logical Drive Insecure Filesystem Enumeration (WMI)
59275 Malicious Process Detection
87955 McAfee Agent Detection
87923 McAfee Application Control / Change Control Installed
148846 McAfee MVISION Endpoint Security Installed (Windows)
100131 McAfee Security Scan Plus Detection
99172 Microsoft Azure Instance Metadata Enumeration (Windows)
51902 Microsoft System Center Configuration Manager Database Information
137565 Microsoft Windows 7 / Server 2008 R2 ESU Status Check
92370 Microsoft Windows ARP Table
70625 Microsoft Windows AutoRuns Scheduled Tasks
92375 Microsoft Windows Current Sessions
92377 Microsoft Windows Current Users Last Password Change
92371 Microsoft Windows DNS Cache
92372 Microsoft Windows NetBIOS over TCP/IP Info
70329 Microsoft Windows Process Information
70331 Microsoft Windows Process Module Information
70330 Microsoft Windows Process Unique Process Name
34252 Microsoft Windows Remote Listeners Enumeration (WMI)
92373 Microsoft Windows SMB Sessions
40477 Modem Enumeration (WMI)
147021 MySQL Server Installed (Windows)
34220 Netstat Portscanner (WMI)
24272 Network Interfaces Enumeration (WMI)
142481 NVIDIA CUDA Toolkit Installed (Windows)
123686 Oracle Glassfish Installed (Windows)
124651 Oracle Java File Detection for Windows (deprecated)
124175 Oracle MySQL Connectors Installed (Windows)
148845 Palo Alto Cortex XDR Agent Installed (Windows)
57030 Patch Management: Missing updates from SCCM
73636 Patch Management: SCCM Computer Info Initialization
58186 Patch Management: SCCM Report
57029 Patch Management: SCCM Server Settings
146386 PsTools File Detection for Windows
97666 Siemens SIMATIC Logon Authentication Bypass
97667 Siemens SIMATIC Logon Detection
124650 Slack Installed (Windows)
55438 SMB : Disable the C$ and ADMIN$ shares after the scan (WMI)
55437 SMB : Enable the C$ and ADMIN$ shares during the scan (WMI)
42897 SMB Registry : Start the Registry Service during the scan (WMI)
42898 SMB Registry : Stop the Registry Service after the scan (WMI)
24271 SMB Shares File Enumeration (via WMI)
134050 Spring Projects Windows Detection
144455 Start disabled Server Service during the scan (WMI)
144456 Stop the Server Service after the scan (WMI)
50658 Stuxnet Worm Detection (uncredentialed check)
118226 Super Micro Detection (Windows)
101160 Telerik UI for ASP.NET AJAX Installed
24274 USB Drives Enumeration (WMI)
133843 VMware Carbon Black Cloud Endpoint Standard Installed (Windows)
48337 Windows ComputerSystemProduct Enumeration (WMI)
100994 Windows Credential Guard Disabled
131023 Windows Defender Installed
72482 Windows Display Driver Enumeration
24273 Windows OS Not Activated (WMI)
63619 Windows OS Partial Product Key (WMI)
139239 Windows Security Feature Bypass in Secure Boot (BootHole)
152100 Windows SeriousSAM HiveNightmare Registry Read Vulnerability
85736 Windows Store Application Enumeration
25197 Windows Wireless SSID (WMI)
45050 WMI Anti-spyware Enumeration
45051 WMI Antivirus Enumeration
24269 WMI Available
43830 WMI Bluetooth Network Adapter Enumeration
73437 WMI EMET Configuration Enumeration
51187 WMI Encryptable Volume Enumeration
45052 WMI Firewall Enumeration
61797 WMI Firewall Rule Enumeration
71637 WMI IIS ISAPI Extension Enumeration
135860 WMI Not Available
52001 WMI QuickFixEngineering (QFE) Enumeration
51186 WMI Trusted Platform Module Enumeration
44871 WMI Windows Feature Enumeration
Target Release Date
Immediate
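One way to check, on a Windows server, whether the KB5004442 hardening is in force and whether any client (a scanner included) is still activating DCOM below the required authentication level. This is an added example, not Tenable's or Microsoft's code; the registry value name, the provider name and event ID 10036 come from Microsoft's KB5004442 rather than from this post, and the 7-day window is an arbitrary assumption.

```powershell
# Added example: report the DCOM hardening state (KB5004442) on the local host.
# Registry path/value and event ID are from Microsoft's KB5004442, not from this page.
$RegPath   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$ValueName = 'RequireIntegrityActivationAuthenticationLevel'

function Get-DcomHardeningState {
    # Value absent: the OS default for the installed update level applies.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'NotConfigured'
    }
    switch ([int]$item.$ValueName) {
        1       { 'Enabled' }
        0       { 'Disabled' }
        default { "Unexpected($_)" }
    }
}

function Get-DcomLowAuthEvents {
    # Server-side event that KB5004442 defines for activation requests made
    # below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. $Days is an assumed look-back window.
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$events = @(Get-DcomLowAuthEvents)

# Summary first, then the individual events (message text names the user and client address).
[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    HardeningState = Get-DcomHardeningState
    LowAuthEvents  = $events.Count
} | Format-List

$events | Format-List
```

A non-zero `LowAuthEvents` count on a hardened server points at clients that still need updating; the event messages identify which ones.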
1 Reply
- cezar1 (Connect Captain)
Thank you!