Forum Discussion
Security End-of-Life Plugins
Target Release Date: Immediate
Change
Tenable Research is releasing a new dynamic and well-defined framework for detecting Security End-of-Life (SEoL) vulnerabilities. It abstracts various terminologies, such as End of Life, Unsupported, End of Support, etc., and provides a clear definition that serves as the basis for SEoL detection plugins. The new framework defines SEoL as the state in the Security Maintenance Lifecycle when a product no longer receives security updates.
Impact
Tenable Research is implementing a new policy that informs the SEoL plugin framework design. To better inform the impact of SEoL products in our customer environments, Tenable is adopting a strategy that allows plugin severity to be more flexible and encourages scaling up instead of down. For this reason, net-new SEoL plugins will default to the INFO severity value.
The new SEoL plugins can be identified by the Plugin Name attribute - it will contain “SEoL”, such as “Apache httpd SEoL (2.1.x <= x <= 2.2.x)”. Alternatively, they can be identified through the “unsupported_by_vendor: true” plugin attribute.
Additional Notes
Please note that any existing plugins for the SEoL use case containing “Unsupported” in the plugin name will be converted according to the new “SEoL” plugin specification or enter the deprecation process. Plugin severity will retain its originating value during these conversions.
A public Knowledge Article was published to help answer any questions regarding the new plugins. For a more detailed description of the problem and Tenable’s solution, please refer to the blog - What Security Leaders Need to Know About Security End of Life: How Tenable is Leading the Way.
12 Replies
This is going to cause us a lot of issues and will greenwash our environment - i.e. make our vulnerability state look much better than it would otherwise be.
Especially because individual vulnerabilities will get rolled up into a single SEoL plugin.
I don't understand why the severities are going to default as informational? If a product is out of support the community has to assume the worst - i.e. the product is vulnerable to unknown vulnerabilities.
I'm going to have to now continually work out any new SEoL plugins and recast them to Critical. I wouldn't be annoyed if I could do a filter on recasts, such as any plugin name that contains SEoL recast as critical, but I can't even do that...
Please give us an opt-out option or invest in the recast usability; this is such an awful update.
- zcerkovnik (Employee)
Thank you for your input. As a trusted partner, we are aware of the impact our products can have on customer operations and hence are extremely mindful when making any updates. Please be assured that current EoL (“Unsupported”) plugins will remain at the same severity in the new framework. For net-new SEoL coverage that we will add in the future, defaulting to an INFO level severity is a step towards providing data-driven risk guidance for this vulnerability category. Plugins will start off with INFO severity, but Tenable will update severities as we deem appropriate based on various factors.
We are exploring a future state where SEoL plugin severities scale proportional to their real-time risk, powered by Tenable’s rich vulnerability intelligence capabilities. For more information, please refer to the blog post accompanying this release.
The goal of publishing SEoL detection plugins by version branch, where applicable, is to provide more granular visibility into their timeliness and allow for atomic risk assessment.
Please open a Suggestion in Tenable’s Suggestion portal for enhanced recast functionality. Depending on your product, there may be related topics with other customer sponsorship, such as Suggestion ID IOCORE-I-63. Doing so will empower you to track Suggestions as they progress through their status lifecycle.
We are not changing our strategy for coverage of CVEs as they relate to the SEoL plugin.
- cezar1 (Connect Captain)
Just having old software is not a vulnerability until it's vulnerable, so INFO as the default is not such a bad idea.
How do you know if it is vulnerable or not if the vendor doesn't acknowledge vulnerabilities in its end-of-life software?
- adam_walter (Connect Contributor III)
I don't see the dashboards mentioned in the blog post. Should they be available to customers yet?
- adam_walter (Connect Contributor III)
@Ziga Cerkovnik hoping you can help with this question?
Many thanks.
- ashman_dodd (Connect Contributor)
From what I have found out, there are no dashboards or modules for this. I asked various engineers, support, and other Tenable representatives. I think this announcement may have gone out before it was supposed to. What I have done, with feedback from an engineer on the Tenable Live Hour call, was to create a dashboard component based on a filter for plugin name contains "SEoL".
This should return all current known and future EoL software plugins as they are released.
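The announcement gives two ways to identify SEoL plugins (the "SEoL" name pattern and the `unsupported_by_vendor` attribute), and several posters want those findings filtered and recast to a locally chosen severity. The Python below, an added example rather than Tenable's code or any poster's, implements both identification signals, parses the version branch from the plugin name, and applies a policy-driven recast over constructed sample findings; the record layout, field names and sample values are assumptions, not a Tenable export format.

```python
import re

# Constructed sample findings (not real scan output). Field names are assumed.
SAMPLE_FINDINGS = [
    {"name": "Apache httpd SEoL (2.1.x <= x <= 2.2.x)", "severity": "Info",
     "attributes": {"unsupported_by_vendor": True}, "installed": "2.2.34"},
    {"name": "Legacy OS Unsupported Installation Detection", "severity": "Critical",
     "attributes": {"unsupported_by_vendor": True}, "installed": "5.2"},
    {"name": "Apache httpd Multiple Vulnerabilities", "severity": "High",
     "attributes": {}, "installed": "2.4.1"},
]

# Matches the announcement's naming convention, e.g. "SEoL (2.1.x <= x <= 2.2.x)".
RANGE_RE = re.compile(r"SEoL \((\d[\d.]*)\.x <= x <= (\d[\d.]*)\.x\)")


def is_seol(finding):
    """True if either identification signal from the announcement is present."""
    by_name = "SEoL" in finding.get("name", "")
    by_attr = finding.get("attributes", {}).get("unsupported_by_vendor") is True
    return by_name or by_attr


def branch_range(name):
    """Return (low_branch, high_branch) parsed from the plugin name, or None."""
    m = RANGE_RE.search(name)
    return (m.group(1), m.group(2)) if m else None


def _vtuple(version):
    return tuple(int(p) for p in version.split("."))


def version_in_branch(installed, low, high):
    """Check 'low.x <= installed <= high.x' by comparing on branch-length prefixes."""
    iv, lo, hi = _vtuple(installed), _vtuple(low), _vtuple(high)
    return lo <= iv[: len(lo)] and iv[: len(hi)] <= hi


def recast_seol(findings, policy_severity="Critical"):
    """Apply a local policy: every SEoL finding gets policy_severity, original kept."""
    out = []
    for f in findings:
        if is_seol(f):
            out.append({**f, "severity": policy_severity, "recast_from": f["severity"]})
        else:
            out.append(dict(f))
    return out


def seol_summary(findings):
    """Counts per reported severity, the figure a dashboard widget would show."""
    counts = {}
    for f in findings:
        if is_seol(f):
            counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts
```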
- adam_walter (Connect Contributor III)
We've been informed that these dashboards are only available to customers who have migrated over to the new dashboard platform, so I believe customers with fewer than 1000 assets have been migrated and should have these widgets available. I would ask your contacts when your account is due to be migrated to give you an idea of when these should show up for you.
- mike_varga (Connect Contributor IV)
Unsupported was Critical. SEoL is showing as Critical, but you're saying it should be Info.
I have a few questions.
Will Cisco EOL plugins be renamed as SEoL and recast to INFO?
We have a very strict workflow that identifies "Unsupported" issues and pressures case holders to address the issues without delay. If you're changing the severity to default as 'info', this needs to be a setting/preference in the tool to set that IAW our own internal policies. Manually recasting plugins is not an acceptable workflow, as it is labor intensive and prone to mistakes.
I understand that some organizations don't care to address EOL software/hardware. Those who do, however, rely on this information being enumerated properly.