Microsoft
Nessus now has Entra LAPS Support

Summary: Nessus now has the ability to leverage accounts managed by Microsoft Entra LAPS.

How LAPS works: Since LAPS managed accounts have their passwords rotated routinely, users cannot simply provide the credentials directly in their Scan Policy. Before this change, users instead had to create an additional privileged account on each LAPS-enabled host to provide to Nessus. Now that Nessus can communicate with an Entra LAPS setup, customers no longer need to have or provide those extra privileged accounts. This means less exposure and less redundancy in a customer’s environment.

Change: With this LAPS support change, during the startup phase of a scan, Nessus will reach out to a Microsoft Entra tenant and pull a list of all local admin accounts managed by LAPS. Nessus will then attempt to use these Entra-provided, LAPS-managed accounts as credentials when accessing a target host. The LAPS credentials found are not stored or kept in the scanner configuration in any way and only exist in memory at runtime. Each time a scan is initiated with LAPS support enabled, it does a fresh pull of credentials.

How to enable it: To make use of Nessus’ Entra LAPS support, customers need a Registered App in their Entra tenant with the DeviceLocalCredential.Read.All permission. This Registered App permission is what allows an app to access the LAPS managed accounts. Customers with an existing Registered App can configure it for use in Nessus by granting it the DeviceLocalCredential.Read.All permission, allowing Nessus to access LAPS data. Customers without a Registered App will need to create a new one and provide it as a [Cloud Services Microsoft Azure/Entra Credential] in their Scan Policy.

For additional information see: https://docs.tenable.com/identity-exposure/3_x/Content/Admin/entra_id_support.htm#Configure-Microsoft-Entra-ID-settings and https://docs.tenable.com/vulnerability-management/Content/Settings/Credentials/CreateManagedCredential.htm

Impact: Customers using rotating host passwords managed through Microsoft Entra LAPS can now leverage these credentials in their Nessus scans for more secure scanning configurations.

Target Release Date: Immediate
Tenable Intune MDM Integration: Application Authentication

Summary
In order to modernize our authentication standards, Tenable is announcing a new authentication option for the Intune Mobile Device Management (MDM) integration, called “application” authentication.

Details
When configuring an Intune Mobile credential, it is now possible to select between “user” and “application” authentication types. With user authentication, a user account is required as well as application credentials. With application authentication, the scanner requests API data on behalf of the application and not a user, so application credentials are required but user credentials are not. Please note that the application authentication type requires a specific permissions configuration: permissions must be of type “Application” rather than “Delegated”. Updates have been made to the Tenable and Microsoft Intune Mobile Device Management Integration Guide to provide steps to configure authentication. For more information on the differences between user and application access scenarios, please refer to the Microsoft documentation: https://learn.microsoft.com/en-us/entra/identity-platform/permissions-consent-overview#access-scenarios

Impact
Customers are not required to update configurations at this time; existing scans will continue to use user authentication. We encourage customers to review the updated documentation. Customers who plan to enforce mandatory multi-factor authentication (MFA) for user accounts may wish to change to application authentication.

Release Date
7 April 2025 for Nessus and TVM, TBD for Security Center
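Both the Entra LAPS announcement and the Intune announcement above come down to what a registered app has actually been granted: DeviceLocalCredential.Read.All for LAPS, and permissions of type Application rather than Delegated for Intune application authentication. The script below is an added example, not Tenable's or Microsoft's code, that audits one app registration's Microsoft Graph grants split by those two types using the Microsoft Graph PowerShell SDK. The Connect-MgGraph scopes and the well-known Microsoft Graph appId are real values; the $AppId parameter is the client ID of your scanner's app registration, and the script assumes the SDK is installed and the signed-in auditor has directory read access.

```powershell
# Added example (not Tenable's or Microsoft's code): list the Microsoft Graph
# permissions actually granted to one Entra app registration, split into
# Application permissions (app role assignments, used by "application" auth)
# and Delegated permissions (OAuth2 permission grants, used by "user" auth).
# Assumptions: Microsoft.Graph PowerShell SDK installed; the caller can read
# applications and service principals in the tenant.
param(
    [Parameter(Mandatory)] [string] $AppId   # client (application) ID of the scanner's registered app
)

Import-Module Microsoft.Graph.Applications

# Read-only scopes are enough to audit grants.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

$graphAppId = '00000003-0000-0000-c000-000000000000'   # well-known appId of Microsoft Graph
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$sp      = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId" }

# Application permissions: app role assignments from this principal onto the Graph principal,
# resolved from role GUIDs to their names (e.g. DeviceLocalCredential.Read.All).
$appPerms = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Where-Object ResourceId -eq $graphSp.Id |
    ForEach-Object {
        $roleId = $_.AppRoleId
        ($graphSp.AppRoles | Where-Object Id -eq $roleId).Value
    }

# Delegated permissions: OAuth2 permission grants (admin- or user-consented scopes).
# These only work when a user signs in, so they do not satisfy "application" authentication.
$delegated = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id |
    Where-Object ResourceId -eq $graphSp.Id |
    ForEach-Object { $_.Scope -split ' ' } |
    Where-Object { $_ }

[pscustomobject]@{
    AppDisplayName         = $sp.DisplayName
    ApplicationPermissions = @($appPerms  | Sort-Object -Unique)
    DelegatedPermissions   = @($delegated | Sort-Object -Unique)
    # Entra LAPS support requires this application permission to be present.
    HasLapsRead            = [bool]($appPerms -contains 'DeviceLocalCredential.Read.All')
}
```

Run it against the scanner's client ID. For Intune application authentication the Intune read permissions must show up under ApplicationPermissions; anything that only appears under DelegatedPermissions is unusable without a signed-in user. Because DeviceLocalCredential.Read.All exposes local administrator passwords for every managed device, the same script is worth running across all app registrations in the tenant to confirm that only the intended scanner app holds it.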
Nessus can now use Kerberos for DCOM Authentication

Summary
Nessus scans that are provided with Windows Kerberos credentials will now use the Kerberos protocol for authentication in plugins that use DCOM or WMI. Kerberos authentication has been available for a long time in Nessus for plugins that only use SMB. Prior to this change, the DCOM/WMI plugins would authenticate using NTLM even if only a Kerberos credential was provided. Microsoft Windows is abandoning NTLM due to security concerns and has recommended host and domain configuration that excludes the use of NTLM.

Change
This implementation of Kerberos for DCOM/WMI only supports the packet integrity authentication level (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY), which is the minimum required since Microsoft hardened DCOM to address CVE-2021-26414. If a server or service requires packet privacy (RPC_C_AUTHN_LEVEL_PKT_PRIVACY), Nessus will not be able to scan it. Following the deprecation of SHA1 hashes, Kerberos will slowly be updated to use SHA2 hashes on Windows and other platforms. At this time the Nessus implementation does not support SHA2 based checksums or encryption. Future Tenable plans include upgrading the Nessus DCOM implementation to use packet privacy and upgrading the Nessus Kerberos implementation to use SHA2 based cryptography.

Target Release Date
Immediate
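To find hosts that the packet-integrity-only implementation described above cannot scan, an administrator can read each host's machine-wide default DCOM authentication level and map it onto the RPC_C_AUTHN_LEVEL_* constants. The script below is an added example, not Nessus code. It assumes that the Component Services "Default Authentication Level" is stored as the LegacyAuthenticationLevel DWORD under HKLM\SOFTWARE\Microsoft\Ole and that its numeric values follow the RPC_C_AUTHN_LEVEL enumeration (packet integrity is 5, packet privacy is 6). The host names in the constructed calls at the end are placeholders.

```powershell
# Added example (not Nessus code). Maps a host's machine-wide default DCOM
# authentication level to its RPC_C_AUTHN_LEVEL_* name and flags hosts that
# require Packet Privacy, which the Kerberos DCOM implementation described
# above does not support.
$AuthnLevelNames = @{
    0 = 'RPC_C_AUTHN_LEVEL_DEFAULT'
    1 = 'RPC_C_AUTHN_LEVEL_NONE'
    2 = 'RPC_C_AUTHN_LEVEL_CONNECT'
    3 = 'RPC_C_AUTHN_LEVEL_CALL'
    4 = 'RPC_C_AUTHN_LEVEL_PKT'
    5 = 'RPC_C_AUTHN_LEVEL_PKT_INTEGRITY'
    6 = 'RPC_C_AUTHN_LEVEL_PKT_PRIVACY'
}

function ConvertTo-DcomAuthnReport {
    # Pure mapping over a raw level value, so it can be applied to a constructed
    # value as well as to a registry read. $Level may be $null (value not set).
    param(
        [string] $ComputerName,
        $Level
    )
    if ($null -eq $Level) {
        $name = 'not set (OS default applies)'
    } elseif ($AuthnLevelNames.ContainsKey([int]$Level)) {
        $name = $AuthnLevelNames[[int]$Level]
    } else {
        $name = "unknown ($Level)"
    }
    [pscustomobject]@{
        ComputerName          = $ComputerName
        LegacyAuthnLevel      = $Level
        LevelName             = $name
        # Scans over Kerberos DCOM will fail against hosts where this is true.
        RequiresPacketPrivacy = ($null -ne $Level -and [int]$Level -eq 6)
    }
}

function Get-DcomDefaultAuthnLevel {
    # Reads LegacyAuthenticationLevel from each host (assumption: this value holds
    # the Component Services "Default Authentication Level"); the local machine is
    # read directly, other names are read over PowerShell remoting.
    param([string[]] $ComputerName = @($env:COMPUTERNAME))
    $read = {
        (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue).LegacyAuthenticationLevel
    }
    foreach ($c in $ComputerName) {
        $raw = if ($c -eq $env:COMPUTERNAME) { & $read } else { Invoke-Command -ComputerName $c -ScriptBlock $read }
        ConvertTo-DcomAuthnReport -ComputerName $c -Level $raw
    }
}

# Local host:
Get-DcomDefaultAuthnLevel

# Constructed values (placeholder host names), to show the mapping without touching the registry:
ConvertTo-DcomAuthnReport -ComputerName 'example-host-a' -Level 5   # scannable: packet integrity
ConvertTo-DcomAuthnReport -ComputerName 'example-host-b' -Level 6   # not scannable: packet privacy
```

A missing value means the operating system default applies rather than an explicit setting, and an individual DCOM application can still demand a higher level through its own AppID configuration, so a host reported as packet integrity here may still have specific services that require packet privacy.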
Unsupported Internet Explorer detection refinement

Summary
Further refinement of this plugin will align detection of unsupported Internet Explorer installations with updated vendor guidance.

Change
Before this update, in accordance with vendor advisory KB5022834 from February 2023, if the registry key HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\NotifyDisableIEOptions was not present or configured, the Unsupported Internet Explorer detection plugin would report an unsupported installation of the product on versions of Windows prior to 11, and on Windows Server. Windows 11 machines could still report this plugin if paranoia was enabled in the scan configuration. After this update, to align detection logic with Microsoft’s Internet Explorer Lifecycle FAQ, the check for this registry key has been removed, as it has been determined that it only affects whether a user is notified that Internet Explorer is disabled. As a result, the plugin will no longer report on Windows 11 devices, or on Windows 10 and Windows Server devices that have a cumulative update superseding the original update that disabled Internet Explorer.

Impact
Fewer reports of unsupported installations of Internet Explorer will show in scan results, since the registry check no longer triggers them.

Plugins
22024 - Microsoft Internet Explorer Unsupported Version Detection

Target Release Date
August 1, 2024
Updates to Detection of Microsoft Internet Explorer Unsupported Version

Plugin
22024 - Microsoft Internet Explorer Unsupported Version Detection

Target Release Date
May 23, 2023

Change
Microsoft recently released an update, KB5022834, that disables Internet Explorer 11 on Windows 10, redirecting users to Microsoft Edge. Nessus plugin 22024, which detects an unsupported version of Internet Explorer on the target host, will no longer fire when the target has this patch installed. Previously, the plugin would fire on all versions of Windows, but would not fire on a Windows machine if Internet Explorer had been redirected to Edge via Group Policy (“Computer Configuration/Administrative Templates/Windows Components/Internet Explorer/Disable Internet Explorer 11 as a standalone browser”) or a registry setting (\HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\NotifyDisableIEOptions). This aspect of the plugin’s behavior will not change in this new release; three additional conditions that prevent the plugin from firing are being added:
- The machine is running Windows 11
- The machine is running Windows 10 and has KB5022834 installed
- The machine has “Reload sites in IE mode“ disabled via Edge Browser Policy

Impact
Customers will no longer see this vulnerability associated with Windows 11, or with Windows 10 machines that have KB5022834 installed, or with any machine that has redirection to IE Mode disabled through Edge Browser Policy. Customers should note that files traditionally associated with Internet Explorer are still present on the filesystem of Windows machines.
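The two Internet Explorer announcements above describe host-side conditions rather than code. The function below is an added example, not plugin 22024, that evaluates those conditions on a host so an administrator can see why the finding is or is not expected there. Beyond what the page states, it assumes that Windows 11 is recognised by OS build 22000 or higher, that the Edge “Reload sites in IE mode” policy is stored as the value InternetExplorerIntegrationReloadInIEModeAllowed under the Edge policy key, and that checking for KB5022834 by name is enough; a later cumulative update that supersedes KB5022834 is not detected by this check.

```powershell
# Added example; not Tenable plugin 22024. Evaluates, on a host, the suppression
# conditions the Internet Explorer detection announcements describe.
function Test-IEUnsupportedSuppression {
    [CmdletBinding()]
    param(
        # Inputs are parameters so the logic can also be run against constructed
        # values; the defaults read the local machine.
        [int]      $BuildNumber       = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber,
        [string[]] $InstalledHotfixes = @(Get-HotFix | Select-Object -ExpandProperty HotFixID),
        [string]   $EdgePolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
        [string]   $IEPolicyKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main'
    )

    $reasons = [System.Collections.Generic.List[string]]::new()

    # May 2023 conditions: Windows 11 never reports (assumption: build >= 22000
    # identifies Windows 11); Windows 10 does not report once KB5022834 is present.
    if ($BuildNumber -ge 22000) {
        $reasons.Add('Windows 11 (build >= 22000)')
    } elseif ($BuildNumber -ge 10240 -and $InstalledHotfixes -contains 'KB5022834') {
        # Caveat: a cumulative update that supersedes KB5022834 is not detected here.
        $reasons.Add('Windows 10 with KB5022834 installed')
    }

    # May 2023 condition: Edge policy has "Reload sites in IE mode" disabled
    # (assumption: value InternetExplorerIntegrationReloadInIEModeAllowed = 0).
    $edge = Get-ItemProperty -Path $EdgePolicyKey -ErrorAction SilentlyContinue
    if ($edge -and $edge.InternetExplorerIntegrationReloadInIEModeAllowed -eq 0) {
        $reasons.Add('Edge policy: reload sites in IE mode disabled')
    }

    # Reported for context only: the August 2024 change removed the check on
    # NotifyDisableIEOptions because the value only controls whether users are
    # notified that Internet Explorer is disabled.
    $ie = Get-ItemProperty -Path $IEPolicyKey -ErrorAction SilentlyContinue
    $notify = if ($ie) { $ie.NotifyDisableIEOptions } else { $null }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        BuildNumber            = $BuildNumber
        FindingExpected        = ($reasons.Count -eq 0)
        SuppressionReasons     = $reasons.ToArray()
        NotifyDisableIEOptions = $notify
    }
}

# Local host:
Test-IEUnsupportedSuppression

# Constructed input: a Windows 10 22H2 build with KB5022834 present and no policy keys,
# which exercises the version logic without reading the local registry.
Test-IEUnsupportedSuppression -BuildNumber 19045 -InstalledHotfixes @('KB5022834') `
    -EdgePolicyKey 'HKLM:\SOFTWARE\example-absent' -IEPolicyKey 'HKLM:\SOFTWARE\example-absent'
```

When FindingExpected is true on a host that is believed to have Internet Explorer disabled, the SuppressionReasons list shows which of the documented conditions did not match, which is usually a faster explanation than enabling plugin debugging and rescanning.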
New CIS Microsoft Windows Server 2022 v1.0.0 Audit Files

Summary
Customers can now measure compliance against the latest release of the Microsoft Windows Server 2022 Benchmark from CIS with the new CIS Microsoft Windows Server 2022 v1.0.0 audits. These audits have been certified through CIS and can be viewed along with Tenable's other certified products at https://www.cisecurity.org/partner/tenable.

Tenable Audit Files
- CIS Microsoft Windows Server 2022 v1.0.0 - Level 1 Domain Controller
- CIS Microsoft Windows Server 2022 v1.0.0 - Level 2 Domain Controller
- CIS Microsoft Windows Server 2022 v1.0.0 - Level 1 Member Server
- CIS Microsoft Windows Server 2022 v1.0.0 - Level 2 Member Server
- CIS Microsoft Windows Server 2022 v1.0.0 - Next Generation Windows Security - Domain Controller
- CIS Microsoft Windows Server 2022 v1.0.0 - Next Generation Windows Security - Member Server

Target Release Date
Immediate
Integration Status Plugin

Summary
Tenable is announcing the release of a new plugin named Integration Status. The purpose of this plugin is to provide users with helpful information regarding success or failure when using one of Tenable’s currently supported PAM, MDM, and/or Patch Management integrations. This gives users a simple way to check the status of an integration without having to enable plugin debugging on a per-host basis. Additionally, it improves scan review and performance. In the event that an integration failed, the user can enable plugin debugging, re-scan, and review logs associated with that integration for more detail.

Tenable will release this plugin feature in two separate releases, based on user demand. Integrations in the initial release include the following.

PAMs
- Arcon
- BeyondTrust Password Safe
- CyberArk (this includes Legacy, non-Legacy, and Dynamic Scanning)
- Delinea Secret Server
- HashiCorp Vault
- QiAnXin
- SenhaSegura
- WALLIX Bastion

MDMs
- AirWatch
- Blackberry UEM
- IBM MaaS360
- Microsoft Intune
- Workspace ONE

Patch Management
- VMware ESX SOAP API
- VMware vCenter API

Integrations that will be released after the initial release include the following.
- Nutanix
- RedHat Satellite Server
- HCL BigFix
- Microsoft SCCM
- Microsoft WSUS

Scope
This plugin reports the success or failure of an integration, based on the intent of the integration. This varies between PAM, MDM, and Patch Management integrations. Here is a synopsis of each integration type.

Tenable’s PAM integrations retrieve account credentials for one or more targets specified in a scan policy and credential. Tenable determines the success or failure of retrieving the credential from a specific PAM within the scope of the Integration Status plugin. NOTE: This plugin does not include authentication success or failure to the target within its scope. Other plugins already exist for this purpose.

Tenable’s MDM integrations retrieve mobile devices and data associated with those devices. Tenable determines success or failure of an MDM integration based on whether devices were retrieved or not.

Tenable Patch Management integrations retrieve patch data from a specific host. In Tenable’s initial release, we’ve included our VMware integrations (ESXi and vCenter). Here are some details regarding the scope of our VMware integrations as they relate to the new plugin. Users that configure one or more VMware vCenter API credentials can expect to see integration success or failure on a per-host basis. If the target is a vCenter host, Tenable determines whether or not authentication to the API was successful. By adding a vCenter host to the target list, users can get a better perspective on the status of the integration's success or failure. If the target is an ESX host, Tenable determines success or failure based on our ability to retrieve VIBs for this host from data we retrieve from the vCenter host that manages it. In addition, we report the associated vCenter host that manages it. Users that configure one or more VMware ESX SOAP API credentials can expect to see success or failure based on Tenable’s ability to gather VIBs directly from the specific ESXi host in the target settings.

Impact
There is no impact to existing scans. If users encounter issues, please open a ticket with Technical Support.

Initial Release Date
July 31, 2024 - Tenable Vulnerability Management, Tenable Nessus, and Tenable Security Center

Remaining Integrations Release Date
2024 Q3 - Tenable Vulnerability Management, Tenable Nessus, and Tenable Security Center
Microsoft’s November 2022 Patch Tuesday Addresses 62 CVEs (CVE-2022-41073)

Microsoft patched 62 CVEs in the November 2022 Patch Tuesday update, including nine rated as critical and 53 rated as important. Four of the vulnerabilities patched this month have been observed exploited in the wild as zero days. Microsoft also released patches for the two zero-day vulnerabilities in Microsoft Exchange Server (CVE-2022-41040 and CVE-2022-41082) disclosed at the end of September. CVE-2022-41049 is a security feature bypass vulnerability affecting Windows Mark of the Web that has been exploited in the wild and for which exploit code is publicly available. Microsoft also patched CVE-2022-41073, an elevation of privilege vulnerability affecting the Windows Print Spooler service. The vulnerability carries a CVSSv3 score of 7.8 and discovery was credited to Microsoft Threat Intelligence Center. For more information about this month's Patch Tuesday release, including Tenable product coverage, please visit our blog.
Microsoft’s June 2020 Patch Tuesday Addresses 129 CVEs Including Newly Disclosed SMBv3 Vulnerability (CVE-2020-1206)

Microsoft continues its streak of patching over 100 CVEs, addressing 129 CVEs in June, including a fix for a new SMBv3 vulnerability dubbed SMBleed. For the fourth month in a row, Microsoft has patched over 100 CVEs, addressing 129 in the June 2020 Patch Tuesday release. The updates this month include patches for Microsoft Windows, Microsoft Edge, ChakraCore, Internet Explorer, Microsoft Office, Microsoft Office Services and Web Apps, Windows Defender, Microsoft Dynamics, Visual Studio, Azure DevOps and Adobe Flash Player. For more information, including a list of some of the most notable CVEs this month, please check out our blog.
Windows Patch Chain Improvements

What’s happening?
Tenable is releasing an update for Windows vulnerability patch chains in order to increase the accuracy of recommended solutions. More accurate solutions will empower teams to make efficient and complete updates to remediate the active vulnerabilities.

Why is this necessary?
Before 2018, the Windows plugins were written for a particular bulletin. From 2018 going forward, the plugins are very specific to a target OS. If patching is significantly out of date, long patch chains may be created for any hosts as part of a bulletin. These hosts may have different solutions, so rolling them up together results in inaccuracies.

How does it work?
Tenable will be introducing a filter to constrain the Windows bulletin patch chains to only the Windows bulletin plugin families. This prevents less specific checks from creating bridges between unrelated operating systems. Additionally, we will be improving the grouping of our plugins to ensure that the chains we create are specific to a particular OS bundle or product. This will split up chains in certain cases, but the resulting separate chains will individually be more accurate.

How does this update affect me?
Customers with findings from plugins for Microsoft Windows Bulletins may see some of those chains broken up into 2 or more chains. As an example, our “Windows 2022 / Azure Stack HCI 22H2” plugins will be grouped into one single chain that will no longer include older versions of Windows or Azure Stack HCI. The older versions will show up in a separate chain or separate set of chains. This change is specific to the Solutions view and does not impact findings. For example, before the change, customers could see many Windows hosts that are not related to the Windows 2022 / Azure Stack HCI Security Update recommended solution. After the change, customers will only see the hosts related to the Windows 2022 / Azure Stack HCI Security Update.

When is Tenable releasing the update?
The target release date is March 18, 2024.

What products does this change affect?
Any Tenable product that uses the Solutions view. This includes:
- Tenable Security Center
- Tenable Lumin

What changes do I need to make?
For SC customers, ensure both the plugin feed and the SC feed have been updated from March 19, 2024 or later. For Lumin customers, no action is required. After the update, the patch chains will be updated on your next scan.

Does Tenable anticipate making additional changes to the patch chains?
We will continue to evaluate the accuracy of the patch chains and make improvements where necessary. Share feedback with your Tenable Customer Success Manager (CSM) if you have concerns or encounter any issues. Future updates will be announced via the same communication channels as this update.