Microsoft
Nessus now has Entra LAPS Support

Summary: Nessus can now leverage accounts managed by Microsoft Entra LAPS.

How LAPS works: Because LAPS-managed accounts have their passwords rotated routinely, users cannot simply provide the credentials directly in their Scan Policy. Before this change, users instead had to create an additional privileged account on each LAPS-enabled host to provide to Nessus. Now that Nessus can communicate with an Entra LAPS setup, customers no longer need to have or provide those extra privileged accounts. This means less exposure and less redundancy in a customer's environment.

Change: With this LAPS support change, during the startup phase of a scan, Nessus reaches out to a Microsoft Entra tenant and pulls a list of all local admin accounts managed by LAPS. Nessus then attempts to use these Entra-provided, LAPS-managed accounts as credentials when accessing a target host. The LAPS credentials found are not stored or kept in the scanner configuration in any way and only exist in memory at runtime. Each time a scan is initiated with LAPS support enabled, it does a fresh pull of credentials.

How to enable it: To make use of Nessus' Entra LAPS support, customers need a Registered App in their Entra tenant with the DeviceLocalCredential.Read.All permission. This Registered App permission is what allows an app to access the LAPS-managed accounts. Customers with an existing Registered App can configure it for use in Nessus by simply granting the Registered App the DeviceLocalCredential.Read.All permission, allowing Nessus to access LAPS data. Customers without a Registered App will need to create a new one, and provide it as a [Cloud Services Microsoft Azure/Entra Credential] in the Scan Policy.
For additional information see: https://docs.tenable.com/identity-exposure/3_x/Content/Admin/entra_id_support.htm#Configure-Microsoft-Entra-ID-settings and https://docs.tenable.com/vulnerability-management/Content/Settings/Credentials/CreateManagedCredential.htm

Impact: Customers whose rotating host passwords are managed through Microsoft Entra LAPS can now leverage these credentials in their Nessus scans for more secure scanning configurations.

Target Release Date: Immediate
Tenable InTune MDM Integration: Application Authentication

Summary
In order to modernize our authentication standards, Tenable is announcing a new authentication option for the InTune Mobile Device Management (MDM) integration, called "application" authentication.

Details
When configuring an InTune Mobile credential, it is now possible to select between "user" and "application" authentication types. With user authentication, a user account is required as well as application credentials. With application authentication, the scanner requests API data on behalf of the application rather than a user, so application credentials are required but user credentials are not. Please note that the application authentication type requires a specific permissions configuration: permissions must be of type "Application" rather than "Delegated". Updates have been made to the Tenable and Microsoft Intune Mobile Device Management Integration Guide to provide steps to configure authentication. For more information on the differences between user and application access scenarios, refer to the Microsoft documentation: https://learn.microsoft.com/en-us/entra/identity-platform/permissions-consent-overview#access-scenarios

Impact
Customers are not required to update configurations at this time; existing scans will continue to use user authentication. We encourage customers to review the updated documentation. Customers who plan to enforce mandatory multi-factor authentication (MFA) for user accounts may wish to change to application authentication.

Release Date
7 April 2025 for Nessus and TVM, TBD for SecurityCenter
Nessus can now use Kerberos for DCOM Authentication

Summary
Nessus scans that are provided with Windows Kerberos credentials will now use the Kerberos protocol for authentication in plugins that use DCOM or WMI. Kerberos authentication has long been available in Nessus for plugins that only use SMB. Prior to this change, the DCOM/WMI plugins would authenticate using NTLM even if only a Kerberos credential was provided. Microsoft Windows is abandoning NTLM due to security concerns and has recommended host and domain configurations that exclude the use of NTLM.

Change
This implementation of Kerberos for DCOM/WMI only supports the packet integrity authentication level (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY), which is the minimum required since Microsoft hardened DCOM to address CVE-2021-26414. If a server or service requires packet privacy (RPC_C_AUTHN_LEVEL_PKT_PRIVACY), Nessus will not be able to scan it. Following the deprecation of SHA1 hashes, Kerberos will gradually be updated to use SHA2 hashes on Windows and other platforms. At this time the Nessus implementation does not support SHA2-based checksums or encryption. Future Tenable plans include upgrading the Nessus DCOM implementation to use packet privacy and upgrading the Nessus Kerberos implementation to use SHA2-based cryptography.

Target Release Date
Immediate
Scanning with Nessus DCOM Hardening

Tenable is updating Nessus plugin libraries to allow customers to harden their servers against a Microsoft DCOM authentication bypass vulnerability without impacting scan coverage. In June of this year (2021), Microsoft published KB5004442 in response to CVE-2021-26414, an authentication bypass vulnerability in Windows DCOM components. Microsoft's knowledge base article describes upcoming changes to the default DCOM authentication level and how users can protect themselves from this vulnerability using a new Windows registry value. Tenable is upgrading the authentication level used by DCOM-based plugins so that they work when targeting servers that are hardened against CVE-2021-26414. With this change, these plugins will continue to work after the default DCOM authentication level has changed.

Potential Impacts: Customers may experience slightly longer scan times against Windows targets. Our tests indicate that for these targets, scans may take a little over 2% longer. Only plugins that use WMI for vulnerability detection or to gather information about the host or the scan will be affected. This change will also have a minimal effect on Windows malware scanning.
Tenable Plugins

Plugin ID  Script Name
================================================================================
69556      Active Directory - Enumerate User Account Policy
60023      ActiveSync Data Collect
150713     Adobe Premiere Elements Installed (Windows)
90427      Amazon Web Services EC2 Instance Metadata Enumeration (Windows)
141262     Apache HTTP Server Installed (Windows)
34096      BIOS Info (WMI)
136761     BitDefender Endpoint Security Tools Detection (Windows)
140578     CBS Removed Package Enumeration (Windows Event Log Tool)
24270      Computer Manufacturer Information (WMI)
24282      Data Execution Prevention (DEP) is Disabled
152357     Detect Unmanaged Software Install Location (Windows)
55472      Device Hostname
139785     DISM Package List (Windows)
71246      Enumerate Local Group Memberships
72684      Enumerate Users via WMI
108711     ESXi Detection via VMWare Tools CMD execution
52668      F-Secure Anti-Virus Detection and Status
138853     F-Secure PSB Computer Protection (Windows)
99170      Google Cloud Platform Compute Engine Instance Metadata Enumeration (Windows)
102992     Intel Active Management Technology (AMT) detection
118238     JAR File Detection for Windows
148499     Java Detection and Identification (Windows)
143590     JFrog Artifactory Installed (Windows)
56467      Last Boot Time (WMI)
24871      Logical Drive Insecure Filesystem Enumeration (WMI)
59275      Malicious Process Detection
87955      McAfee Agent Detection
87923      McAfee Application Control / Change Control Installed
148846     McAfee MVISION Endpoint Security Installed (Windows)
100131     McAfee Security Scan Plus Detection
99172      Microsoft Azure Instance Metadata Enumeration (Windows)
51902      Microsoft System Center Configuration Manager Database Information
137565     Microsoft Windows 7 / Server 2008 R2 ESU Status Check
92370      Microsoft Windows ARP Table
70625      Microsoft Windows AutoRuns Scheduled Tasks
92375      Microsoft Windows Current Sessions
92377      Microsoft Windows Current Users Last Password Change
92371      Microsoft Windows DNS Cache
92372      Microsoft Windows NetBIOS over TCP/IP Info
70329      Microsoft Windows Process Information
70331      Microsoft Windows Process Module Information
70330      Microsoft Windows Process Unique Process Name
34252      Microsoft Windows Remote Listeners Enumeration (WMI)
92373      Microsoft Windows SMB Sessions
40477      Modem Enumeration (WMI)
147021     MySQL Server Installed (Windows)
34220      Netstat Portscanner (WMI)
24272      Network Interfaces Enumeration (WMI)
142481     NVIDIA CUDA Toolkit Installed (Windows)
123686     Oracle Glassfish Installed (Windows)
124651     Oracle Java File Detection for Windows (deprecated)
124175     Oracle MySQL Connectors Installed (Windows)
148845     Palo Alto Cortex XDR Agent Installed (Windows)
57030      Patch Management: Missing updates from SCCM
73636      Patch Management: SCCM Computer Info Initialization
58186      Patch Management: SCCM Report
57029      Patch Management: SCCM Server Settings
146386     PsTools File Detection for Windows
97666      Siemens SIMATIC Logon Authentication Bypass
97667      Siemens SIMATIC Logon Detection
124650     Slack Installed (Windows)
55438      SMB : Disable the C$ and ADMIN$ shares after the scan (WMI)
55437      SMB : Enable the C$ and ADMIN$ shares during the scan (WMI)
42897      SMB Registry : Start the Registry Service during the scan (WMI)
42898      SMB Registry : Stop the Registry Service after the scan (WMI)
24271      SMB Shares File Enumeration (via WMI)
134050     Spring Projects Windows Detection
144455     Start disabled Server Service during the scan (WMI)
144456     Stop the Server Service after the scan (WMI)
50658      Stuxnet Worm Detection (uncredentialed check)
118226     Super Micro Detection (Windows)
101160     Telerik UI for ASP.NET AJAX Installed
24274      USB Drives Enumeration (WMI)
133843     VMware Carbon Black Cloud Endpoint Standard Installed (Windows)
48337      Windows ComputerSystemProduct Enumeration (WMI)
100994     Windows Credential Guard Disabled
131023     Windows Defender Installed
72482      Windows Display Driver Enumeration
24273      Windows OS Not Activated (WMI)
63619      Windows OS Partial Product Key (WMI)
139239     Windows Security Feature Bypass in Secure Boot (BootHole)
152100     Windows SeriousSAM HiveNightmare Registry Read Vulnerability
85736      Windows Store Application Enumeration
25197      Windows Wireless SSID (WMI)
45050      WMI Anti-spyware Enumeration
45051      WMI Antivirus Enumeration
24269      WMI Available
43830      WMI Bluetooth Network Adapter Enumeration
73437      WMI EMET Configuration Enumeration
51187      WMI Encryptable Volume Enumeration
45052      WMI Firewall Enumeration
61797      WMI Firewall Rule Enumeration
71637      WMI IIS ISAPI Extension Enumeration
135860     WMI Not Available
52001      WMI QuickFixEngineering (QFE) Enumeration
51186      WMI Trusted Platform Module Enumeration
44871      WMI Windows Feature Enumeration

Target Release Date
Immediate
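The two DCOM announcements above (Kerberos for DCOM/WMI, and the CVE-2021-26414 hardening) both come down to the RPC authentication level a scanner offers versus the minimum a server enforces. The following is an added example, not Tenable's or Nessus's code: it reads the KB5004442 hardening value from a constructed .reg export, derives the minimum activation level a server will accept, and classifies a constructed host inventory as scannable or blocked for a client that offers at most RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. The RPC_C_AUTHN_LEVEL_* numbers are the Windows rpcdce.h constants; the host list and registry data are sample input.

```python
import re

# RPC_C_AUTHN_LEVEL_* values from Windows rpcdce.h (real constants).
AUTHN_LEVELS = {
    "DEFAULT": 0, "NONE": 1, "CONNECT": 2, "CALL": 3,
    "PKT": 4, "PKT_INTEGRITY": 5, "PKT_PRIVACY": 6,
}
LEVEL_NAMES = {v: f"RPC_C_AUTHN_LEVEL_{k}" for k, v in AUTHN_LEVELS.items()}

# Highest level the Kerberos-for-DCOM implementation described above offers.
SCANNER_MAX_LEVEL = AUTHN_LEVELS["PKT_INTEGRITY"]

# Constructed .reg export. Key and value name are the ones KB5004442
# documents; the data (dword:1 = hardening enabled) is sample input.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]
"RequireIntegrityActivationAuthenticationLevel"=dword:00000001
"""

_REG_VALUE = re.compile(
    r'"RequireIntegrityActivationAuthenticationLevel"=dword:([0-9a-fA-F]{8})'
)


def hardening_setting(reg_text):
    """True/False for the KB5004442 value, or None when it is absent."""
    m = _REG_VALUE.search(reg_text)
    return None if m is None else int(m.group(1), 16) == 1


def server_min_level(reg_text, enforced_by_default):
    """Minimum activation level a server demands.

    The registry value wins; if absent, enforced_by_default models whether the
    host has reached the phase in which Microsoft enforces the hardening by
    default. An unhardened server imposes no minimum (0)."""
    setting = hardening_setting(reg_text)
    if setting is None:
        setting = enforced_by_default
    return AUTHN_LEVELS["PKT_INTEGRITY"] if setting else 0


def activation_accepted(client_level, min_level):
    """DCOM activation succeeds when the client offers at least the minimum."""
    return client_level >= min_level


def scan_plan(hosts, client_level=SCANNER_MAX_LEVEL):
    """Classify inventory entries. Each has the server's enforced minimum and,
    optionally, a stricter per-service requirement (e.g. PKT_PRIVACY)."""
    report = {}
    for h in hosts:
        needed = max(h["min_level"], h.get("service_level", 0))
        if activation_accepted(client_level, needed):
            report[h["name"]] = "scannable"
        else:
            report[h["name"]] = (f"blocked: needs {LEVEL_NAMES[needed]}, "
                                 f"scanner offers {LEVEL_NAMES[client_level]}")
    return report


# Constructed sample inventory (hypothetical host names).
SAMPLE_HOSTS = [
    {"name": "dc01", "min_level": server_min_level(SAMPLE_REG, False)},
    {"name": "legacy-app", "min_level": server_min_level("", False)},
    {"name": "hardened-svc", "min_level": server_min_level(SAMPLE_REG, True),
     "service_level": AUTHN_LEVELS["PKT_PRIVACY"]},
]

if __name__ == "__main__":
    for name, verdict in scan_plan(SAMPLE_HOSTS).items():
        print(f"{name}: {verdict}")
```

Passing AUTHN_LEVELS["CONNECT"] as client_level reproduces the pre-update situation in which a hardened server rejects the plugins.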
Database Audit Plugin Decomposition

Summary
In an effort to simplify plugin operation and support for auditing database systems, the Database Compliance Checks plugin is being separated into individual database system plugins:

IBM DB2 DB Compliance Checks
Microsoft SQL Server DB Compliance Checks
MySQL DB Compliance Checks
Oracle DB Compliance Checks
PostgreSQL DB Compliance Checks
Sybase DB Compliance Checks

By placing the support for specific databases in their own plugin, we are able to better support required system prerequisites, communication, and troubleshooting during the scanning process. The new database plugins will continue to use the current database credentials and will not require the creation of new credentials. The syntax of the audit files that the new plugins run has been standardized and aligned with other content.

Potential Impacts: The current Database Compliance Checks plugin will continue to be supported until July 1, 2024, and will be decommissioned after that time. All active content for the Database Compliance Checks plugin has been converted to the new plugins, and the legacy content display name has been renamed to include the term "Sunset". No new audit content will be published for the Database Compliance Checks plugin. New audit content will be published for the technology-specific plugins and not backported to the Database Compliance Checks plugin. Because the new plugins use a different audit file format, any customer that uses custom audit files is recommended to convert that content to the new plugin format. This ensures the custom audit content uses a supported compliance plugin for the database being audited. A script that can assist in this process is available on the Tenable public GitHub site at https://github.com/tenable/audit_scripts/tree/master/db_audit_migrate. Assistance for the migration script will be available on the Tenable Communities Audit & Compliance site.
Additional information can be found at: https://community.tenable.com/s/article/Database-Compliance-Plugin-Decomposition

Tenable Plugins
33814 - Database Compliance Checks (Deprecation targeting December 31, 2023)
148944 - PostgreSQL DB Compliance Checks
149309 - MySQL DB Compliance Checks
149375 - Oracle DB Compliance Checks
149647 - Microsoft SQL Server DB Compliance Checks
149648 - IBM DB2 DB Compliance Checks
150080 - Sybase DB Compliance Checks

Target Release Date
July 31, 2023
New CIS Microsoft Windows Server 2022 v1.0.0 Audit Files

Summary
Customers can now measure compliance against the latest release of the Microsoft Windows Server 2022 Benchmark from CIS with the new CIS Microsoft Windows Server 2022 v1.0.0 audits. These audits have been certified through CIS and can be viewed along with Tenable's other certified products at https://www.cisecurity.org/partner/tenable.

Tenable Audit Files
CIS Microsoft Windows Server 2022 v1.0.0 - Level 1 Domain Controller
CIS Microsoft Windows Server 2022 v1.0.0 - Level 2 Domain Controller
CIS Microsoft Windows Server 2022 v1.0.0 - Level 1 Member Server
CIS Microsoft Windows Server 2022 v1.0.0 - Level 2 Member Server
CIS Microsoft Windows Server 2022 v1.0.0 - Next Generation Windows Security - Domain Controller
CIS Microsoft Windows Server 2022 v1.0.0 - Next Generation Windows Security - Member Server

Target Release Date
Immediate
Windows Patch Chain Improvements

What's happening?
Tenable is releasing an update for Windows vulnerability patch chains in order to increase the accuracy of recommended solutions. More accurate solutions will empower teams to make efficient and complete updates to remediate active vulnerabilities.

Why is this necessary?
Before 2018, the Windows plugins were written for a particular bulletin. From 2018 onward, the plugins are very specific to a target OS. If patching is significantly out of date, long patch chains may be created for any hosts as part of a bulletin. These hosts may have different solutions, so rolling them up together results in inaccuracies.

How does it work?
Tenable will introduce a filter to constrain the Windows bulletin patch chains to only the Windows bulletin plugin families. This prevents less specific checks from creating bridges between unrelated OSes. Additionally, we will improve the grouping of our plugins to ensure that the chains we create are specific to a particular OS bundle or product. This will split up chains in certain cases, but the resulting separate chains will individually be more accurate.

How does this update affect me?
Customers with findings from plugins for Microsoft Windows Bulletins may see some of those chains broken up into two or more chains. As an example, our "Windows 2022 / Azure Stack HCI 22H2" plugins will be grouped into one single chain that will no longer include older versions of Windows or Azure Stack HCI. The older versions will show up in a separate chain or separate set of chains. This change is specific to the Solutions view and does not impact findings. For example, before the change, customers could see many Windows hosts that are not related to the Windows 2022 / Azure Stack HCI Security Update recommended solution. After the change, customers will only see the hosts related to the Windows 2022 / Azure Stack HCI Security Update.

When is Tenable releasing the update?
The target release date is March 18, 2024.

What products does this change affect?
Any Tenable product that uses the Solutions view. This includes:
Tenable Security Center
Tenable Lumin

What changes do I need to make?
For SC customers, ensure both the plugin feed and the SC feed have been updated from March 19, 2024 or later. For Lumin customers, no action is required. After the update, the patch chains will be updated on your next scan.

Does Tenable anticipate making additional changes to the patch chains?
We will continue to evaluate the accuracy of the patch chains and make improvements where necessary. Share feedback with your Tenable Customer Success Manager (CSM) if you have concerns or encounter any issues. Future updates will be announced via the same communication channels as this update.
Integration Status Plugin

Summary
Tenable is announcing the release of a new plugin named Integration Status. The purpose of this plugin is to provide users with helpful information regarding success or failure when using one of Tenable's currently supported PAM, MDM, and/or Patch Management integrations. This gives users a simple way to check the status of an integration without having to enable plugin debugging on a per-host basis. Additionally, it improves scan review and performance. In the event that an integration failed, the user can enable plugin debugging, re-scan, and review the logs associated with that integration for more detail. Tenable will release this plugin feature in two separate releases, based on user demand.

Integrations in the initial release include the following.

PAMs
Arcon
BeyondTrust Password Safe
CyberArk (this includes Legacy, non-Legacy, and Dynamic Scanning)
Delinea Secret Server
HashiCorp Vault
QiAnXin
SenhaSegura
WALLIX Bastion

MDMs
AirWatch
Blackberry UEM
IBM MaaS360
Microsoft InTune
Workspace ONE

Patch Management
VMware ESX SOAP API
VMware vCenter API

Integrations that will be released after the initial release include the following.
Nutanix
RedHat Satellite Server
HCL BigFix
Microsoft SCCM
Microsoft WSUS

Scope
This plugin reports the success or failure of an integration, based on the intent of the integration. This varies between PAM, MDM, and Patch Management integrations. Here is a synopsis of each integration type.

Tenable's PAM integrations retrieve account credentials for one or more targets specified in a scan policy and credential. Tenable determines the success or failure of retrieving the credential from a specific PAM within the scope of the Integration Status plugin. NOTE: Authentication success or failure against the target itself is outside this plugin's scope; other plugins exist for that purpose.
Tenable's MDM integrations retrieve mobile devices and the data associated with those devices. Tenable determines success or failure of an MDM integration based on whether devices were retrieved or not.

Tenable Patch Management integrations retrieve patch data from a specific host. In Tenable's initial release, we've included our VMware integrations (ESXi and vCenter). Here are some details regarding the scope of our VMware integrations as it relates to the new plugin. Users that configure one or more VMware vCenter API credentials can expect to see integration success or failure on a per-host basis. If the target is a vCenter host, Tenable determines whether or not authentication to the API was successful. By adding a vCenter host to the target list, users can get a better perspective on the status of the integration's success or failure. If the target is an ESX host, Tenable determines success or failure based on our ability to retrieve VIBs for that host from the data we retrieve from the vCenter host that manages it. In addition, we report the associated vCenter host that manages it. Users that configure one or more VMware ESX SOAP API credentials can expect to see success or failure based on Tenable's ability to gather VIBs directly from the specific ESXi host in the target settings.

Impact
There is no impact to existing scans. If users encounter issues, please open a ticket with Technical Support.

Initial Release Date
July 31, 2024 - Tenable Vulnerability Management, Tenable Nessus, and Tenable Security Center

Remaining Integrations Release Date
2024 Q3 - Tenable Vulnerability Management, Tenable Nessus, and Tenable Security Center
Unsupported Internet Explorer detection refinement

Summary
Further refinement of this plugin will align detection of unsupported Internet Explorer installations with updated vendor guidance.

Change
Before this update, in accordance with vendor advisory KB5022834 from February 2023, if the registry key HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\NotifyDisableIEOptions was not present or configured, the Unsupported Internet Explorer detection plugin would report an unsupported installation of the product on versions of Windows prior to 11, and on Windows Server. Windows 11 machines could still report this plugin if paranoia was enabled in the scan configuration. After this update, to align detection logic with Microsoft's Internet Explorer Lifecycle FAQ, the check for this registry key has been removed, as it has been determined that it only affects whether a user is notified that Internet Explorer is disabled. As a result, the plugin will no longer report on Windows 11 devices, or on Windows 10 and Windows Server devices that have a cumulative update superseding the original update that disabled Internet Explorer.

Impact
Fewer reports of unsupported installations of Internet Explorer will show in scan results, since the registry check no longer triggers them.

Plugins
22024 - Microsoft Internet Explorer Unsupported Version Detection

Target Release Date
August 1, 2024
Updates to Detection of Microsoft Internet Explorer Unsupported Version

Plugin
22024 - Microsoft Internet Explorer Unsupported Version Detection

Target Release Date
May 23, 2023

Change
Microsoft recently released an update, KB5022834, that disables Internet Explorer 11 on Windows 10, redirecting users to Microsoft Edge. Nessus plugin 22024, which detects an unsupported version of Internet Explorer on the target host, will no longer fire when the target has this patch installed. Previously, the plugin would fire on all versions of Windows, but would not fire on a Windows machine if Internet Explorer had been redirected to Edge via Group Policy ("Computer Configuration/Administrative Templates/Windows Components/Internet Explorer/Disable Internet Explorer 11 as a standalone browser") or a registry setting (HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\NotifyDisableIEOptions). This aspect of the plugin's behavior will not change in this new release; three additional conditions that prevent the plugin from firing are being added:

The machine is running Windows 11
The machine is running Windows 10 and has KB5022834 installed
The machine has "Reload sites in IE mode" disabled via Edge Browser Policy

Impact
Customers will no longer see this vulnerability associated with Windows 11, with Windows 10 machines that have KB5022834 installed, or with any machine where redirection to IE Mode is disabled through Edge Browser Policy. Customers should note that files traditionally associated with Internet Explorer are still present on the filesystem of Windows machines.
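The two plugin 22024 announcements above (May 2023 and August 2024) each describe a set of conditions under which the unsupported Internet Explorer check fires. The following is an added example, not the plugin's source, that encodes both rule sets over a constructed view of host facts so the effect of dropping the NotifyDisableIEOptions registry check can be compared host by host. HostFacts and its field names are assumptions; the registry value, Group Policy path and KB number are the ones the announcements name.

```python
from dataclasses import dataclass, field

# Registry value and Group Policy path named in the announcements above.
NOTIFY_VALUE = (r"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main"
                r"\NotifyDisableIEOptions")
GPO_DISABLE_IE11 = ("Computer Configuration/Administrative Templates/Windows "
                    "Components/Internet Explorer/"
                    "Disable Internet Explorer 11 as a standalone browser")


@dataclass
class HostFacts:
    """Constructed view of what a credentialed scan learns about one host."""
    os: str                                      # e.g. "Windows 10", "Windows Server 2019"
    installed_kbs: set = field(default_factory=set)
    gpo_ie11_disabled: bool = False              # GPO_DISABLE_IE11 is applied
    notify_disable_ie_options_set: bool = False  # NOTIFY_VALUE present/configured
    edge_reload_in_ie_mode_disabled: bool = False  # Edge "Reload sites in IE mode" off
    cu_supersedes_kb5022834: bool = False        # a later cumulative update is installed
    paranoid: bool = False                       # scan policy paranoia enabled


def _is_win11(h):
    return h.os.startswith("Windows 11")


def _is_win10(h):
    return h.os.startswith("Windows 10")


def _is_server(h):
    return h.os.startswith("Windows Server")


def fires_may_2023(h):
    """Rules after the May 2023 update: the Edge-redirect exclusions (GPO or
    registry value) plus Windows 11 (unless paranoid, per the August notice),
    Windows 10 with KB5022834, and the Edge IE-mode policy."""
    if h.gpo_ie11_disabled or h.notify_disable_ie_options_set:
        return False
    if _is_win11(h) and not h.paranoid:
        return False
    if _is_win10(h) and "KB5022834" in h.installed_kbs:
        return False
    if h.edge_reload_in_ie_mode_disabled:
        return False
    return True


def fires_aug_2024(h):
    """Rules after the August 2024 refinement: the NotifyDisableIEOptions
    check is gone (it only controls a user notification), Windows 11 never
    reports, and Windows 10 / Server hosts with KB5022834 or a superseding
    cumulative update no longer report. The remaining exclusions stay."""
    if _is_win11(h):
        return False
    if (_is_win10(h) or _is_server(h)) and (
            "KB5022834" in h.installed_kbs or h.cu_supersedes_kb5022834):
        return False
    if h.gpo_ie11_disabled or h.edge_reload_in_ie_mode_disabled:
        return False
    return True


def compare(hosts):
    """Map host name -> (fires under May 2023 rules, fires under Aug 2024 rules)."""
    return {name: (fires_may_2023(h), fires_aug_2024(h)) for name, h in hosts.items()}


# Constructed sample hosts.
SAMPLE_HOSTS = {
    "w10-notify-only": HostFacts(os="Windows 10", notify_disable_ie_options_set=True),
    "srv2019-cu": HostFacts(os="Windows Server 2019", cu_supersedes_kb5022834=True),
    "w11-paranoid": HostFacts(os="Windows 11", paranoid=True),
    "w10-patched": HostFacts(os="Windows 10", installed_kbs={"KB5022834"}),
}

if __name__ == "__main__":
    for name, (old, new) in compare(SAMPLE_HOSTS).items():
        print(f"{name}: May 2023 fires={old}, Aug 2024 fires={new}")
```

The first sample host shows the one direction in which the refinement adds a finding: a Windows 10 host that only set the notification value, and has neither KB5022834 nor a superseding update, now reports.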