Research Release Highlight - Updates to detection for XZ...
Research Release Highlight - Updates to detection for XZ utilities and Curl/libcurl Summary Feature and code optimization updates improve detection for XZ utilities and Curl/libcurl for Linux/UNIX and macOS. Change Before this update, the plugin that detected XZ utilities on Linux/UNIX (192709) did not detect the product on macOS. Now, the plugin will detect the product and its vulnerabilities on macOS systems. In addition, due to optimizations added to shared libraries during this update, the plugin that detects Curl and libcurl on Linux/UNIX will be more effective at locating certain installations of that product, such as those that are located in a directory that is symbolically linked. Impact Instances of XZ utilities will be detected on macOS systems. A small number of instances of Curl and libcurl that were not detected previously may be detected now. New vulnerable instances will trigger vulnerability detection plugins as usual. However, if the same vulnerability was previously detected and fixed on other Linux/UNIX machines, the "First Seen" date for the vulnerability might reflect the earlier detection. This could impact the compliance status of the vulnerability. Plugins 192709 - Tukaani XZ Utils Installed (Linux / Unix) 182774 - Curl Installed (Linux / Unix) Target Release Date June 17, 2024Python Unsupported Version Detection Change A new Nessus...
Python Unsupported Version Detection Change A new Nessus plugin is being introduced that will detect unsupported versions of Python running on web servers detected by 122364 that will also attempt to detect backported versions. This new plugin name will be “Python Unsupported Version Detection” and this post will be updated with the plugin ID once the plugin is published to the feed. Update: The plugin ID is 148367 Impact Customers should expect to see additional vulnerability findings of unsupported versions of Python running on web servers. Plugin 148367 - Python Unsupported Version Detection Target Release Date 7 April 2021 Released in feed 202104080559 --------------------------------------------------------------------------------------------------- Tenable Research Release Highlights are posted in advance of significant new releases or updates to existing plugins or audit files that are important for early customer notification.
Juniper Plugin Configuration Detection Improvements Plugins...
Juniper Plugin Configuration Detection Improvements Plugins Plugin ID 121111: Junos OS: pd crash on VPLS PE upon receipt of specific BGP message (JSA10912) Plugin ID 140586: Juniper Junos DNS filtering (JSA11028) Plugin ID 151634: Juniper Junos OS Vulnerability (JSA11193) Target Release Date 18 September 2023 Change A limited scope of Juniper vulnerability detection plugins have been modified to include checks for vulnerable configurations outlined in the associated vendor advisories. Impact In an effort to improve detection accuracy, the plugins in the scope will now perform an additional check for vulnerable configurations. With this change, we anticipate a reduced false positive rate for systems with non-vulnerable configurations.D-Link DIR router detection adds DIR-615-series devices...
D-Link DIR router detection adds DIR-615-series devices Summary The plugin that detects D-Link routers has been updated to detect the DIR-615-series devices. Change Plugin 103115, which detects a D-Link DIR router’s web interface, has been updated to identify the DIR-615 series of routers. Impact This plugin will now successfully identify these assets as D-Link DIR-615 routers. Previously, the web interface would be detected, but not classified as this specific device type. DIR-class routers still remain the only device type detected by this plugin. Plugin 103115 - D-Link DIR Router Web Interface Detection Target Release Date ImmediateUpdates to Enumeration of Groups on MacOS Summary The MacOS...
Updates to Enumeration of Groups on MacOS Summary The MacOS user & group enumeration plugin has been updated to enumerate nested groups, and to collect the SMBSID for Active-Directory-created groups. Change Users and groups on a MacOS scan target are enumerated with plugin 95929. The plugin has been improved, and will now enumerate nested groups - groups that are a subset of another group. In addition, if a group was created by Microsoft Active Directory or Entra, by joining the scan target to one of these directory services, the SMBSID of the group will be collected, so that it can be used as a unique identifier to match with other assets. Impact Additional nested group and SMBSID group data will be added to the existing users and groups identified in Plugin 95929, if available. Users should see no expansion of users or groups identified in their scan output as a result of this change. Plugin 95929 - macOS and Mac OS X User List Enumeration Target Release Date August 23. 2023
RHEL Detection Changes Enhanced Detection in Plugins...
RHEL Detection Changes Enhanced Detection in Plugins Targeting RHEL Systems Plugin Applicable “Red Hat Local Security Checks” family plugins. Target Release Date 23 Jan 2023 Change Today, our RHEL vulnerability detection plugins test for the presence of officially-supported repository labels to determine whether relevant repositories are installed on a system. While this approach follows Red Hat's guidance, it is not possible to rely on it in some cases, such as where Red Hat Update Infrastructure (“RHUI”) repositories are enabled. In collaboration with Red Hat, we have developed a new approach to capture the RHUI scenario accurately. Instead of just using repository labels in the /etc/yum.repos.d/redhat.repo file, we will now determine which repositories are in use by checking the repository URLs in any repo file within the /etc/yum.repos directory. Impact Checking enabled repositories is the most accurate way to determine which plugins should run against specific configurations. Before this change, this was only possible if the /etc/yum.repos/redhat.repo file contained default repository labels. Because of environmental configurations, many scans were not able to determine which repositories were enabled. Instead, they relied on basic rpm file version checking, which can produce inaccurate results due to Red Hat's rpm version numbering practices. Customers will now see more accurate findings in configurations where custom label names are used and/or when a different file(s) in /etc/yum.repos.d/ is used to store repositories. If an internal mirror uses the same URL structure as official Red Hat mirrors, more accurate findings may occur. Otherwise, there will be no change in behavior in configurations where repositories point to internal mirrors.
Releasing NASL Plugin Changelog Summary Tenable Research is...
Releasing NASL Plugin Changelog Summary Tenable Research is releasing the NASL Plugin Changelog to bring more transparency to our plugin lifecycle. This new Tenable.com view is located at the changelog tab on the Nessus plugin pages on Tenable.com (e.g. https://www.tenable.com/plugins/nessus/166965/changelog). It notes changes made on a plugin level that matter most to our customers based on a variety of metrics gathered across Tenable. Plugin changes are released on a best-effort basis and are not guaranteed with every plugin release. Below is a dictionary of change categories currently surfacing under the Plugin Changelog. Please note that the mapping is accurate as of the time of publishing and is subject to change with future iterations. List of Change Categories Metadata changes cve - one or more CVEs were added or removed cvss metrics - one or more cvss metrics were changed cvssv2 score source - the score source for the plugin's CVSSv2 score was changed cvssv3 score source - same as v2, above, but for the CVSSv3 score source cvssv2 severity - the CVSSv2 severity changed cvssv3 severity - the CVSSv3 severity changed cvss temporal metrics - the CVSS temporal metrics changed exploit attributes - the exploitability attributes changed iavm reference - an IAVM XREF was added or removed cisa reference - a CISA XREF was added or removed stig severity - the IAVM STIG severity changed plugin metadata - script_name, synopsis, description, solution, cpe, see_also, plugin date attributes, potential vulnerability Plugin logic changes logic changes: code optimization detection: improved detection capability plugin categorization - a plugin had an agent attribute, os_inventory, or hardware_inventory attribute added or removed plugin requirements - the requirements (plugin dependencies) were changed required scan configuration - a precondition for this plugin was added or removed - 'report paranoia' is an example
Deprecation of Slack RCE Plugin 140214 Summary On 02 DEC...
Deprecation of Slack RCE Plugin 140214 Summary On 02 DEC 2021, Slack posted an update on a remote code execution (RCE) vulnerability attesting that the issue had been remediated in both the web and desktop versions of Slack. They stated, “Though it is not necessary to upgrade client versions to remediate this vulnerability, we do recommend that customers upgrade their Desktop client to at least version 4.4 in order to receive the benefits of the defense-in-depth work we have completed.” Impact As a result of this updated vendor advisory, as of THU 20 JAN 2022 we will be deprecating our Slack remote code execution (RCE) Plugin 140214. Target Release Date 20 JAN 2022Enhanced Homebrew Package Detection on macOS Change Nessus...
Enhanced Homebrew Package Detection on macOS Change Nessus plugin 83991 identifies packages including Homebrew packages on macOS hosts. Improvements have been made to this plugin to enumerate packages when the Homebrew command cannot be run. Impact Customers should expect more identifications of Homebrew packages on macOS hosts, potentially resulting in additional vulnerability reports. Plugin 83991 - List Installed Mac OS X Software Target Release Date 26 August 2020Severity Update on TLS Version 1.1 Protocol Detection...
Severity Update on TLS Version 1.1 Protocol Detection plugin Plugin 121010 - TLS Version 1.1 Protocol Detection Change Nessus Plugin 121010 had its severity updated to Info level. The previous severity level, Medium, was causing PCI scans to fail. However, PCI still considers TLS 1.1 as the minimum acceptable version (although entities are strongly encouraged to consider TLS v1.2). Impact Customers should expect plugin 121010 to show only as an informational plugin, with no vulnerabilities reported.