New Medium severity TLS 1.1 deprecated Nessus plugin and...
New Medium severity TLS 1.1 deprecated Nessus plugin and SSL detection Nessus plugin severity increase Rationale Tenable will be publishing a new Medium severity Nessus plugin 157288 "TLS Version 1.1 Protocol Deprecated" to help users identify TLS servers that support TLS 1.1 which is now considered deprecated. This new plugin will allow our users to identify the servers in their environment that support this deprecated TLS protocol. They are then enabled to make informed risk decisions about upgrading, retiring, or strengthening protections around these TLS servers with a defense in depth architecture. This new plugin will be functionally identical to Nessus plugin 121010 except it will be Medium severity instead of Informational. At some point in the future Tenable will be deprecating plugin 121010 as this new plugin will effectively replace it. Tenable will also be updating the severity of Nessus plugin 20007 "SSL Version 2 and 3 Protocol Detection" from the existing CVSSv2 7.1 (High) and CVSSv3 7.5 (High) to new severity CVSSv2 10.0 (Critical) and CVSSv3 9.8 (Critical). Impact Plugin 157288 "TLS Version 1.1 Protocol Deprecated" - Tenable Research has identified that approximately 49% of servers that support SSL/TLS have support for TLS 1.1 enabled. This will manifest in a new Medium severity plugin firing for the majority of users scanning SSL/TLS servers. Plugin 20007 "SSL Version 2 and 3 Protocol Detection" - Tenable Research has identified that approximately 5% of servers that support SSL/TLS have support for SSL enabled. This will manifest in existing findings from this plugin with a High severity increasing to Critical severity for approximately half of users scanning SSL/TLS servers. New Nessus plugins 157288 TLS Version 1.1 Protocol Deprecated | CVSSv2 6.1 (Medium) | CVSSv3 6.5 (Medium) Updated Nessus plugins 20007 SSL Version 2 and 3 Protocol Detection | CVSSv2 10.0 (Critical) | CVSSv3 9.8 (Critical) Target Release Date Monday, April 4th, 2022
MongoDB Authentication Scanning Modernization - Expanded...
MongoDB Authentication Scanning Modernization - Expanded Support for MongoDB 5.1+, SCRAM-SHA-256 authentication, and non-certificate authentications over SSL/TLS ports Overview Tenable is updating Nessus plugins libraries to allow customers to have improved scanning of MongoDB databases on their systems. For years, Tenable products have supported scanning of MongoDB databases, and we have been working on supporting newer and edge case authentication mechanisms. We have expanded our coverage for MongoDB versions 5.1 and higher with additional communications methods and query support, via OP_MSG which exists in all modern MongoDB servers. We have also added support for SCRAM-SHA-256 authentication, and SSL/TLS communication to MongoDB that doesn't use MONGODB-X509 authentication. Impact Customers currently executing MongoDB scans may now have increased ability to authenticate to MongoDB instances using newer authentication methods, with or without SSL/TLS on the MongoDB port. Changes Any customers wishing to use x509 authentication with a non-MONGODB-X509 authentication method involving passwords will need to edit their scan policies to include Credentials->Miscellaneous->X.509 in addition to their existing MongoDB password credentials. Any customers running MongoDB 3.4 or older (end of life for 3 years) will need to upgrade to a more recent version, OP_QUERY/OP_REPLY functionality has been disabled. Target Release Date Immediate Tenable Research Release Highlights are posted in advance of significant new releases or updates to existing plugins or audit files that are important for early customer notification.
Fortinet Patches Zero Day in FortiOS SSL VPNs (CVE-2022-42475
Fortinet Patches Zero Day in FortiOS SSL VPNs (CVE-2022-42475) On December 12 Fortinet published an advisory for a vulnerability affecting several versions of FortiOS used in its FortiGate secure socket layer virtual private network (SSL VPN) and firewall products. This vulnerability was originally disclosed publicly on December 9 and Fortinet states that it has been exploited in the wild. CVE-2022-42475 is a heap-based buffer overflow in several versions of ForiOS that received a CVSSv3 score of 9.3. A remote, unauthenticated attacker could exploit this vulnerability with a specially crafted request and gain code execution. For more information, please visit our blog.DTLS and SSL scan preferences preserved Summary When...
DTLS and SSL scan preferences preserved Summary When importing a .nessus file into Polices, the Scan Policy setting “Search for DTLS on All UDP Ports” within Discovery > Service Discovery did not persist on import. This change supports the preservation of DTLS and SSL scan preferences. Change This changes the names of DTLS and SSL scan preferences so they may be exported in a .nessus file and reimported as a Nessus scan policy. Exporting a scan as a .nessus and reimporting it anywhere as a policy will preserve all of the settings except credentials, which aren't persisted. Impact Customers should expect to see DTLS and SSL scan preference settings preserved when exporting and then importing .nessus files after this release. Target Release Date 01 AUG 2022Support for Custom CA in SSL Libraries for upload to Tenable.
Support for Custom CA in SSL Libraries for upload to Tenable.io Summary Customer self-signed certificates can now be applied at the scan policy level in Tenable.io through the Advanced Scan Template. This support for assigning custom certificates to scan policies in T.io will allow customers to use self-signed certificates for SSL authentication without triggering plugin 51192 as a vulnerability in their environments. There is no change to the existing self-signed certificates functionality in Security Center, Nessus Manager or Nessus scanners by adding the certificates to the trusted list at the scanner level. This new functionality supports securely applying the certificate to an individual user’s scan policy, as opposed to the entire scanner. Individual customer certificates are encrypted in transit and live in memory while the scan runs, then purged when the task is complete for security. T.io users can configure custom certificates for a scan policy in the Settings >> Advanced >> General Settings >> Trusted CAs field by copying the custom CA text into the configuration setting. Please note, multiple certificates can be listed in this Trusted CAs field. Also, once the trusted CA gui element template update has been applied, it is available for the Scanner if accessed via API. Impact This will affect any customer who uses internally-signed certificates for SSL/TLS enabled services applied to scan target hosts inside their internal network and allow them to avoid triggering plugin 51192 on their T.io scans when using self-signed certificates on a scan policy. Changes T.io customers will have an additional Trusted CAs configuration setting to implement this feature. No changes to Security Center, Nessus Manager or Nessus scanners. Target Release Date ImmediateTLS Discovery Scan Template Settings Optimization Summary...
TLS Discovery Scan Template Settings Optimization Summary The default setting for SSL/TLS Service Discovery will be updated to be consistent across all scan policy templates. Background Most scan templates other than ones named "Advanced" offer a way to customize some options in each settings category. For scan templates that allow customizing Discovery settings, the default for SSL/TLS service discovery has been "Known ports" even though the default for every other named mode of Discovery settings has been "All" unless otherwise noted in the scan template's description. This has led to different SSL/TLS service discovery when a named setting was chosen or when Custom was chosen and the values were left unmodified. Solution The default value for SSL/TLS discovery will be made consistent across all scan policies created from templates that don't explicitly define a value for this setting. The new default for this setting will be "All ports". The default value for this setting will be affected for templates named "Advanced" as well. Current scan policies and scans run from those policies will not be affected. Impact Customers who are used to creating Nessus scans from templates and who often use the "custom" mode for Discovery settings or customers who use the Advanced templates will want to evaluate whether or not to change the SSL/TLS discovery setting from its new default. A setting of "None" or "Known ports" may be more desirable to reduce the impact of SSL/TLS service discovery on scan times and/or network load. Affected Components Nessus Scan Templates Tenable.io Scan Templates Target Release Date 4/15/2021 --------------------------------------------------------------------------------------------------- Tenable Research Release Highlights are posted in advance of significant new releases or updates to existing plugins or audit files that are important for early customer notification.
