Oracle RDBMS (Database and OJVM) Patch Mapping Improvements...
Oracle RDBMS (Database and OJVM) Patch Mapping Improvements Summary Improvements have been made to how Nessus plugins determine the active version of the Oracle RDMS’s Database and OJVM components. How Patch Mapping Works for Oracle Database Scans Prior to these improvements, the Database and OJVM versions were mapped from installed patches and their corresponding versions via a manually maintained mapping library, oracle_database_mappings.inc. Installed patches are enumerated in one of three possible ways: Linux Local Detections: oracle_enum_products_nix.bin (plugin ID 71642, requires SSH credentials) Windows Local Detections: oracle_enum_products_win.nbin (plugin ID 71643, requires SMB credentials) Direct connection to the Database via oracle_rdbms_query_patch_info.nbin (plugin ID 45642, requires Database credentials) The patch information is stored by the scanner in a temporary database known as the “scratchpad”, for later reference. Plugin ID 71644, "oracle_rdbms_patch_info.nbin", is then run and sets the patch level (version) by checking the detected patches against the mapping in "oracle_database_mappings.inc". Problem This process alone is sometimes problematic, as Oracle releases their patches in stages or sometimes outside of the regular CPU cadence. As this mapping library is manually maintained, some patches were not mapped in time for vulnerability plugin releases, which is a semi-automated process. In the event that the target system has no patches installed that match a mapping from "oracle_database_mappings.inc", only the base version is reported (e.g 21.17.0.0.0), possibly resulting in False Positive findings. Improvements As we already have a complete list of installed patches and their descriptions stored in the aforementioned “scratchpad” we have added an additional layer of patch mapping over this. Plugin ID 71644, will now first attempt to parse the patch info directly from the scratchpad and map the installed patches to their corresponding versions based on the patch description. The existing mapping library is still checked, and a version comparison is performed to determine the highest patch level present. Plugin ID 71644 will now also report the patch levels (version) for the Database and OJVM components in its output. Expected Impact Improved accuracy in version detections for Oracle Database and OJVM resulting in less false positives in downstream vulnerability detection plugins Impacted plugins 71644, oracle_rdbms_patch_info.nbin 45624, oracle_rdbms_query_patch_info.nbin Targeted Release Date Monday, April 7, 2025
SSH Key Target Authentication: HashiCorp Vault Summary...
SSH Key Target Authentication: HashiCorp Vault Summary Tenable is announcing the release of updated functionality in regards to credential fetching in our HashiCorp Vault Integration. We have updated this integration to retrieve an SSH key for target authentication. This will expand functionality and usability for our customer’s use cases. Scope When using HashiCorp, customers can now retrieve an SSH key stored as a secret in their HashiCorp Vault. The customer can specify the SSH key using the same “Password Key” field in the User Interface. Previously this would only work for password authentication. Additionally, passphrase protected SSH keys can be specified with the appropriate “Password Key” and “Passphrase Key” specified. Impact There is no impact to existing scans. In Nessus and Tenable VM, a new Passphrase Key field will be present in credentials using HashiCorp Vault for SSH scans. Security Center will get the same field at a later date. If users encounter issues, please open a ticket with Technical Support. Release Date November 15th, 2024 - TVM, Nessus; TBD for Security Center.OpenSSH Private Keys for Authentication Summary Nessus can...
OpenSSH Private Keys for Authentication Summary Nessus can now use OpenSSH formatted private keys for SSH authentication in local-checks scans. OpenSSH only supports the "SSH" standard format for ED25519 keys, so when Nessus introduced support for ED25519 keys for SSH authentication, it had to support the native OpenSSH key format. The change described here extends that support to private keys of the other SSH public key algorithm types. Impact Prior to this change, customers with RSA or ECDSA keys would either have to generate their key-pairs using "ssh-keygen -m pem" or use that command to convert existing OpenSSH private keys to use with Nessus SSH credentials. Now customers can generate SSH keys with either PEM or OpenSSH formatted private keys and use them with Tenable local-checks credentials for Nessus scans. Explanation SSH private keys are packaged on the file system as a base64 encoded block sandwiched inside of a text header and footer. This is a super-encoding called "PEM". OpenSSH's "ssh-keygen" command uses the labels "pem" or "pkcs8" to refer to the PKCS#8 binary encoding of data within the base64 encoded block. When "ssh-keygen" is used to create keypairs without a specified encoding or with the tag "rfc4716", the base64 encoded block is in the binary format defined by RFC4716. PKCS8 PEM encoded private keys have a header like "-----BEGIN RSA PRIVATE KEY-----" or "-----BEGIN EC PRIVATE KEY-----" with corresponding footers. RFC4716 PEM encoded private keys can be identified by a header that looks like "-----BEGIN OPENSSH PRIVATE KEY-----" with a corresponding footer. Release Date August 8, 2024Delinea Secret Server functionality for on-premises and...
Delinea Secret Server functionality for on-premises and cloud Summary Tenable has verified that our existing PAM integration with Delinea Secret Server works with both the on-premises and cloud versions. Change Minor changes were made to our integration for added Secret Server cloud compatibility. More details may be found about this integration within the product documentation for Nessus (Windows, SSH), Tenable Vulnerability Management (Windows, SSH), and Tenable Security Center (Windows, SSH). Impact If customers encounter issues with this integration, please open a ticket with Technical Support. Tenable will engage with Delinea as needed to identify and resolve any issues. Release Date April 29, 2024 - TVM, Nessus, and Security Center
Arcon Network Device Support Summary Tenable has added...
Arcon Network Device Support Summary Tenable has added support for additional types of targets when using the Arcon integration. Change There is a new optional field, “Arcon Target Type”, which can be set to one of the following: windows linux networkdevices application Depending on the version of Arcon PAM, additional values may be allowed in this field. Please refer to the Arcon PAM specifications document for a full list of valid target types. When specified, scans using the Arcon integration will query accounts of the specified type. This enables the ability to integrate with, for example, accounts of network devices accessed via SSH. For example, see the following screenshot of a credential for a network device accessed via SSH. Impact There is no impact on existing scan credentials, because the new field is optional. When not specified, the behavior will remain the same. Release Immediate for Nessus and VM, TBD for SC.Completing the Implementation of SSH Library Modernization
Completing the Implementation of SSH Library Modernization Change In mid-2017, ssh_get_info2.nasl was introduced, leveraging the sshlib library effort that streamlined new ssh connectivity for scan targets. The original SSH/RSH/RLOGIN connectivity plugin 12643 and associated ssh library had 13+ years of legacy connectivity plugins built on top of them. These legacy ssh library dependent plugins have been steadily migrated to the new ssh_get_info2 library as updates to the plugins have been needed. Over the past 12 months, there has been a push to port the few remaining plugins that rely on the legacy ssh_get_info library to the new ssh_get_info2 library and this effort will soon be complete. The current SSH detection plugin, ssh_get_info2 (97993), currently falls back to the legacy detection plugin, ssh_get_info.nasl (12634), if it encounters an error. After this change, that fall back will no longer happen. All plugin transitions from the legacy ssh_get_info to the new ssh_get_info2 calls have been thoroughly tested and closely watched via telemetry to ensure functionality has not been negatively impacted. Impact Ideally, there will be no noticeable impact from these changes. However, from time to time against certain targets the legacy library has been able to succeed in running commands and gathering results when the current library fails. Going forward, the failure of the current SSH library will appear as an error and plugins may fail to report when formerly they would succeed. Affected Plugins This change will happen for every Nessus plugin that runs SSH commands against a remote target. Compliance audits, Nessus agent scans and Tenable scans that use a sensor other than Nessus will not be impacted. Target Release Date November 27, 2023 Tenable Research Release Highlights are posted in advance of significant new releases or updates to existing plugins or audit files that are important for early customer notification.
QiAnXin PAM Integration Release Summary We are proud to...
QiAnXin PAM Integration Release Summary We are proud to announce the QiAnXin Privileged Access Management (PAM) integration. The integration can gather credentials from the QiAnXin PAM solution to be used for target authentication. This will be available in Tenable Vulnerability Management and Nessus Manager, with plans to release this feature in Tenable.sc in the near future. The QiAnXin PAM integration supports SSH (with privilege escalation), SMB (Windows), and database target authentication. With this addition, customers will benefit from streamlined privileged access to use in credentialed vulnerability scans, providing a more comprehensive understanding of their cyber exposure. Supported Authentication Types SSH integration includes least privilege, privilege escalation, and SSH key authentication. SMB (Windows) integration includes domain configuration. Database integration includes the following database types: Oracle SQL Server MySQL MongoDB PostgreSQL DB2 Target Release Date 11/20/2023Delinea Integration API Key Support Summary Tenable has...
Delinea Integration API Key Support Summary Tenable has added the ability to authenticate to Delinea Secret Server PAM integration using an API key. Change A new dropdown, “Delinea Authentication Method” has been added for which there are two choices, “Credentials” and “API Key”. Credentials, the default, was previously the only option for Delinea authentication. When the “Credentials” option is selected, you supply a username and password. When “API Key” is selected, you enter an API token instead. An API token can be generated in the Delinea Secret Server web interface, under “User Preferences”. Prior to this change, there is no choice but to use login name and password: With the change, the default behavior remains to enter credentials: When “API Key” is selected, you may enter the API key instead: The Documentation has been updated to refer to the new options for Tenable Vulnerability Management and Nessus (Windows, SSH), and will be for Tenable Security Center (Windows, SSH). Impact It is optional to use an API key to authenticate, and the default authentication method will remain credentials. Existing configurations should not be affected. Release Date Immediate for Nessus and VM TBD for SCSSH Authentication - Target Priority Lists Summary Tenable...
SSH Authentication - Target Priority Lists Summary Tenable is updating many of their products to allow specific hostnames and IP addresses to be indicated for specific SSH credentials. Some customers wish to have numerous SSH credentials in a specific scan policy, against several target devices. Because of the way our SSH credential attempts were previously structured, they would each be tried in turn until a successful authentication with a credential was discovered. We have added a new field in SSH credentials for Nessus, T.io, and similar products (T.sc will add this later): a "Targets to prioritize credentials" field. Impact Any SSH credential may have a list of specific hostnames or IPs (comma or space separated) entered in this field. If any of the scan targets match a hostname or IP address within that field, then that credential will be bumped to the front of the list of credentials tried. If you have 100 credentials specified, and the successful one for a given target is the 59th set, but that credential has the target machine's hostname or IP in the targets “Targets to prioritize credentials" field, then that credential will be tried in front of every other credential that does not have that hostname or IP in that field. It could be the 59th credential specified, but it will be one of the first SSH credentials attempted against that target machine. This will save customers a lot of time if they would like credentials that they know work against a target machine to be attempted first for that machine. This feature will be available on any Tenable product that ties credentials to a specific scan policy. Products where the credentials can exist separately to the scan policy (T.sc) will have this feature implemented for those non-policy-attached credentials at a later time. Changes Any customers who have several SSH credentials and several scan targets in a single scan policy should consider entering the correct hostnames and IPs for their target machines into the appropriate SSH credential's "Targets to prioritize credentials" field to optimize their scans and make them run faster. Target Release Date ImmediateWallix SSH Key Authentication Summary SSH key support has...
Wallix SSH Key Authentication Summary SSH key support has been added to the Wallix Bastion Privileged Access Management (PAM) integration. When configuring SSH credentials in Wallix Bastion, customers can now choose to use either a password or an SSH key to authenticate to target hosts. Change This does not change the user interface for the Wallix integration. If a private key is configured for a device’s account in Wallix, then the integration will use the private key to authenticate. Impact Current configurations will not change. The new authentication method can be used if desired. Target Release Date Changes are active now
