Ssh
25 Topics
Oracle RDBMS (Database and OJVM) Patch Mapping Improvements

Summary

Improvements have been made to how Nessus plugins determine the active version of the Oracle RDBMS’s Database and OJVM components.

How Patch Mapping Works for Oracle Database Scans

Prior to these improvements, the Database and OJVM versions were mapped from installed patches and their corresponding versions via a manually maintained mapping library, oracle_database_mappings.inc. Installed patches are enumerated in one of three possible ways:

- Linux Local Detections: oracle_enum_products_nix.bin (plugin ID 71642, requires SSH credentials)
- Windows Local Detections: oracle_enum_products_win.nbin (plugin ID 71643, requires SMB credentials)
- Direct connection to the Database via oracle_rdbms_query_patch_info.nbin (plugin ID 45642, requires Database credentials)

The patch information is stored by the scanner in a temporary database known as the “scratchpad”, for later reference. Plugin ID 71644, "oracle_rdbms_patch_info.nbin", is then run and sets the patch level (version) by checking the detected patches against the mapping in "oracle_database_mappings.inc".

Problem

This process alone is sometimes problematic, as Oracle releases their patches in stages or sometimes outside of the regular CPU cadence. As this mapping library is manually maintained, some patches were not mapped in time for vulnerability plugin releases, which is a semi-automated process. In the event that the target system has no patches installed that match a mapping from "oracle_database_mappings.inc", only the base version is reported (e.g. 21.17.0.0.0), possibly resulting in False Positive findings.

Improvements

As we already have a complete list of installed patches and their descriptions stored in the aforementioned “scratchpad”, we have added an additional layer of patch mapping over this.

Plugin ID 71644 will now first attempt to parse the patch info directly from the scratchpad and map the installed patches to their corresponding versions based on the patch description. The existing mapping library is still checked, and a version comparison is performed to determine the highest patch level present. Plugin ID 71644 will now also report the patch levels (version) for the Database and OJVM components in its output.

Expected Impact

Improved accuracy in version detections for Oracle Database and OJVM, resulting in fewer false positives in downstream vulnerability detection plugins.

Impacted plugins

- 71644, oracle_rdbms_patch_info.nbin
- 45624, oracle_rdbms_query_patch_info.nbin

Targeted Release Date

Monday, April 7, 2025

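
The two-layer patch mapping described in the post above, sketched in Python as an added example; it is not Tenable's plugin code. The description format, patch IDs, versions and mapping contents are constructed assumptions chosen to show how an outdated mapping library under-reports the patch level.

```python
import re

# Constructed stand-in for a manually maintained patch-ID -> (component, version)
# library. It lags behind: the two newest sample patches are not in it.
STATIC_MAPPING = {"90000001": ("Database", "19.21.0.0.231017")}

# Assumed description shape: "<Database|OJVM> Release Update : <version> (<id>)".
DESC_RE = re.compile(
    r"^(OJVM|Database)\s+Release\s+Update\s*:\s*(\d+(?:\.\d+){3,4})", re.IGNORECASE)

# Constructed scratchpad contents: (patch id, patch description).
SAMPLE_PATCHES = [
    ("90000001", "Database Release Update : 19.21.0.0.231017 (90000001)"),
    ("90000002", "Database Release Update : 19.22.0.0.240116 (90000002)"),
    ("90000003", "OJVM RELEASE UPDATE: 19.22.0.0.240116 (90000003)"),
    ("90000004", "OCW RELEASE UPDATE 19.3.0.0.0 (90000004)"),  # other component
]

def version_key(version):
    """Dotted version -> tuple of ints, so 19.22 sorts above 19.3."""
    return tuple(int(part) for part in version.split("."))

def patch_levels(base_version, patches, use_descriptions=True):
    """Return the highest version found per component, else the base version."""
    levels = {"Database": base_version, "OJVM": base_version}
    for patch_id, description in patches:
        candidates = []
        if patch_id in STATIC_MAPPING:          # layer 1: static mapping library
            candidates.append(STATIC_MAPPING[patch_id])
        match = DESC_RE.match(description.strip()) if use_descriptions else None
        if match:                               # layer 2: parse the description
            component = "OJVM" if match.group(1).upper() == "OJVM" else "Database"
            candidates.append((component, match.group(2)))
        for component, version in candidates:   # keep the highest level seen
            if version_key(version) > version_key(levels[component]):
                levels[component] = version
    return levels

if __name__ == "__main__":
    print("mapping only:     ", patch_levels("19.3.0.0.0", SAMPLE_PATCHES, False))
    print("with descriptions:", patch_levels("19.3.0.0.0", SAMPLE_PATCHES))
```

With the mapping library alone, OJVM stays at the base version, which is the condition the post associates with false positives in downstream checks.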
Netstat Portscanner Update to Use Sockstat (ss) Utility

Summary

The Netstat Portscanner plugin runs during credentialed scans to enumerate open ports. After authenticating to the scan target, the plugin will attempt to run the ‘netstat’ command to identify listening ports. Modern Linux and Unix distributions are providing the 'ss' utility and have removed 'netstat', while 'netstat' is still available on older distributions.

The Netstat Portscanner will now attempt to use the ‘ss’ utility if the ‘netstat’ utility is not available. Thus, older distributions will continue to use the ‘netstat’ utility, while newer distributions that do not include ‘netstat’ will use the ‘ss’ utility.

Impact

Customers may notice credentialed scans identify additional open ports. They may also see additional vulnerability plugins and informational plugins triggered in these scans due to the newly identified open ports.

Plugin

Netstat Portscanner (SSH) (14272)

Target Release Date

April 25th, 2023

New Cisco Viptela SD-WAN Compliance Plugin and Audit Files

Summary

Customers can now measure compliance against Cisco Viptela SD-WAN devices with new plugin ID 161408. This plugin retrieves target data via SSH using 'show' commands to evaluate actual values against a given audit policy.

Four Tenable best practice audits are being released simultaneously with this plugin:

- Tenable Best Practices Cisco Viptela vManage v1.0.0
- Tenable Best Practices Cisco Viptela vBond v1.0.0
- Tenable Best Practices Cisco Viptela vEdge v1.0.0
- Tenable Best Practices Cisco Viptela vSmart v1.0.0

These audits were developed against NIST 800-53 guidelines as well as Cisco documentation. They include checks that evaluate:

- Reviewing user accounts
- Login banners
- Timeouts
- Remote and disk logging
- NTP
- Backup settings
- and more!

Target Release Date

The audits can be downloaded from the Tenable Audits Portal on July 18, 2022

Additional Notes: Online (credentialed) and offline scanning is supported.

SSH Key Target Authentication: HashiCorp Vault

Summary

Tenable is announcing the release of updated functionality in regards to credential fetching in our HashiCorp Vault Integration. We have updated this integration to retrieve an SSH key for target authentication. This will expand functionality and usability for our customers’ use cases.

Scope

When using HashiCorp, customers can now retrieve an SSH key stored as a secret in their HashiCorp Vault. The customer can specify the SSH key using the same “Password Key” field in the User Interface. Previously this would only work for password authentication. Additionally, passphrase-protected SSH keys can be specified with the appropriate “Password Key” and “Passphrase Key” specified.

Impact

There is no impact to existing scans. In Nessus and Tenable VM, a new Passphrase Key field will be present in credentials using HashiCorp Vault for SSH scans. Security Center will get the same field at a later date. If users encounter issues, please open a ticket with Technical Support.

Release Date

November 15th, 2024 - TVM, Nessus; TBD for Security Center.

Delinea Integration API Key Support

Summary

Tenable has added the ability to authenticate to Delinea Secret Server PAM integration using an API key.

Change

A new dropdown, “Delinea Authentication Method”, has been added, for which there are two choices: “Credentials” and “API Key”. Credentials, the default, was previously the only option for Delinea authentication. When the “Credentials” option is selected, you supply a username and password. When “API Key” is selected, you enter an API token instead. An API token can be generated in the Delinea Secret Server web interface, under “User Preferences”.

Prior to this change, there was no choice but to use login name and password:

With the change, the default behavior remains to enter credentials:

When “API Key” is selected, you may enter the API key instead:

The Documentation has been updated to refer to the new options for Tenable Vulnerability Management and Nessus (Windows, SSH), and will be for Tenable Security Center (Windows, SSH).

Impact

It is optional to use an API key to authenticate, and the default authentication method will remain credentials. Existing configurations should not be affected.

Release Date

Immediate for Nessus and VM
TBD for SC

SSH Authentication - Target Priority Lists

Summary

Tenable is updating many of their products to allow specific hostnames and IP addresses to be indicated for specific SSH credentials. Some customers wish to have numerous SSH credentials in a specific scan policy, against several target devices. Because of the way our SSH credential attempts were previously structured, they would each be tried in turn until a successful authentication with a credential was discovered. We have added a new field in SSH credentials for Nessus, T.io, and similar products (T.sc will add this later): a "Targets to prioritize credentials" field.

Impact

Any SSH credential may have a list of specific hostnames or IPs (comma or space separated) entered in this field. If any of the scan targets match a hostname or IP address within that field, then that credential will be bumped to the front of the list of credentials tried.

If you have 100 credentials specified, and the successful one for a given target is the 59th set, but that credential has the target machine's hostname or IP in the "Targets to prioritize credentials" field, then that credential will be tried in front of every other credential that does not have that hostname or IP in that field. It could be the 59th credential specified, but it will be one of the first SSH credentials attempted against that target machine. This will save customers a lot of time if they would like credentials that they know work against a target machine to be attempted first for that machine.

This feature will be available on any Tenable product that ties credentials to a specific scan policy. Products where the credentials can exist separately to the scan policy (T.sc) will have this feature implemented for those non-policy-attached credentials at a later time.

Changes

Any customers who have several SSH credentials and several scan targets in a single scan policy should consider entering the correct hostnames and IPs for their target machines into the appropriate SSH credential's "Targets to prioritize credentials" field to optimize their scans and make them run faster.

Target Release Date

Immediate

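
The ordering rule from the post above, worked through for its 100-credential scenario as an added Python example; it is not Tenable's code. The credential records, hostnames, the `priority_targets` key and the exact, case-insensitive matching rule are assumptions made for illustration.

```python
import re

def parse_priority_targets(field):
    """Split the field on commas and/or whitespace; compare case-insensitively."""
    return {item.lower() for item in re.split(r"[,\s]+", field.strip()) if item}

def order_credentials(credentials, target_names):
    """Return credentials in the order they would be tried against one target.

    credentials:  list of dicts with "name" and "priority_targets" (raw field text).
    target_names: every hostname/IP the scan target is known by.
    Credentials that list the target move to the front; the relative order
    inside each group is preserved (a stable partition, not a re-sort).
    """
    wanted = {name.lower() for name in target_names}
    prioritized, rest = [], []
    for cred in credentials:
        listed = parse_priority_targets(cred.get("priority_targets", ""))
        (prioritized if listed & wanted else rest).append(cred)
    return prioritized + rest

def build_sample():
    """Constructed policy: 100 credentials, the 59th and 80th name a target."""
    creds = [{"name": f"cred-{i}", "priority_targets": ""} for i in range(1, 101)]
    creds[58]["priority_targets"] = "db01.example.test, 192.0.2.59"   # comma list
    creds[79]["priority_targets"] = "192.0.2.80 DB01.example.test"    # space list
    return creds

if __name__ == "__main__":
    order = order_credentials(build_sample(), ["db01.example.test"])
    print([c["name"] for c in order[:4]])
```

A target that appears in no priority list gets the credentials in their original policy order, so leaving the field empty does not change existing scans.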
Wallix SSH Key Authentication

Summary

SSH key support has been added to the Wallix Bastion Privileged Access Management (PAM) integration. When configuring SSH credentials in Wallix Bastion, customers can now choose to use either a password or an SSH key to authenticate to target hosts.

Change

This does not change the user interface for the Wallix integration. If a private key is configured for a device’s account in Wallix, then the integration will use the private key to authenticate.

Impact

Current configurations will not change. The new authentication method can be used if desired.

Target Release Date

Changes are active now

Delinea Secret Server functionality for on-premises and cloud

Summary

Tenable has verified that our existing PAM integration with Delinea Secret Server works with both the on-premises and cloud versions.

Change

Minor changes were made to our integration for added Secret Server cloud compatibility. More details may be found about this integration within the product documentation for Nessus (Windows, SSH), Tenable Vulnerability Management (Windows, SSH), and Tenable Security Center (Windows, SSH).

Impact

If customers encounter issues with this integration, please open a ticket with Technical Support. Tenable will engage with Delinea as needed to identify and resolve any issues.

Release Date

April 29, 2024 - TVM, Nessus, and Security Center

Completing the Implementation of SSH Library Modernization

Change

In mid-2017, ssh_get_info2.nasl was introduced, leveraging the sshlib library effort that streamlined new ssh connectivity for scan targets. The original SSH/RSH/RLOGIN connectivity plugin 12643 and associated ssh library had 13+ years of legacy connectivity plugins built on top of them. These legacy ssh library dependent plugins have been steadily migrated to the new ssh_get_info2 library as updates to the plugins have been needed.

Over the past 12 months, there has been a push to port the few remaining plugins that rely on the legacy ssh_get_info library to the new ssh_get_info2 library and this effort will soon be complete.

The current SSH detection plugin, ssh_get_info2 (97993), currently falls back to the legacy detection plugin, ssh_get_info.nasl (12634), if it encounters an error. After this change, that fall back will no longer happen.

All plugin transitions from the legacy ssh_get_info to the new ssh_get_info2 calls have been thoroughly tested and closely watched via telemetry to ensure functionality has not been negatively impacted.

Impact

Ideally, there will be no noticeable impact from these changes. However, from time to time against certain targets the legacy library has been able to succeed in running commands and gathering results when the current library fails. Going forward, the failure of the current SSH library will appear as an error and plugins may fail to report when formerly they would succeed.

Affected Plugins

This change will happen for every Nessus plugin that runs SSH commands against a remote target. Compliance audits, Nessus agent scans and Tenable scans that use a sensor other than Nessus will not be impacted.

Target Release Date

November 27, 2023

Tenable Research Release Highlights are posted in advance of significant new releases or updates to existing plugins or audit files that are important for early customer notification.

QiAnXin PAM Integration Release

Summary

We are proud to announce the QiAnXin Privileged Access Management (PAM) integration. The integration can gather credentials from the QiAnXin PAM solution to be used for target authentication. This will be available in Tenable Vulnerability Management and Nessus Manager, with plans to release this feature in Tenable.sc in the near future.

The QiAnXin PAM integration supports SSH (with privilege escalation), SMB (Windows), and database target authentication. With this addition, customers will benefit from streamlined privileged access to use in credentialed vulnerability scans, providing a more comprehensive understanding of their cyber exposure.

Supported Authentication Types

SSH integration includes least privilege, privilege escalation, and SSH key authentication.

SMB (Windows) integration includes domain configuration.

Database integration includes the following database types:

- Oracle
- SQL Server
- MySQL
- MongoDB
- PostgreSQL
- DB2

Target Release Date

11/20/2023