Machine Learning SinFP Model Updates for OS Fingerprinting
Summary Updates have been released for the Tenable MLSinFP model, which predicts a host's OS based on SinFP fingerprints, by rebuilding it on a newer tech stack, incorporating new features, and using a larger dataset, resulting in improved accuracy of 67%. Change Before this update, plugin 132935 “OS Identification: SinFP with Machine Learning” was targeting operating systems commonly seen up to January 2021; consequently any newer OSs were not available as predictions. Additionally, the plugin solely relied on TCP header information for model features. After this update, the plugin targets operating systems commonly seen up to May 2025. Additionally the training dataset is larger (was 700K records, now 1.8M) and more varied (was 6K distinct SinFP fingerprints, now 100K), the predicted OSs names are cleaner and more consistent, and model features other than TCP header information are relied on. Ultimately these changes resulted in the plugin's balanced accuracy increasing to 67% (was 54%). Impact Remote detection of operating systems based on the MLSinFP method will have a slightly higher confidence score. Assets whose operating system was determined based on this method might have a different detected operating system. Plugins 132935 - OS Identification: SinFP with Machine Learning Target Release Date October 27, 2025Include/Exclude Path and Tenable Utils Unzip added to Log4j Detection
Summary Tenable has updated the Apache Log4j detection plugins. The Windows plugin will now honor the Include/Exclude Filepath configuration option. The Linux/UNIX plugin will now use the version of ‘unzip’ supplied with the Nessus Agent, when enabled in the Agent’s configuration, and correctly inspect the MANIFEST.MF and pom.properties files. Change Before this update, plugin 156000, Apache Log4j Installed (Linux / Unix), would fail to detect Log4j in specific scan scenarios. The plugin uses several inspection methods to determine if a JAR file is a copy of Log4j. During Nessus Agent scans, as well as scans with ‘localhost’ as a target, the plugin was not properly executing the unzip command to inspect META-INF/MANIFEST.MF and pom.properties files in the JAR archive. If this method was the only option that would result in a successful detection, the copy of Log4j would not be detected properly. In addition, the plugin had failed to launch the unzip binary supplied with the Agent when inspecting files in JAR archives. Note: The Nessus Agent can be configured to use find and unzip binaries that it provides, instead of those supplied by the asset’s operating system. See https://docs.tenable.com/vulnerability-management/Content/Scans/AdvancedSettings.htm#Agent_Performance_Options for more information. Also before this update, plugin 156001, Apache Log4j JAR Detection (Windows), would fail to honor the directories included or excluded for full-disk searches configured in the Windows Include Filepath and Windows Exclude Filepath directives in the Advanced Settings of a scan config. Note: Configuration of these options is described in https://docs.tenable.com/vulnerability-management/Content/Scans/AdvancedSettings.htm#Windows_filesearchOptions. After this update, plugin 156000 will use the Agent-supplied copy of unzip when configured to do so. If this option is not enabled in the scan config, the plugin will use the existing method to find and execute an archive utility supplied by the asset’s operating system. In either case, the plugin will properly inspect Log4j’s MANIFEST.MF and pom.properties files as a version source. Plugin 156001 already properly inspects these files. Also after this update, plugin 156001’s Powershell code will now honor directories included or excluded by the Filepath directives. Plugin 156000 already supported this feature. Impact When scanning Linux / UNIX assets via 'localhost' (i.e. scanning the scanner itself) or with the Nessus Agent, additional Log4j instances from MANIFEST.MF or pom.properties sources may be reported. For Linux Nessus Agents with "Use Tenable supplied binaries for find and unzip" enabled and "Agent CPU Resource Control - Scan Performance Mode" set to Low, plugin 156000 will now properly limit CPU usage during scans. As noted in the product documentation, “Note: Setting your process_priority preference value to low could cause longer running scans. You may need to increase your scan-window timeframe to account for this value.” Customers should be aware of this configuration setting and potential changes to the results provided in the Log4J detection results. When scanning Windows targets, Log4j JAR files stored in paths specified in the Windows Exclude Filepath configuration will no longer be detected. Log4j JAR files stored in paths or drives specified in the Windows Include Filepath configuration that had not been previously scanned will now be detected, assuming they can be assessed before the plugin’s configured timeout has been reached. Plugins 156000 - Apache Log4j Installed (Linux / Unix) 156001 - Apache Log4j JAR Detection (Windows) Target Release Date September 1, 2025Excluding the SUSE Linux Snapshots directory from Language Library enumeration
Summary The “language library” enumeration plugins will now exclude SUSE Linux’s snapshots directory when searching the filesystem. Change Before the update, when enumerating “language libraries” - such as Python packages, Node.js modules, etc. - on SUSE Linux hosts that use btrfs as their filesystem, reduced scan performance was observed. This is because btrfs creates and maintains snapshots in the /.snapshots directory, which can contain multiple redundant copies of files. This caused unnecessary processing on thorough scans. After the update, this snapshots directory has been excluded from searches executed by the find command for language library enumeration plugins on SUSE Linux. Impact This change is expected to improve the performance of scans on SUSE Linux assets. If language libraries were present in snapshots directory, they will no longer show up in Tenable scan results, along with any associated vulnerabilities. If customers would like to scan the snapshots directory, the "Include Filepath" option in the Advanced Scan Settings configuration can be used to force the scanning of these paths. Plugins 178772 - Node.js Modules Installed (Linux / Unix) 190687 - NuGet Installed Packages (Linux / Unix) 164122 - Python Installed Packages (Linux / Unix) 207584 - Ruby Gem Modules Installed (Linux / Unix) Target Release Date September 3, 2025
Nutanix Prism Central PAM Support
Summary Tenable is pleased to announce the addition of another authentication method for the Nutanix Prism Central credential. We now offer Privilege Access Manager (PAM) Integration support within the Nutanix Prism Central credential. This feature allows customers to authenticate to Nutanix Prism Central using either username and password credentials or one of our PAM integrations. Scope When configuring credentials for Nutanix Prism Central under Miscellaneous credentials, customers will now find a new dropdown option ‘Nutanix Prism Central Authentication Method’. This allows them to authenticate using a username and password or by selecting a PAM and subsequently inputting the necessary credential fields for the chosen PAM. Supported PAM Integrations in this Release: Arcon BeyondTrust Password Safe CyberArk Delinea Secret Server Fudo HashiCorp Vault QiAnXin SenhaSegura WALLIX Bastion Plugin Impact For any issues related to the use of PAM authentication with Nutanix Prism Central, please refer to the new log located within the Debugging Log Report. Example If using Nutanix Prism Central with Fudo support, the file will display as “nutanix_settings.nasl~Fudo”. Release Date Tenable Vulnerability Management and Nessus Manager: July 21st, 2025 Tenable Security Center: TDBCisco Meraki Integration
Summary Tenable is proud to announce our new integration with Cisco Meraki Dashboard. Cisco Meraki Dashboard is a centralized cloud-based platform used to manage and monitor Cisco Meraki devices. It provides a web-based interface for configuring, troubleshooting, and securing global network and IoT deployments. Tenable’s integration with the Cisco Meraki Dashboard API allows users to leverage our vulnerability management solutions against devices that are managed in their Meraki environment including security appliances, switches, routers, and other supported devices. Scope Customers using Tenable Vulnerability Management and Nessus Manager will be able to configure up to a maximum of five Cisco Meraki credentials in a single scan policy. The Cisco Meraki credential can be found under the "Miscellaneous" category of credentials. Detailed information about the integration and configurations can be found by visiting our integration documentation page in the link for Cisco Meraki. https://docs.tenable.com/Integrations.htm Plugins Plugins related to the integration can be divided into two categories; integration and supporting plugins. The integration plugins gather the credential settings, collect data from the Cisco Meraki API, and store this data for usage by the supporting plugins. Whereas supporting plugins detect the presence of Cisco Meraki devices and perform vulnerability detections against the device attributes; mainly primarily firmware. Integration Plugins Cisco Meraki Settings Cisco Meraki Data Collection Integration Status Supporting Plugins Cisco Meraki Detection Tenable Research will also release 6 initial plugins to detect Cisco Meraki versions vulnerable to several different high-impact CVEs. Please note that these plugins will require a paranoia level of 2 (“Show potential false alarms”). Impact The Nessus Scan Information plugin (plugin ID 19506) will report credentialed checks for Cisco Meraki devices through the use of the Cisco Meraki integration. Customers will see credentialed checks ‘no’ if a Cisco Meraki Device was detected while using the integration and the firmware version that we collected for the device is not configured or absent. Otherwise, customers can expect to see ‘yes, via HTTPS’ if successful. Release Date Tenable Vulnerability Management and Nessus Manager: July 3rd, 2025 Tenable Security Center: TDBKerberos Authentication Support for PAMs
Summary We are proud to announce that Tenable customers can now use Kerberos Target Authentication with our Privilege Access Manager (PAM) Integrations. Support for this method of target authentication was previously only available for our CyberArk, Hashicorp Vault, Windows, and SSH based credentials. We have now broadened this capability to encompass all PAMs documented below. Scope Customers will see a new option called ‘Kerberos Target Authentication’ in the credential field for each PAM. By default, the ‘Kerberos Target Authentication’ option is disabled. If enabled, customers will see four additional fields for configuring kerberos. Supported PAM Integrations in This Release: Arcon BeyondTrust Password Safe Delinea Secret Server Fudo QiAnXin Senhasegura WALLIX Bastion Impact This has no impact on credentials configured prior to the release of this feature. In addition there are no impacts to existing plugins. Release Date 6/23/2025 for Nessus and TVM TBD for Security CenterDelinea Secret Server Auto-Discovery
Summary Tenable is proud to announce a new feature to the Delinea Secret Server Privileged Access Management (PAM) integration. This feature introduces a new authentication type, Delinea Secret Server Auto-Discovery which can be selected in Windows, SSH, or Database credentials of credentialed scans. Delinea Secret Server Auto-Discovery is available alongside the current Delinea Secret Server integration. When using Auto-Discovery, scans will collect both scan targets and their respective credentials from Delinea Secret Server, eliminating the need to manually add specific targets to the scan. Auto-Discovery also eliminates the need to create multiple credentials when the scan targets have different login usernames or passwords. How it Works Delinea Secret Server Auto-Discovery will dynamically add scan targets to a scan; however, the scan will require an initial target to be defined in the target list to begin the collection. This initial target is generally arbitrary, but it must be a valid address or hostname. Some possibilities include just one of the scan targets, the scanner’s address, hostname, or even “localhost”. During the initial collection, plugins will request accounts and their associated hostnames or addresses. Then, these plugins will inject the collected hosts along with their respective credentials for the remainder of the scan. This initial collection occurs at the beginning of the scan, in the following plugins: Database: pam_database_auto_collect.nbin SSH: pam_ssh_auto_collect.nbin Windows: pam_smb_auto_collect.nbin After these plugins successfully inject the scan targets and their credentials, the remainder of the scan completes like a normal credentialed scan. Each collected target will have its credentials automatically associated with it, which eliminates unnecessary logins with incorrect credentials. Changes and Important Notes The current Delinea Secret Server integration will remain unchanged. For Delinea Secret Server Auto-Discovery to be able to use a secret, it must have an associated address or hostname. The secret must be created with a template type that includes either a “Machine” or “Server” field. While Delinea Secret Server Auto-Discovery eliminates the need to configure multiple credentials in a single scan, it is still possible to create up to five credentials in a single scan. This can be used to combine multiple bulk queries of accounts, if desired. Users of the new Delinea Secret Auto-Discovery feature can find status-related messages in the output of the Integration Status (204872) plugin. This feature is similar to the CyberArk Auto-Discovery feature. Please refer to the documentation for more information: https://docs.tenable.com/integrations/Delinea/Content/dynamic-scanning-intro.htm Impact This change does not affect the existing Delinea Secret Server integration, so existing scans will not be affected. Users are encouraged to look into the new option and its associated documentation. Release Date Tenable Vulnerability Management and Nessus: June 3, 2025 Security Center: TBDNew procedure to submit OS fingerprints Summary Tenable is...
New procedure to submit OS fingerprints Summary Tenable is providing a new web-based method for customers to use when submitting OS fingerprinting signatures for misidentified assets. Change When Tenable Nessus is unable to positively identify a scan target’s operating system, a plugin will report the failure, along with response data collected from any successful sessions with listening services on the target. This data is aggregated into a fingerprint that Tenable can often use to develop a better profile for identification of unknown devices. Customers have traditionally submitted this data to an email address listed in the plugin output. Tenable is updating the procedure, and customers can now submit this data using a web-based form at https://www.tenable.com/research/submitsignatures. The change is to help Tenable reduce the volume of invalid or incomplete submissions, and to ensure customers know the correct information to provide when submitting a fingerprint. The email submission method will continue to function until December 31, 2024. Impact Customers will use a new procedure to submit OS fingerprint details to Tenable to improve detection when an asset cannot be positively identified. Plugin 11936 - OS Identification 50350 - OS Identification Failed Target Release Date October 1, 2024
Find & Unzip Execution Options Summary Instead of...
Find & Unzip Execution Options Summary Instead of running native OS commands of “find” and “unzip”, plugins will use binaries included within the plugin feed for agent-based scanning. This allows CPU consumption to be controlled for the Tenable Nessus Agent for the ‘find’ command. This change will not affect or limit memory consumption. An additional benefit is that if ‘find’ or ‘unzip’ are not found natively on the OS, using from the feed allows full plugin execution with these commands to continue. What is the impact? The change should be transparent to customers and no action is required to be taken except for new scans if you’d like to opt-in to this feature. New Scans Be aware if you have adjusted the Agent CPU settings of Scan Performance to a setting other than the default, which is High, the resulting scan findings may be different than previous scans with the same configuration. This is because the scan may experience timeouts in finding files due to the lower CPU resources. See the next section for how to opt-in to the change, if desired. Existing Scans This change will not apply. The native OS binaries will continue to be used and not subject to Tenable Nessus Agent CPU control settings. PCI-DSS Scans This change will not apply. The native OS binaries will continue to be used and not subject to Tenable Nessus Agent CPU control settings. Due to the PCI-DSS standard requirements, the most complete scan results are required for reporting. Audits Due to the need for thorough and complete results, Audits do not leverage the find or unzip binaries from the Tenable feed. How do I opt-in to the change? An advanced setting within the scan configuration will allow customers to opt-in to using the binaries from the feed. By default, native OS commands will run for ‘find’ and ‘unzip’ as before. Please note, these commands are not subject to agent CPU constraints. For PCI scanning and existing scans, the scan template setting will be not visible and the scanning behavior will be equivalent to opting-out. What are the affected plugins? At the time of this release highlight publication, the following plugins are leveraging find or unzip: Find 142023 - Apache Cassandra Installed (Linux) 133766 - Apache Maven Installed (Linux / Unix) 135172 - Oracle NoSQL Database Installed (Linux) 117706 - MagniComp SysInfo Installed (Linux/UNIX) 111679 - FasterXML Jackson Databind Detection for Linux/UNIX 112063 - Kubernetes Installed (Linux) 136340 - nginx Installed (Linux/UNIX) 131566 - Atlassian Jira Installed (Unix / Linux) 147817 - Java Detection and Identification (Linux / Unix) 132771 - Palo Alto Cortex XSOAR Installed (Unix / Linux) 132872 - Foxit Reader Installed (Linux) 174788 - SQLite Local Detection (Linux) 151883 - Libgcrypt Installed (Linux/UNIX) 99671 - Apache Struts Detection for Linux/UNIX 156000 - Apache Log4j Installed (Linux / Unix) 141394 - Apache HTTP Server Installed (Linux) 71642 - Oracle Installed Software Enumeration (Linux / Unix) 156551 - Oracle MySQL Enterprise Monitor Installed (macOS) 124276 - Oracle Tuxedo Installed (Linux/UNIX) 73913 - Oracle WebLogic Server Detection 133962 - Sophos Anti-Virus Installed (Linux) 186361 - VMWare Tools or Open VM Tools Installed (Linux) 187057 - OwnCloud OwnCloud Installed (Linux) 70349 - Adobe Acrobat Installed (Mac OS X) 72202 - JBoss Detection 147022 - SAP Adaptive Server Enterprise (ASE) Installed (Linux) 163488 - Terraform Configuration Detection for Linux/UNIX 77028 - IBM Installation Manager Detection (Linux / Unix) 145032 - IBM WebSphere eXtreme Scale (Linux) 144633 - IBM MQ Server and Client Installed (Linux) 136341 - Dell EMC Data Protection Central Installed (Linux) 133964 - SELinux Status Check 159273 - Dockerfile Detection for Linux/UNIX 174164 - Google Protobuf Go Module Installed (Linux/UNIX) 158567 - Citrix Workspace App Installed (nix) 55420 - Adobe Reader Installed (Mac OS X) Unzip 193884 - CrushFTP Server Installed (Linux / Unix) 130175 - Apache Tomcat Local Detection 166230 - Apache Commons Text JAR Detection 176069 - Potix ZK Framework Installed (Linux) 130595 - Jenkins Installed (Linux) 123005 - Spring Framework JAR Detection 156000 - Apache Log4j Installed (Linux / Unix) 192571 - Fortra FileCatalyst Direct Server Installed (Linux / Unix) 72202 - JBoss Detection 134049 - Spring Projects Linux Detection 185488 - IBM WebSphere Application Server Liberty Installed (Linux / Unix) 170106 - TIBCO JasperReports Library JAR Detection Target Release Date July 9, 2024 - Tenable Vulnerability Management and Nessus July 15, 2024 - Tenable Security Center
Updated functionality - OpenSSL local detections and...
Updated functionality - OpenSSL local detections and vulnerability plugins Background Most instances of OpenSSL are not compiled from source - rather, they are installed as part of another package or library. In such cases, it is not the responsibility of the OpenSSL Project to provide updates and/or patches directly to the end user for these installs. Rather, it is the responsibility of the vendor in question. Take for example Tenable Nessus as an application. It is Tenable’s responsibility to decide if a given vulnerability applies to its implementation of OpenSSL and to provide patches and a Security Advisory, such as TNS-2023-27, if needed. Changes 1.) Plugin 168007, "OpenSSL Installed (Linux)", will have the ability to correlate an OpenSSL package to the file or library that installed it, giving users more control over whether or not generic OpenSSL vulnerability plugins (i.e. those found in the "Web Servers" family, listed here) should fire against those installs, or if the scan should solely rely on the vendor’s specific advisory for the OpenSSL packaged with their software. Such detections will now be marked as “managed” software. 2.) Plugin 168149, "OpenSSL Installed (Windows)", will now enumerate OpenSSL installs as “managed” software. 3.) The changes outlined in the Research Release Highlight, here, will be reverted, allowing our generic OpenSSL vulnerability checks to ingest data obtained via the aforementioned local detections. Impact Users will now see the OpenSSL binary and path, its version, and its associated package (when possible) in the output of plugin 168007. There are no aesthetic changes to the output of plugin 168149, which also includes the detected version and path. The generic OpenSSL vulnerability checks found in the "Web Servers" plugin family will only fire against these locally-detected installs when a scan is launched with increased paranoia and/or the detected OpenSSL package(s) are not managed by the OS, or third party software. This will result in even more accurate findings with fewer false positives from these plugins. We expect the vast majority of OpenSSL detections to be categorized as “managed”. As a result, if you want to see all potential OpenSSL vulnerabilities in your scan result, we recommend running a separate scan with the relevant OpenSSL plugins enabled, in paranoid mode. This can be configured in the Assessment Scan Settings of your scan policy. Documentation linked below; Tenable Nessus Tenable Security Center Tenable Vulnerability Management Please note, the paranoia settings will not affect the initial detections via plugins 168007 and 168149. These will always function the same, regardless of paranoia settings. Users should always be aware of the potential impact paranoia may have on the remediations, if not all scans are run in paranoid mode. Impacted Plugins 168007 ‘OpenSSL Installed (Linux)’ 168149 ‘OpenSSL Installed (Windows)’ Downstream impact on generic OpenSSL vulnerability plugins Target Release Date January 8th, 2024