Updated functionality - OpenSSL local detections and...
Updated functionality - OpenSSL local detections and vulnerability plugins Background Most instances of OpenSSL are not compiled from source - rather, they are installed as part of another package or library. In such cases, it is not the responsibility of the OpenSSL Project to provide updates and/or patches directly to the end user for these installs. Rather, it is the responsibility of the vendor in question. Take for example Tenable Nessus as an application. It is Tenable’s responsibility to decide if a given vulnerability applies to its implementation of OpenSSL and to provide patches and a Security Advisory, such as TNS-2023-27, if needed. Changes 1.) Plugin 168007, "OpenSSL Installed (Linux)", will have the ability to correlate an OpenSSL package to the file or library that installed it, giving users more control over whether or not generic OpenSSL vulnerability plugins (i.e. those found in the "Web Servers" family, listed here) should fire against those installs, or if the scan should solely rely on the vendor’s specific advisory for the OpenSSL packaged with their software. Such detections will now be marked as “managed” software. 2.) Plugin 168149, "OpenSSL Installed (Windows)", will now enumerate OpenSSL installs as “managed” software. 3.) The changes outlined in the Research Release Highlight, here, will be reverted, allowing our generic OpenSSL vulnerability checks to ingest data obtained via the aforementioned local detections. Impact Users will now see the OpenSSL binary and path, its version, and its associated package (when possible) in the output of plugin 168007. There are no aesthetic changes to the output of plugin 168149, which also includes the detected version and path. The generic OpenSSL vulnerability checks found in the "Web Servers" plugin family will only fire against these locally-detected installs when a scan is launched with increased paranoia and/or the detected OpenSSL package(s) are not managed by the OS, or third party software. This will result in even more accurate findings with fewer false positives from these plugins. We expect the vast majority of OpenSSL detections to be categorized as “managed”. As a result, if you want to see all potential OpenSSL vulnerabilities in your scan result, we recommend running a separate scan with the relevant OpenSSL plugins enabled, in paranoid mode. This can be configured in the Assessment Scan Settings of your scan policy. Documentation linked below; Tenable Nessus Tenable Security Center Tenable Vulnerability Management Please note, the paranoia settings will not affect the initial detections via plugins 168007 and 168149. These will always function the same, regardless of paranoia settings. Users should always be aware of the potential impact paranoia may have on the remediations, if not all scans are run in paranoid mode. Impacted Plugins 168007 ‘OpenSSL Installed (Linux)’ 168149 ‘OpenSSL Installed (Windows)’ Downstream impact on generic OpenSSL vulnerability plugins Target Release Date January 8th, 2024