Tenable.io
Updated functionality - OpenSSL local detections and vulnerability plugins

Background

Most instances of OpenSSL are not compiled from source - rather, they are installed as part of another package or library. In such cases, it is not the responsibility of the OpenSSL Project to provide updates and/or patches directly to the end user for these installs. Rather, it is the responsibility of the vendor in question. Take for example Tenable Nessus as an application. It is Tenable’s responsibility to decide if a given vulnerability applies to its implementation of OpenSSL and to provide patches and a Security Advisory, such as TNS-2023-27, if needed.

Changes

1.) Plugin 168007, "OpenSSL Installed (Linux)", will have the ability to correlate an OpenSSL package to the file or library that installed it, giving users more control over whether or not generic OpenSSL vulnerability plugins (i.e. those found in the "Web Servers" family, listed here) should fire against those installs, or if the scan should solely rely on the vendor’s specific advisory for the OpenSSL packaged with their software. Such detections will now be marked as “managed” software.

2.) Plugin 168149, "OpenSSL Installed (Windows)", will now enumerate OpenSSL installs as “managed” software.

3.) The changes outlined in the Research Release Highlight, here, will be reverted, allowing our generic OpenSSL vulnerability checks to ingest data obtained via the aforementioned local detections.

Impact

Users will now see the OpenSSL binary and path, its version, and its associated package (when possible) in the output of plugin 168007. There are no aesthetic changes to the output of plugin 168149, which also includes the detected version and path.

The generic OpenSSL vulnerability checks found in the "Web Servers" plugin family will only fire against these locally-detected installs when a scan is launched with increased paranoia and/or the detected OpenSSL package(s) are not managed by the OS, or third party software. This will result in even more accurate findings with fewer false positives from these plugins.

We expect the vast majority of OpenSSL detections to be categorized as “managed”. As a result, if you want to see all potential OpenSSL vulnerabilities in your scan result, we recommend running a separate scan with the relevant OpenSSL plugins enabled, in paranoid mode. This can be configured in the Assessment Scan Settings of your scan policy. Documentation linked below:

Tenable Nessus
Tenable Security Center
Tenable Vulnerability Management

Please note, the paranoia settings will not affect the initial detections via plugins 168007 and 168149. These will always function the same, regardless of paranoia settings. Users should always be aware of the potential impact paranoia may have on the remediations, if not all scans are run in paranoid mode.

Impacted Plugins

168007 ‘OpenSSL Installed (Linux)’
168149 ‘OpenSSL Installed (Windows)’
Downstream impact on generic OpenSSL vulnerability plugins

Target Release Date

January 8th, 2024
Tenable Coverage for Ripple20 Vulnerabilities - Treck TCP/IP Stack Detection

The Treck stack has been around for over 20 years and integrated into hundreds of products in many different ways. It is at the heart of the Ripple20 vulnerabilities. The stack has been modified based on each vendor's or product's needs. Some products have further been acquired by other companies, reached End Of Life (EOL) or End Of Support (EOS), etc., thereby adding to the complexity of the situation.

Tenable has adopted multiple approaches to detecting the Treck stack in a vendor-agnostic way while trying our best to ensure the plugins are not destructive to the assets being scanned. Using multiple approaches helps enhance coverage of the diverse Treck stacks out there. However, depending on the changes the vendors have made to the Treck stack or the way it has been integrated into their products, it may not be possible to detect all instances of the Treck stack remotely in a non-destructive way.

As vendors are releasing patches for the Ripple20 vulnerabilities in their products, we are looking into adding additional coverage on a product. For the time being, using the recast functionality on the vulnerability check for plugin ID 137702, "Treck TCP/IP stack multiple vulnerabilities. (Ripple20)", can help teams to acknowledge and accept the risk on the report.

Vulnerability Recast

Tenable.io - https://docs.tenable.com/tenableio/vulnerabilitymanagement/Content/Settings/AboutRecastRules.htm
Tenable.sc - https://docs.tenable.com/tenablesc/Content/RecastRiskRules.htm

Detection Plugins

138614 Treck/Kasago Network Stack Detection
138615 Treck/Kasago Network Stack Detection With IP Option.
137703 Treck/Kasago Network Stack Detection

Vulnerability Detection Plugins

137702 Treck TCP/IP stack multiple vulnerabilities. (Ripple20)