Tenable.sc
4 Topics

Updated functionality - OpenSSL local detections and vulnerability plugins

Background

Most instances of OpenSSL are not compiled from source - rather, they are installed as part of another package or library. In such cases, it is not the responsibility of the OpenSSL Project to provide updates and/or patches directly to the end user for these installs. Rather, it is the responsibility of the vendor in question.

Take for example Tenable Nessus as an application. It is Tenable’s responsibility to decide if a given vulnerability applies to its implementation of OpenSSL and to provide patches and a Security Advisory, such as TNS-2023-27, if needed.

Changes

1.) Plugin 168007, "OpenSSL Installed (Linux)", will have the ability to correlate an OpenSSL package to the file or library that installed it, giving users more control over whether or not generic OpenSSL vulnerability plugins (i.e. those found in the "Web Servers" family, listed here) should fire against those installs, or if the scan should solely rely on the vendor’s specific advisory for the OpenSSL packaged with their software. Such detections will now be marked as “managed” software.

2.) Plugin 168149, "OpenSSL Installed (Windows)", will now enumerate OpenSSL installs as “managed” software.

3.) The changes outlined in the Research Release Highlight, here, will be reverted, allowing our generic OpenSSL vulnerability checks to ingest data obtained via the aforementioned local detections.

Impact

Users will now see the OpenSSL binary and path, its version, and its associated package (when possible) in the output of plugin 168007. There are no aesthetic changes to the output of plugin 168149, which also includes the detected version and path.

The generic OpenSSL vulnerability checks found in the "Web Servers" plugin family will only fire against these locally-detected installs when a scan is launched with increased paranoia and/or the detected OpenSSL package(s) are not managed by the OS, or third party software. This will result in even more accurate findings with fewer false positives from these plugins.

We expect the vast majority of OpenSSL detections to be categorized as “managed”. As a result, if you want to see all potential OpenSSL vulnerabilities in your scan result, we recommend running a separate scan with the relevant OpenSSL plugins enabled, in paranoid mode. This can be configured in the Assessment Scan Settings of your scan policy. Documentation is linked below:

Tenable Nessus
Tenable Security Center
Tenable Vulnerability Management

Please note, the paranoia settings will not affect the initial detections via plugins 168007 and 168149. These will always function the same, regardless of paranoia settings. Users should always be aware of the potential impact paranoia may have on the remediations, if not all scans are run in paranoid mode.

Impacted Plugins

168007 ‘OpenSSL Installed (Linux)’
168149 ‘OpenSSL Installed (Windows)’
Downstream impact on generic OpenSSL vulnerability plugins

Target Release Date

January 8th, 2024
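
The managed/unmanaged rule described in the Impact section above, as an added example that is not Tenable's plugin code: it approximates "managed" as "the file is owned by an installed package", looked up with dpkg-query -S or rpm -qf, and applies the stated paranoia rule. The function names and sample paths are assumptions made for illustration.

```python
import shutil
import subprocess

# Assumed approximation of "managed": an installed package owns the file.
QUERIES = (
    ("dpkg-query", lambda p: ["dpkg-query", "-S", p]),
    ("rpm", lambda p: ["rpm", "-qf", "--queryformat", "%{NAME}\n", p]),
)

def owning_package(path, run=subprocess.run, which=shutil.which):
    """Return the package that owns `path`, or None if no package manager claims it."""
    for tool, argv in QUERIES:
        if which(tool) is None:
            continue  # this package manager is not present on the host
        proc = run(argv(path), capture_output=True, text=True)
        lines = proc.stdout.strip().splitlines()
        if proc.returncode != 0 or not lines:
            continue  # unowned files make both tools exit non-zero
        # dpkg-query prints "pkg[:arch]: /path"; rpm prints the bare name.
        return lines[0].split(": ", 1)[0] if tool == "dpkg-query" else lines[0]
    return None

def generic_checks_apply(path, paranoid=False, lookup=owning_package):
    """Apply the stated rule: generic checks fire if paranoid or unmanaged."""
    package = lookup(path)
    managed = package is not None
    return {"path": path, "package": package, "managed": managed,
            "generic_checks": paranoid or not managed}

if __name__ == "__main__":
    # Constructed sample paths; the second is a hypothetical source build.
    for sample in ("/usr/bin/openssl", "/usr/local/ssl/bin/openssl"):
        for paranoid in (False, True):
            print(paranoid, generic_checks_apply(sample, paranoid))
```

Running it on a host before a scan shows which OpenSSL binaries would only be covered by vendor advisories unless a paranoid scan is also scheduled.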

New SSH Escalation Type for Checkpoint Gaia

In the spirit of Tenable's continued commitment to excellence, we are changing the way privilege escalation is specified for SSH credentials that target Checkpoint Gaia devices. When support for escalation to expert mode in Gaia scans was first introduced, we reused the Cisco enable escalation credential. The difference in escalation commands causes Gaia scans to report failed escalation as device discovery tries different commands, including escalated Cisco commands. This change will stop scans that target Gaia from trying Cisco escalation and will eliminate the spurious error reporting.

Impact

Existing scan policies with Cisco enable privilege escalation will still work with Gaia devices, but the invalid escalations will still be reported as escalation failures. To remove these messages, customers will have to modify the SSH credentials for their Gaia-targeting scan policies to use the new "Checkpoint Gaia 'expert'" escalation type instead. Going forward, the new SSH escalation type should be used for credentials targeting Checkpoint Gaia devices.

Changes

The new escalation type will be available for every SSH credential type that currently offers an escalation credential. This is what the new escalation type looks like:

Target Release Date

4 Oct 2021 - Nessus and Tenable.io
6 Dec 2021 - Tenable.sc

Tenable.sc: Oracle Database CSV Enumeration with CyberArk

Introduction

Currently, in Tenable.sc, users have to add each Oracle Database credential set one at a time and apply each of these credentials to a scan policy. Once the scan is started, each of these credential sets is used to authenticate against each detected Oracle Database listener, possibly resulting in multiple undesirable authentication attempts.

Change

An option is being officially introduced to the Oracle Database Credential which will allow users to specify a CSV file with the Oracle Database authentication settings used for the scan policy. This option allows users to more easily input credentials and to associate credentials with a specific listener on a host.

The authentication method supported at this time is CyberArk’s Privileged Access Security (PAS) solution. For this reason, at least one Oracle Database Credential with the CyberArk authentication method must be configured in the same scan policy to be able to retrieve the password.

The Oracle Database password is retrieved from the configured CyberArk PAS when the CSV specifies an account name (Account Details Name in Tenable.sc). Otherwise, the target host and username are used to retrieve the password.

Please refer to the Oracle Database credentials documentation for more information.

Impact

Only Tenable.sc users that have previously used the release candidate are impacted and should note the new CSV format as mentioned in the documentation.

Additional Resources

How-to Guide: Tenable.sc for CyberArk
Tenable.sc: Database Integration with CyberArk

Target Release Date

12 October 2020

Tenable Research Release Highlights are posted in advance of significant new releases or updates to existing plugins or audit files that are important for early customer notification.

Tenable Coverage for Ripple20 Vulnerabilities - Treck TCP/IP Stack Detection

The Treck stack has been around for over 20 years and has been integrated into hundreds of products in many different ways. It is at the heart of the Ripple20 vulnerabilities. The stack has been modified based on each vendor's or product's needs. Some products have further been acquired by other companies, reached End Of Life (EOL) or End Of Support (EOS), etc., thereby adding to the complexity of the situation.

Tenable has adopted multiple approaches to detecting the Treck stack in a vendor-agnostic way while trying our best to ensure the plugins are not destructive to the assets being scanned. Using multiple approaches helps enhance coverage of the diverse Treck stacks out there. However, depending on the changes the vendors have made to the Treck stack or the way it has been integrated into their products, it may not be possible to detect all instances of the Treck stack remotely in a non-destructive way.

As vendors are releasing patches for the Ripple20 vulnerabilities in their products, we are looking into adding additional coverage on a product. For the time being, using the recast functionality on the vulnerability check for plugin ID 137702, "Treck TCP/IP stack multiple vulnerabilities. (Ripple20)", can help teams to acknowledge and accept the risk on the report.

Vulnerability Recast

Tenable.io - https://docs.tenable.com/tenableio/vulnerabilitymanagement/Content/Settings/AboutRecastRules.htm
Tenable.sc - https://docs.tenable.com/tenablesc/Content/RecastRiskRules.htm

Detection Plugins

138614 Treck/Kasago Network Stack Detection
138615 Treck/Kasago Network Stack Detection With IP Option.
137703 Treck/Kasago Network Stack Detection

Vulnerability Detection Plugins

137702 Treck TCP/IP stack multiple vulnerabilities. (Ripple20)