cyberark
8 Topics
CyberArk Dynamic Scanning Feature Update

Summary
Tenable is proud to announce a new feature for the CyberArk Dynamic Scanning credential to enhance customer experience and usability.

Change
The addition of CCP Host and CCP Port fields to CyberArk Dynamic Scanning credentials for SSH, Windows, and Database. This feature accommodates customers that have different hosts for their Password Vault Web Access (PVWA) and Central Credential Provider (CCP) applications.

Impact
No impact

Release Date
This feature will be released in TVM and Nessus Manager on January 21st, 2025. The feature release date for Tenable Security Center is TBD.

CyberArk Client Certificate Authentication Issue

Summary
Tenable has discovered an issue with our CyberArk Integration and its Client Certificate Authentication to the CyberArk CCP/AIM Web Service API. Customers that have deployed the CyberArk CCP component on Windows Server 2022+ have experienced unsuccessful attempts authenticating to the CCP/AIM Web Service API using Client Certificate Authentication with our CyberArk Integration. This is due to an issue with Windows Internet Information Services (IIS) and certificate authentication over TLS 1.3 and HTTP/2.

Change
Customers using a Windows Server 2022+ to host their CyberArk CCP must disable TLS v1.3 and HTTP/2 on the IIS manager in order to successfully use Tenable’s CyberArk Integrations that support Client Certificate Authentication. The following Microsoft article describes the issue.
https://techcommunity.microsoft.com/blog/iis-support-blog/windows-server-2022-iis-web-site-tls-1-3-does-not-work-with-client-certificate-a/4129738

Impact
There are no changes to the integration.

Release Date
IMMEDIATE

Release Highlight: CyberArk Query by hostname or FQDN

Summary
Tenable has added an enhancement to the CyberArk PAM integration. The integration can now query for accounts associated with target hostnames in addition to target IP addresses.

Prior to this change, querying for a credential by username or by address would require the target account to be associated with the resolved IP address of the target. Now, users can associate accounts in CyberArk with the host name or fully qualified domain name (FQDN) of the target instead of just the IP address. In CyberArk, the target account’s “Address” can now either be the hostname/FQDN as it was entered in the target list, or the resolved IP address.

Scope
This change only applies to the CyberArk credential and only applies when “Get Credential By” is set to “Username” or “Parameters”. The following credentials are not affected by this change:
- CyberArk with Auto-Discovery
- CyberArk (Legacy)

Impact
Prior to this change, customers may have created accounts associated with the resolved target IP addresses, despite entering those targets’ hostnames or FQDN as the scan targets. This configuration will continue to work for backwards compatibility, but now they can be associated with the hostname or FQDN instead. While backwards compatibility is being preserved, we encourage customers to review their configurations.

Release
Immediate for TVM, Nessus and SC.

CyberArk Legacy (SOAP API) Integration End-of-Support

Summary
Tenable will discontinue support of our CyberArk Legacy Integration as of December 31, 2024. This integration utilizes the SOAP API protocol to communicate with CyberArk. This is in alignment with CyberArk’s notice to end support for SOAP requests on December 31, 2024.

Change
Tenable will discontinue support for the CyberArk Legacy Integration. Additionally there will be a notice added to our CyberArk Legacy documentation informing users to use our non-Legacy CyberArk Integration which supports REST API requests.

Impact
Customers may continue to use this integration. However, there will be no support or future updates made to this integration.

Release Date
Dec 31, 2024 - TVM, Nessus, and Security Center

Upcoming Release: CyberArk User Interface Improvements

Summary
Tenable is proud to announce new usability and flexibility improvements to the CyberArk Privileged Access Management (PAM) integration.

The first improvement is to add a fourth option to the “Get Credential By” drop-down menu. Currently “Get Credential By” supports the following options: Username, Address and Identifier. Now users will have the “Parameters” option available for use, adding the ability to specify advanced query parameters for credential objects. This provides additional flexibility in how users choose to fetch target credentials from CyberArk, instead of being limited to fetching the credential “by username”, “by address”, or “by identifier”.

With the “Parameters” option, the following request parameters will be available, and can be specified in any combination:
- Safe
- Username
- Address
- Use Target Address (checkbox)
- Account Name (identifier)
- Folder
- Database
- Query
- Query Format

For additional information on query parameters, see Tenable documentation or the CyberArk credential provider documentation.

The second improvement is to add a drop-down menu for privilege escalation similar to the “Get Credential By” drop-down menu, called “Get Escalation Credential By”. This eliminates the need to specify a specific escalation credential identifier, as this often leads to usability issues. The new “Parameters” option will also be available for this new drop-down menu.

Note: As a part of this, the “Escalation Account Name” field will no longer be required.

Scope
This will affect the CyberArk authentication method in Windows and SSH Host credentials, as well as Database credentials and the VMware vCenter API credential. It does not affect the CyberArk Auto-Discovery authentication method or the CyberArk (Legacy) method.

Impact
There is no action required for existing scans, which will continue to use their existing preferences. The new features are optional.

Release Date
Oct 14, 2024 for Nessus and TVM
TBD for SC

CyberArk Version 14 PAM Support

Summary
Tenable has verified that our Privileged Access Management (PAM) integration for CyberArk works with version 14 of CyberArk PAM.

Change
Minor plugin changes were released earlier this year to our integration for CyberArk v14 compatibility.

Impact
There is no impact to existing scans. If customers encounter issues with this integration, please open a ticket with Technical Support.

Release Date
May 1, 2024 - TVM, Nessus, and Security Center

CyberArk Database Dynamic Scanning

Summary
We are proud to announce a major feature request for our modern CyberArk integration that eliminates A) the requirement for the user to manually add specific targets to the target settings and B) the need to create multiple credentials in a single scan. However, this feature does allow end users to create up to five credentials in a single scan.

This feature takes advantage of CyberArk’s PVWA REST API to gather bulk account data, adds targets to the scan automatically based on user-driven query parameters, and requests passwords from the CCP/AIM Web Service. Not only does this eliminate the requirement for the user to manually add specific targets to the settings and the need to create multiple credentials, but it also reduces calls to gather passwords.

How it Works
When users create a scan they only need to add one arbitrary target to the settings and set up a single credential (reference the two new credential types in the changes below). The credential simply allows communication and authentication between the scanner/sensor and the two CyberArk APIs (PVWA REST API and CCP/AIM Web Service REST API).

First, we reach out to the PVWA REST API to gather bulk account details for accounts that meet criteria entered by the user within a ‘platform’ query field. We store this account data and automatically add targets/hosts to the scan. On a host-by-host basis, we request a password based on specific account details. If there are 100 targets added to the scan automatically, we make 100 password requests. As mentioned in the summary, this eliminates the need to make unnecessary requests to ‘try’ multiple credentials against a single target.

Changes and Important Notes
- There is a new Database Credential for all Database Types called CyberArk Database Auto-Discovery
- Users only need to enter a single arbitrary target to the scan
- Users only need to set up a single credential mentioned above, but can configure up to 5 if they choose to.
- The current CyberArk credential will remain unchanged and is still available for use
- Users will have to configure specific UI/backend properties (field) within their CyberArk instance for some of the database types. Some database types require more details for authentication like service (database name), service type, and authentication type. Specific guidance can be found in our CyberArk Integration Doc

For more information please refer to our documentation pages.
TVM: https://docs.tenable.com/integrations/CyberArk/vulnerability-management/Content/DynamicScannngIntro.htm
Nessus: https://docs.tenable.com/integrations/CyberArk/Nessus/Content/DynamicScannngIntro.htm

Impact to Existing Scan Policies
There are no impacts to existing CyberArk credential configurations.

Release Date
TVM/Nessus: Tuesday September 5th 2023

CyberArk SSH/Windows Dynamic Scanning

Summary
We are proud to announce a major feature request for our modern CyberArk integration that eliminates A) the requirement for the user to manually add specific targets to the target settings and B) the need to create multiple credentials in a single scan. However, this feature does allow end users to create up to five credentials in a single scan.

This feature takes advantage of CyberArk’s PVWA REST API to gather bulk account data, adds targets to the scan automatically based on user-driven query parameters, and requests passwords from the CCP/AIM Web Service. Not only does this eliminate the requirement for the user to manually add specific targets to the settings and the need to create multiple credentials, but it also reduces calls to gather passwords.

How it Works
When users create a scan they only need to add one arbitrary target to the settings and set up a single credential (reference the two new credential types in the changes below). The credential simply allows communication and authentication between the scanner/sensor and the two CyberArk APIs (PVWA REST API and CCP/AIM Web Service REST API).

First, we reach out to the PVWA REST API to gather bulk account details for accounts that meet criteria entered by the user within a ‘platform’ query field. We store this account data and automatically add targets/hosts to the scan. On a host-by-host basis, we request a password based on specific account details. If there are 100 targets added to the scan automatically, we make 100 password requests. As mentioned in the summary, this eliminates the need to make unnecessary requests to ‘try’ multiple credentials against a single target.

Changes and Important Notes
- There will be two NEW credential types:
  SSH: CyberArk SSH Auto-Discovery
  Windows: CyberArk Windows Auto-Discovery
- Users only need to enter a single arbitrary target to the scan
- Users only need to set up a single credential mentioned above, but can configure up to 5 if they choose to.
- The current CyberArk credential will remain unchanged and is still available for use
- Privilege Escalation on SSH is available using this new feature, but only the SUDO method at this time.
- Domain support is included with Windows configuration, but based on the Domain value in the CyberArk Account details.
- SSH Key authentication is supported, but privilege escalation is not available for this authentication type at this time.

For more information please refer to our documentation pages.
TVM: https://docs.tenable.com/integrations/CyberArk/vulnerability-management/Content/DynamicScannngIntro.htm
Nessus: https://docs.tenable.com/integrations/CyberArk/Nessus/Content/DynamicScannngIntro.htm

Impact to Existing Scan Policies
There are no impacts to existing CyberArk credential configurations.

Release Date
TVM/Nessus: Tuesday September 5th 2023