microsoft (25 topics)
Tenable InTune MDM Integration: Application Authentication

Summary
In order to modernize our authentication standards, Tenable is announcing a new authentication option for the InTune Mobile Device Management (MDM) integration, called “application” authentication.

Details
When configuring an InTune Mobile credential, it is now possible to select between “user” and “application” authentication types. With user authentication, a user account is required as well as application credentials. With application authentication, the scanner requests API data on behalf of the application and not a user; application credentials are therefore required, but user credentials are not. Please note that the application authentication type requires a specific permissions configuration: the permissions must be of type “Application” rather than “Delegated”. Updates have been made to the Tenable and Microsoft Intune Mobile Device Management Integration Guide to provide steps to configure authentication. For more information on the differences between user and application access scenarios, please refer to the Microsoft documentation: https://learn.microsoft.com/en-us/entra/identity-platform/permissions-consent-overview#access-scenarios

Impact
Customers are not required to update configurations at this time; existing scans will continue to use user authentication. We encourage customers to review the updated documentation. Customers who plan to enforce mandatory multi-factor authentication (MFA) for user accounts may wish to change to application authentication.

Release Date
7 April 2025 for Nessus and TVM, TBD for SecurityCenter
Updates to Python Installed Packages detection for Windows

Summary
Tenable’s plugin to enumerate installed Python packages on Windows targets will be re-enabled after addressing issues that impacted some systems.

Change
Before this update, plugin 181215, Python Installed Packages (Windows), was disabled. The plugin searches the filesystem of a Windows scan target to find installed Python packages and enumerate them, so that vulnerabilities in the packages can be detected. The plugin was designed to search at a filesystem depth that would result in the most thorough discovery of these packages.

The plugin inadvertently exposed an issue with some Microsoft Entra ID-joined Windows assets, whose authenticated sessions within Microsoft 365 applications like Teams and Office were maintained by “broker” files. When these files were observed during a scan, the brief filesystem lock would cause the authenticated sessions to permanently fail until the broker plugin was reinstalled. This issue was documented in this Tenable KB article.

In the two years since this issue was identified, Tenable Research has updated the plugin code and performed exhaustive testing to ensure the files would be ignored:
- The depth of filesystem directory recursion was reduced.
- The directories on disk where these files sit were explicitly excluded from scans.

Testing included scans against Entra ID-joined machines with authenticated Microsoft 365 apps, and no recurrence of the prior issue was observed. After the update, this plugin will once again be available for customers, so that Python packages can be enumerated on their Windows machines.

Impact
Reports of detections and vulnerabilities for Python packages on Windows machines will show in scan results.

Plugin
181215 - Python Installed Packages (Windows)

Target Release Date
November 4, 2024
Integration Status Plugin Support for Microsoft System Center Configuration Manager

Summary
Tenable is announcing the release of Integration Status Plugin support for Microsoft’s System Center Configuration Manager (SCCM). The purpose of this additional functionality is to provide users with helpful information regarding the success or failure of using SCCM with a target that it manages. This gives users a simple way to check on the status of the integration without having to enable plugin debugging on a per-host basis. Additionally, it improves scan review and performance. In the event that the integration status is a failure, the user can enable plugin debugging, re-scan, and review the logs associated with a particular integration for more detail.

Scope
The integration status plugin will first check that the configured credential can authenticate to the SCCM server. Then the plugin will check that it can use that credential to gather information about the configured target. If there is a problem with the SCCM server or with the packages on the specified target(s), the integration status plugin will report the error and guide the user on where to gather more debug information.

Impact
There is no impact to existing scans. If users encounter issues, please open a ticket with Technical Support.

Release Date
September 27th, 2024
Nessus can now use Kerberos for DCOM Authentication

Summary
Nessus scans that are provided with Windows Kerberos credentials will now use the Kerberos protocol for authentication in plugins that use DCOM or WMI. Kerberos authentication has been available for a long time in Nessus for plugins that only use SMB. Prior to this change, the DCOM/WMI plugins would authenticate using NTLM even if only a Kerberos credential was provided. Microsoft Windows is abandoning NTLM due to security concerns and has recommended host and domain configurations that exclude the use of NTLM.

Change
This implementation of Kerberos for DCOM/WMI only supports the packet integrity authentication level (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY), which is the minimum required since Microsoft hardened DCOM to address CVE-2021-26414. If a server or service requires packet privacy (RPC_C_AUTHN_LEVEL_PKT_PRIVACY), Nessus will not be able to scan it.

Following the deprecation of SHA1 hashes, Kerberos will slowly be updated to use SHA2 hashes on Windows and other platforms. At this time the Nessus implementation does not support SHA2-based checksums or encryption. Future Tenable plans include upgrading the Nessus DCOM implementation to use packet privacy and upgrading the Nessus Kerberos implementation to use SHA2-based cryptography.

Target Release Date
Immediate
Integration Status Plugin

Summary
Tenable is announcing the release of a new plugin named Integration Status. The purpose of this plugin is to provide users with helpful information regarding the success or failure of using one of Tenable’s currently supported PAM, MDM, and/or Patch Management integrations. This gives users a simple way to check on the status of the integration without having to enable plugin debugging on a per-host basis. Additionally, it improves scan review and performance. In the event that the integration status is a failure, the user can enable plugin debugging, re-scan, and review the logs associated with a particular integration for more detail.

Tenable will release this plugin feature in two separate releases, based on user demand. Integrations in the initial release include the following.

PAMs
- Arcon
- BeyondTrust Password Safe
- CyberArk (this includes Legacy, non-Legacy, and Dynamic Scanning)
- Delinea Secret Server
- HashiCorp Vault
- QiAnXin
- SenhaSegura
- WALLIX Bastion

MDMs
- AirWatch
- Blackberry UEM
- IBM MaaS360
- Microsoft InTune
- Workspace ONE

Patch Management
- VMware ESX SOAP API
- VMware vCenter API

Integrations that will be released after the initial release include the following.
- Nutanix
- RedHat Satellite Server
- HCL BigFix
- Microsoft SCCM
- Microsoft WSUS

Scope
This plugin reports the success or failure of an integration, based on the intent of the integration. This varies between PAM, MDM, and Patch Management integrations. Here is a synopsis of each integration type.

Tenable’s PAM integrations retrieve account credentials for one or more targets specified in a scan policy and credential. Tenable determines the success or failure of retrieving the credential from a specific PAM within the scope of the Integration Status plugin. NOTE: This plugin does not include authentication success or failure to the target within its scope. Other plugins exist for this purpose.

Tenable’s MDM integrations retrieve mobile devices and data associated with those devices. Tenable determines success or failure of an MDM integration based on whether devices were retrieved or not.

Tenable Patch Management integrations retrieve patch data from a specific host. In Tenable’s initial release, we’ve included our VMware integrations (ESXi and vCenter). Here are some details regarding the scope of our VMware integrations as they relate to the new plugin.

Users who configure one or more VMware vCenter API credentials can expect to see integration success or failure on a per-host basis. If the target is a vCenter host, Tenable determines whether or not authentication to the API was successful. By adding a vCenter host to the target list, users can get a better perspective on the status of the integration's success or failure. If the target is an ESX host, Tenable determines success or failure based on our ability to retrieve VIBs for this host from data we retrieve from the vCenter host that manages it. In addition, we report the associated vCenter host that manages it.

Users who configure one or more VMware ESX SOAP API credentials can expect to see success or failure based on Tenable’s ability to gather VIBs directly from the specific ESXi host in the target settings.

Impact
There is no impact to existing scans. If users encounter issues, please open a ticket with Technical Support.

Initial Release Date
July 31, 2024 - Tenable Vulnerability Management, Tenable Nessus, and Tenable Security Center

Remaining Integrations Release Date
2024 Q3 - Tenable Vulnerability Management, Tenable Nessus, and Tenable Security Center
Unsupported Internet Explorer detection refinement

Summary
Further refinement of this plugin will align detection of unsupported Internet Explorer installations with updated vendor guidance.

Change
Before this update, in accordance with vendor advisory KB5022834 from February 2023, if the registry key HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\NotifyDisableIEOptions was not present or configured, the Unsupported Internet Explorer detection plugin would report an unsupported installation of the product on versions of Windows prior to 11, and on Windows Server. Windows 11 machines could still report this plugin if paranoia was enabled in the scan configuration.

After this update, to align detection logic with Microsoft’s Internet Explorer Lifecycle FAQ, the check for this registry key has been removed, as it has been determined that the key only affects whether a user is notified that Internet Explorer is disabled. As a result, the plugin will no longer report on Windows 11 devices, or on Windows 10 and Windows Server devices that have a cumulative update superseding the original update that disabled Internet Explorer.

Impact
Fewer reports of unsupported installations of Internet Explorer will show in scan results, as the registry check no longer triggers them.

Plugins
22024 - Microsoft Internet Explorer Unsupported Version Detection

Target Release Date
August 1, 2024
Windows Patch Chain Improvements

What’s happening?
Tenable is releasing an update for Windows vulnerability patch chains in order to increase the accuracy of recommended solutions. More accurate solutions will empower teams to make efficient and complete updates to remediate the active vulnerabilities.

Why is this necessary?
Before 2018, the Windows plugins were written for a particular bulletin. From 2018 onward, the plugins are very specific to a target OS. If patching is significantly out of date, long patch chains may be created for any hosts covered by a bulletin. These hosts may have different solutions, so rolling them up together results in inaccuracies.

How does it work?
Tenable will be introducing a filter to constrain the Windows bulletin patch chains to only the Windows bulletin plugin families. This prevents checks that are less specific from creating bridges between unrelated OS versions. Additionally, we will be improving the grouping of our plugins to ensure that the chains we create are specific to a particular OS bundle or product. This will split up chains in certain cases, but the resulting separate chains will individually be more accurate.

How does this update affect me?
Customers with findings from plugins for Microsoft Windows Bulletins may see some of those chains broken up into 2 or more chains. As an example, our “Windows 2022 / Azure Stack HCI 22H2” plugins will be grouped into one single chain that will no longer include older versions of Windows or Azure Stack HCI. The older versions will show up in a separate chain or separate set of chains. This change is specific to the Solutions view and does not impact findings. For example, before the change, customers could see many Windows hosts that are not related to the Windows 2022 / Azure Stack HCI Security Update recommended solution. After the change, customers will only see the hosts related to the Windows 2022 / Azure Stack HCI Security Update.

When is Tenable releasing the update?
The target release date is March 18, 2024.

What products does this change affect?
Any Tenable product that uses the Solutions view. This includes:
- Tenable Security Center
- Tenable Lumin

What changes do I need to make?
For SC customers, ensure both the plugin feed and the SC feed have been updated from the date March 19, 2024 or later. For Lumin customers, no action is required. After the update, the patch chains will be updated on your next scan.

Does Tenable anticipate making additional changes to the patch chains?
We will continue to evaluate the accuracy of the patch chains and make improvements where necessary. Share feedback with your Tenable Customer Success Manager (CSM) if you have concerns or encounter any issues. Future updates will be announced via the same communication channels as this update.
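The splitting described above, modelled as an added illustration that is not Tenable's code: a toy supersedence graph in which one less specific check bridges two OS-specific chains, then the same graph with the family filter and the OS-bundle grouping applied. The plugin ids, edges and bundle names are constructed, and treating a patch chain as a connected component of the supersedence graph is an assumption of this model, not a description of Tenable's implementation.

```python
# Added illustration, not Tenable's code. Models "patch chains" as connected
# components of a plugin supersedence graph (an assumption) and shows how a
# family filter plus OS-bundle grouping splits a merged chain into per-OS ones.
from collections import defaultdict

# Constructed sample plugins: id -> (plugin family, OS bundle).
# "G1" stands in for an older, less specific check that covers several OS.
PLUGINS = {
    "P1": ("Windows : Microsoft Bulletins", "Windows 2022 / Azure Stack HCI 22H2"),
    "P2": ("Windows : Microsoft Bulletins", "Windows 2022 / Azure Stack HCI 22H2"),
    "P3": ("Windows : Microsoft Bulletins", "Windows 2016"),
    "P4": ("Windows : Microsoft Bulletins", "Windows 2016"),
    "G1": ("Windows", "any"),
}
# Constructed supersedence edges: (older, newer) means newer supersedes older.
SUPERSEDES = [("P1", "P2"), ("G1", "P2"), ("G1", "P4"), ("P3", "P4")]


def chains(plugins, edges, family_filter=None, group_by_bundle=False):
    """Return the patch chains (connected components) as sorted lists.

    family_filter: if given, only plugins in these families take part.
    group_by_bundle: if True, edges joining different OS bundles are dropped.
    """
    keep = {p for p, (fam, _) in plugins.items()
            if family_filter is None or fam in family_filter}
    parent = {p: p for p in keep}          # union-find forest

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for older, newer in edges:
        if older not in keep or newer not in keep:
            continue                        # filtered plugin cannot bridge
        if group_by_bundle and plugins[older][1] != plugins[newer][1]:
            continue                        # keep chains inside one OS bundle
        parent[find(older)] = find(newer)

    groups = defaultdict(set)
    for p in keep:
        groups[find(p)].add(p)
    return sorted(sorted(g) for g in groups.values())


def recommended(chain, edges):
    """Top of a chain: plugins nothing else in the same chain supersedes.

    A merged chain yields several tops (several solutions rolled together);
    a correctly split chain yields exactly one.
    """
    members = set(chain)
    superseded = {older for older, newer in edges
                  if older in members and newer in members}
    return sorted(members - superseded)
```

Without the filter the generic check G1 pulls both OS bundles into one chain with two competing tops; with the family filter or the bundle grouping each OS keeps its own chain and a single recommended solution.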
Nessus now has Entra LAPS Support

Summary
Nessus now has the ability to leverage accounts managed by Microsoft Entra LAPS.

How LAPS works
Since LAPS-managed accounts have their passwords rotated routinely, users cannot simply provide the credentials directly in their Scan Policy. Before this change, users instead had to create an additional privileged account on each LAPS-enabled host to provide to Nessus. Now that Nessus can communicate with an Entra LAPS setup, customers no longer need to have or provide those extra privileged accounts. This means less exposure and less redundancy in a customer’s environment.

Change
With this LAPS support change, during the startup phase of a scan, Nessus will reach out to a Microsoft Entra tenant and pull a list of all local admin accounts managed by LAPS. Nessus will then attempt to use these Entra-provided, LAPS-managed accounts as credentials when attempting to access a target host. The LAPS credentials found are not stored or kept in the scanner configuration in any way and only exist in memory at runtime. Each time a scan is initiated with LAPS support enabled, it will do a fresh pull of credentials.

How to enable it
To make use of Nessus’ Entra LAPS support, customers need a Registered App in their Entra tenant with the DeviceLocalCredential.Read.All permission. This Registered App permission is what allows an app to access the LAPS-managed accounts. Customers with an existing Registered App can configure it for use in Nessus by simply granting the Registered App the DeviceLocalCredential.Read.All permission, allowing Nessus to access LAPS data. Customers without a Registered App will need to create a new one, and provide it as a [Cloud Services Microsoft Azure/Entra Credential] in their Scan Policy.

For additional information see:
https://docs.tenable.com/identity-exposure/3_x/Content/Admin/entra_id_support.htm#Configure-Microsoft-Entra-ID-settings
https://docs.tenable.com/vulnerability-management/Content/Settings/Credentials/CreateManagedCredential.htm

Impact
Customers using rotating host passwords managed through Microsoft Entra LAPS can now leverage these credentials in their Nessus scans for more secure scanning configurations.

Target Release Date
Immediate
Research Release Highlight - Windows OS Field Normalization (English)

Summary
Tenable’s OS identification plugins will now normalize the OS details for Windows scan targets.

Change
Different releases of Microsoft Windows respond with a variety of information to the queries performed by Nessus and Nessus Agent during credentialed scans that catalog an asset’s operating system. The query results may occasionally present differently depending on the functions used by Nessus and Nessus Agent. Nessus and Nessus Agent will now use a single function to normalize English-language results and present a consistent data point for an asset’s operating system to the user.

Impact
Windows assets whose English-language Operating System field value changed between authenticated scans using Nessus and Nessus Agent will now present a consistent value. Dashboards or reports that use the “Operating System” field in the Asset data set, and search for a specific Windows value in that field, may need to be updated. Future updates will add this functionality where necessary for other operating systems as well as other languages.

Plugin
11936 - OS Identification

Target Release
Q4 2023
Updates to Enumeration of Groups on MacOS

Summary
The MacOS user & group enumeration plugin has been updated to enumerate nested groups, and to collect the SMBSID for Active-Directory-created groups.

Change
Users and groups on a MacOS scan target are enumerated with plugin 95929. The plugin has been improved and will now enumerate nested groups - groups that are a subset of another group. In addition, if a group was created by Microsoft Active Directory or Entra, by joining the scan target to one of these directory services, the SMBSID of the group will be collected, so that it can be used as a unique identifier to match with other assets.

Impact
Additional nested group and SMBSID group data will be added to the existing users and groups identified in plugin 95929, if available. Users should see no expansion of the users or groups identified in their scan output as a result of this change.

Plugin
95929 - macOS and Mac OS X User List Enumeration

Target Release Date
August 23, 2023