tls
4 Topics
Tenable will disable the following weak ciphers on, or after, March 10, 2025. This change applies to all sensors connecting to *.cloud.tenable.com, APIs, and users accessing the user interface through a supported browser. This change is to improve security across the Tenable Platform and should be seamless to end users. Please visit the links below to ensure the latest sensor versions are deployed.

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256

The following ciphers are still supported. In the future, this list will continue to change as technology improves.

TLS v1.2:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A

TLS v1.3:
TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A

To ensure connectivity, please upgrade all Tenable products to their latest version per the following:
https://docs.tenable.com/PDFs/product-lifecycle-management/tenable-software-release-lifecycle-matrix.pdf

For an optimal experience and to connect with the minimal cipher suite, use the following systems requirements page as a guide:
https://docs.tenable.com/general-requirements/Content/IOSystemRequirements.htm

New Medium severity TLS 1.1 deprecated Nessus plugin and SSL detection Nessus plugin severity increase

Rationale

Tenable will be publishing a new Medium severity Nessus plugin 157288 "TLS Version 1.1 Protocol Deprecated" to help users identify TLS servers that support TLS 1.1 which is now considered deprecated. This new plugin will allow our users to identify the servers in their environment that support this deprecated TLS protocol. They are then enabled to make informed risk decisions about upgrading, retiring, or strengthening protections around these TLS servers with a defense in depth architecture. This new plugin will be functionally identical to Nessus plugin 121010 except it will be Medium severity instead of Informational. At some point in the future Tenable will be deprecating plugin 121010 as this new plugin will effectively replace it.

Tenable will also be updating the severity of Nessus plugin 20007 "SSL Version 2 and 3 Protocol Detection" from the existing CVSSv2 7.1 (High) and CVSSv3 7.5 (High) to new severity CVSSv2 10.0 (Critical) and CVSSv3 9.8 (Critical).

Impact

Plugin 157288 "TLS Version 1.1 Protocol Deprecated" - Tenable Research has identified that approximately 49% of servers that support SSL/TLS have support for TLS 1.1 enabled. This will manifest in a new Medium severity plugin firing for the majority of users scanning SSL/TLS servers.

Plugin 20007 "SSL Version 2 and 3 Protocol Detection" - Tenable Research has identified that approximately 5% of servers that support SSL/TLS have support for SSL enabled. This will manifest in existing findings from this plugin with a High severity increasing to Critical severity for approximately half of users scanning SSL/TLS servers.

New Nessus plugins

157288 TLS Version 1.1 Protocol Deprecated | CVSSv2 6.1 (Medium) | CVSSv3 6.5 (Medium)

Updated Nessus plugins

20007 SSL Version 2 and 3 Protocol Detection | CVSSv2 10.0 (Critical) | CVSSv3 9.8 (Critical)

Target Release Date

Monday, April 4th, 2022

TLS Discovery Scan Template Settings Optimization

Summary

The default setting for SSL/TLS Service Discovery will be updated to be consistent across all scan policy templates.

Background

Most scan templates other than ones named "Advanced" offer a way to customize some options in each settings category. For scan templates that allow customizing Discovery settings, the default for SSL/TLS service discovery has been "Known ports" even though the default for every other named mode of Discovery settings has been "All" unless otherwise noted in the scan template's description. This has led to different SSL/TLS service discovery when a named setting was chosen or when Custom was chosen and the values were left unmodified.

Solution

The default value for SSL/TLS discovery will be made consistent across all scan policies created from templates that don't explicitly define a value for this setting. The new default for this setting will be "All ports". The default value for this setting will be affected for templates named "Advanced" as well. Current scan policies and scans run from those policies will not be affected.

Impact

Customers who are used to creating Nessus scans from templates and who often use the "custom" mode for Discovery settings or customers who use the Advanced templates will want to evaluate whether or not to change the SSL/TLS discovery setting from its new default. A setting of "None" or "Known ports" may be more desirable to reduce the impact of SSL/TLS service discovery on scan times and/or network load.

Affected Components

Nessus Scan Templates
Tenable.io Scan Templates

Target Release Date

4/15/2021

Tenable Research Release Highlights are posted in advance of significant new releases or updates to existing plugins or audit files that are important for early customer notification.

New Plugin for TLS Version 1.1 Protocol (PCI)

Summary

A new plugin is being released by the end of next week, regarding TLS Version 1.1 and PCI.

Change

After conversations with the PCI Council, we have decided to release a new, specific plugin for TLS Version 1.1 regarding PCI, which will have a severity level of Medium. Nessus Plugin 121010 (TLS Version 1.1 Protocol Detection) will not see its current severity level (info) changed.

Impact

Customers should expect the new TLS 1.1 PCI plugin to fire only on PCI scans, and to report with a severity level of Medium if the protocol is detected.

Target Release Date

7 August 2020