Tenable Blog

Announcements

• We're hiring! - Visit the Tenable website for more information about open positions.
• Check out our video channel on YouTube which contains new Nessus and SecurityCenter 4 tutorials.
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more!
• Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!
• You can subscribe to the Tenable Network Security Podcast on iTunes!

New & Notable Plugins

Nessus

• Active Inbound Connection From Host Listed in Known Bot Database - The ability to identify whether a host is connecting to a host in a botnet, or a host in a botnet is connected to it, is important information.
• Cisco ASA 5500 Series DoS - I lost track of how many times I've been taunted with the words, "I'm gonna DoS your firewall!" Oh wait, that was just something I heard in the movies and on TV. Turns out it's a reality if you're using an ASA firewall configured with IPv6. I wonder just how many more vulnerabilities are going to crop up for IPv6 protocol stacks (we even see IPv4 vulnerabilities crop up now and again!).
• Malicious Process Detection: Potentially Unwanted Software - Nessus now makes the distinction between malware and software that could be used for "evil" but has a chance of not being malicious (like Netcat).
• MikroTik Winbox Less Than 5.17 File Download DoS - " An unauthenticated, remote attacker may make multiple requests to download a large file, resulting in the service becoming unresponsive." MikroTik makes some super cool hardware too, fantastic wireless access points. They have their own operating system called RouterOS, however, this vulnerability is in a utility called Winbox used to configure the operating system.
• Oracle iPlanet Web Server Between 7.0 and 7.0.15 Vulnerabilities - Looks like some XSS vulnerabilities and one bug called "Range Header DoS" are listed as "could not be reproduced."
• Winamp Less Than 5.63 Vulnerabilities - Winamp is still going strong with all kinds of software products for media. Turns out they have some vulnerabilities that have been corrected.
• ACDSee Pro Less Tan 5.2 Memory Corruption Vulnerabilities - No, not the great classic rock band, the image editing application! They have patched four heap overflows, and something about being a long way to the top if you want to heap overflow.
• HAProxy Trash Buffer Overflow Vulnerability - HAProxy is a load balancer, have to make sure this type of device is always patched as even DoS vulnerabilities can be severe (though this one happens to be a buffer overflow). There are some mitigating circumstances: "It requires that the global.tune.bufsize option is set to a value greater than default and that header rewriting is configured."
• Quagga Less Than 0.99.19 Vulnerabilities - For those that may not know: "Quagga is a routing software suite, providing implementations of OSPFv2, OSPFv3, RIP v1 and v2, RIPng and BGP-4 for Unix platforms, particularly FreeBSD, Linux, Solaris and NetBSD. Quagga is a fork of GNU Zebra which was developed by Kunihiro Ishiguro." We recently published quite a few plugins to detect vulnerabilities on this platform.

Announcements

• We're hiring! - Visit the Tenable website for more information about open positions.
• Check out our video channel on YouTube which contains new Nessus and SecurityCenter 4 tutorials.
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more!
• Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!
• You can subscribe to the Tenable Network Security Podcast on iTunes!

New & Notable Plugins

Nessus

• Measuresoft ScadaPro DLL Injection Code Execution
• MailEnable ForgottenPassword.aspx Username Parameter XSS
• XnView less than Version 1.99.0 Multiple Vulnerabilities
• Rocket Software UniData less than Version 7.3 Remote Command Execution (credentialed check)
• Kerio WinRoute Firewall Web Server Remote Source Code Disclosure

Tenable CEO and CTO Ron Gula took a few minutes to talk about some of the important new features of Log Correlation Engine (LCE) version 4. Watch now on Tenable's YouTube Channel:

Password Breaches Are Nothing New

You don't have to look very hard to find an article discussing password breaches. Recently, there was a lot of buzz around LinkedIn, LastFM, and eHarmony, three very large sites suffering from passwords being leaked to the public. This is not a new phenomenon (earlier this year everyone was all up in arms about the Zappos password breach), but one that continues to garner attention in the media.

However, what most journalists are saying about password breaches is likely different from what I am about to tell you -- it simply does not matter how strong your password is, how it is encrypted when stored by the provider, or how the transport layer is encrypted (e.g., SSL). Here's why:

How It's Encrypted Matters, but No One Does It Right

Many websites today, primarily for performance reasons, are using traditional one-way hashing algorithms to store your passwords (such as MD5 or SHA1). This means you give the website a password, it computes a cryptographic hash and stores it in a database of some kind. The plaintext password should never be written to disk. The next time you login, the website computes the hash in the same manner and compares it to the value stored in the database.

This is all well and good, until someone obtains a copy of the password hashes. Obtaining the hashes, without any other protections, such as password salting, two or more users with the same password will have the same hash value. This allows attackers to generate very large databases of already-hashed passwords and make a comparison. Hardware on graphics processing units (GPU) can help accelerate the process. There are also websites that will provide hash-cracking services (submit the hash to a website and get the cleartext password in return). Several of these sites also use “Rainbow Tables,” a form of lookup tables which takes a bit longer, but allows for smaller tables. A ‘salt’ will help slow down this process, a little. Salts are a random string appended to the password such that user's passwords are different. However, sometimes developers implement salts incorrectly, and use the same salt for each user or store the salt where attackers can obtain it (or calculate it). Even if salts are implemented correctly, the processing power of GPUs can be used to crack the salted password hashes in more time, using even larger pre-computed password dictionaries than ones without a salt. What does all this mean? Likely, at least a few websites (internal to your organization or external) are storing your password using a hash that can be reversed in a relatively short timeframe, depending on the hash used and computing power of the attacker.

Announcements

• We're hiring! - Visit the Tenable website for more information about open positions.
• Check out our video channel on YouTube which contains new Nessus and SecurityCenter 4 tutorials.
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more!
• Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!
• You can subscribe to the Tenable Network Security Podcast on iTunes!

New & Notable Plugins

Nessus

• Symantec Endpoint Protection Manager Versions less than 11 RU7 MP2 (credentialed check)
• ImageMagick Versions less than 6.7.6-4 Heap-Based Buffer Overflow
• Pretty Link Plugin for WordPress url Parameter XSS
• Cobbler xmlrpc API Remote Shell Command Execution
• Firefox 12.x Multiple Vulnerabilities (Mac OS X)
• Adobe AIR for Mac OS X 3.x Multiple Vulnerabilities
• Flash Player for Mac OS X Multiple Vulnerabilities (APSB12-14)