Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Brian Martin

Tenable Security Response

Brian Martin's picture
Security Advisory
Wednesday, April 9, 2014

SecurityCenter is vulnerable to the recently disclosed OpenSSL 'Heartbleed' vulnerability as it bundles the software. The flaw in OpenSSL is due to an out-of-bounds read flaw that is triggered during...

Security Advisory
Thursday, March 20, 2014

Nessus contains a race condition in the Malicious Process Detection plugin that leads to unauthorized privileges being gained. The issue is due to the plugin creating a binary with a...

Security Advisory
Monday, September 23, 2013

SecurityCenter contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'message' parameter upon submission to the devform.php script...

Security Advisory
Tuesday, October 25, 2011

Tenable's Nessus scanner is affected by a vulnerability in the bundled version of the OpenSSL library. The issue is triggered when a malicious client requests multiple SSL/TLS renegotations, and will...

Blog Post
Thursday, September 29, 2011

During the past few weeks, the Tenable R&D team has created several plugins to enhance SSL certificate auditing capability. Nessus will identify SSL certificates regardless of port and launch dozens of plugins to check for a variety of weaknesses and vulnerabilities. Three new plugins expand that auditing capability to more effectively audit your organization. SSL Certificate Fails to Adhere to Basic Constraints / Key Usage Extensions Tenable has released a plugin titled “SSL Certificate Fails to Adhere to Basic Constraints / Key Usage Extensions” (ID# 56284) to help users verify X.509 / SSL certificate chains. Based on RFC 3280 guidelines , Nessus will examine an SSL certificate found on any port to verify that it adheres to all basic constraints and key usage extensions. If an X.509 certificate in a chain fails to adhere to constraints and usage extensions, Nessus will report that violations are present. This finding means that either a root or intermediate Certificate Authority (CA) signed a certificate incorrectly.

Blog Post
Friday, April 1, 2011

Supervisory Control And Data Acquisition , or SCADA, generally refers to the computers that control industrial and infrastructure systems. These include systems found in power plants, nuclear reactors, commercial buildings and more. The last few weeks have seen another serious blow to the perception of SCADA security. On March 21 st , Luigi Auriemma posted to the Full-Disclosure mail list announcing his research and vulnerability findings in SCADA products from vendors such as Siemens, Iconics, 7-Technologies and DATAC. Auriemma’s post included links to 34 advisories ranging from overflows to denial of service. Due to the sensitive nature of SCADA systems and the resources they control, his research made the news . A day later, Ruben Santamarta (aka reversemode) announced the availability of vulnerability information in SCADA vendors including Advantech/BroadWin and CSE-Semaphore. The next day, US-Cert issued an advisory about SQL injection vulnerability in Ecava IntegraXor , another SCADA system.

Blog Post
Tuesday, March 1, 2011

Tenable is pleased to announce the release of Nessus 4.4.1! This is a point release (moving from 4.4.0 to 4.4.1), containing several enhancements and minor bug fixes. From a user perspective, there is a new feature that allows the SYN scanner to be selectively throttled. A new setting, nessus_syn_scanner.global_throughput.max can be added to the nessusd.conf file. The option sets the maximum number of packets per second that Nessus will send during a SYN port scan (regardless of how many hosts are scanned in parallel).

Security Advisory
Wednesday, October 27, 2010

Early 4.0.x versions of Nessus for bundle the Qt browser. Nessus versions for Windows, not Unix, were affected by the following issue. QtWeb Browser is prone to a flaw in...

Blog Post
Tuesday, September 14, 2010

Many corporations spent last weekend playing “Whack-a-Worm”, attempting to eradicate the “Here You Have” worm. The major problem with viruses and worms is that once you think you have removed...

Blog Post
Monday, August 2, 2010

Intro The first time I was asked to scan a Class B network, my initial reaction was “Are you kidding me?” I actually thought it was a trick question to see how I reacted to unexpected situations. I had just two weeks to develop a strategy and perform the scan. This seemed to be a daunting task. Ten years later, I had provided assessments for Class B (or bigger) networks over a dozen times, mostly for government agencies and the occasional university. Performing an audit of tens of thousands of IP addresses is no different from any other audit, unless time is restrictive. Large IP blocks in small time periods require you to revise your normal assessment methodology. Where you typically scan 65,535 ports on a machine, you may only be able to scan a dozen or two. Instead of examining every open port on a machine, time constraints may force you to focus on low-hanging fruit and services that are prone to high-risk vulnerabilities. Developing a Methodology Thinking about the polar opposites in assessment, you have a single IP address on one side, and a Class B network on the other. Adjusting your methodology to account for the number of machines becomes a balancing act between allotted time and number of targets. As the number of systems to scan increases, while the time allocated to scan remains constant, the amount of time per system must decrease.

Pages

Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.