Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

[R8] Tenable Products Affected by OpenSSL 'CCS Injection' Vulnerability

Medium

Synopsis

Multiple products from Tenable Network Security are vulnerable to the recently disclosed OpenSSL 'CCS Injection' vulnerability as they bundle affected versions of the software.

The flaw in OpenSSL is due to a flaw in the handshake process. With a carefully crafted handshake, a remote attacker can force the client or server to use weak keying material. This can then be leveraged to conduct a Man-in-the-Middle (MitM) attack allowing for the decryption or modification of traffic between the victim client and server. This affects the HTTPS web interface of Nessus, SecurityCenter, and PVS, while affecting the proxy server of LCE.

Note that while the CVSS score is 6.8 (Medium), it typically leads to a considerably more severe impact. Both Nessus and PVS currently have plugins that will detect this vulnerability.

Solution

Tenable has updated the products to address this issue. Please see the product-specific instructions below:

Nessus

Tenable has released version 5.2.7 that corresponds to the supported operating systems and architectures. This version bundles the updated OpenSSL library (1.0.0m), which is not affected.

To update your Nessus installation, follow these steps:

  1. Download the appropriate installation file to the system hosting Nessus or Nessus Enterprise, available at the Tenable Support Portal (https://support.tenable.com/support-center/index.php?x=&mod_id=200)
  2. Stop the Nessus service.
  3. Install according to your operating system procedures.
  4. Restart the Nessus service.

SecurityCenter

Tenable has released a patch for all supported versions of SecurityCenter that addresses this vulnerability. The following patches apply OpenSSL 1.0.1h, which is not affected.:

http://static.tenable.com/prod_docs/upgrade_security_center.html

The patch can be obtained from:

https://support.tenable.com/support-center/index.php?x=&mod_id=160

SecurityCenter 4.8.1 patches:

File                        md5sum
sc4.8.1-rh6-64.tgz          4ad4fb7bee4546d4c3a59b3ae3da39a6
sc4.8.1-rh6-32.tgz          7a9b66ac070bb322d9eb9127beedab57
sc4.8.1-rh5-64.tgz          003fd53de9d56568d3c29e08c93bcb90
sc4.8.1-rh5-32.tgz          639d867aee00d05f10d71c35ea5683bc

SecurityCenter 4.7.1 patches:

File                        md5sum
sc4.7.1-rh6-64.tgz          0c23ec8403b4f865953eb5aca6248f16
sc4.7.1-rh6-32.tgz          31e802c05658d9e363174cdaca5461ac
sc4.7.1-rh5-64.tgz          d88d8e5842122da166fcb45ccda01233
sc4.7.1-rh5-32.tgz          3e9f009924e692aeae0e795c74b17a2f

SecurityCenter 4.6.2.2 patches:

File                            md5sum
sc4.6.2.2-rh6-64.tgz            4df5e9904c58a881fa01ca5ac6c52dde
sc4.6.2.2-rh6-32.tgz            c014d0258a8af365e5cd609741ea8aab
sc4.6.2.2-rh5-64.tgz            fd160d7edb47a00a015624048b941583
sc4.6.2.2-rh5-32.tgz            ca22c43ca32b9bc6698c3cc2300ef8f7

Note that the original patches included in this advisory have been deprecated in favor of a newer set of patches listed above that fixes additional issues covered in TNS-2014-04.

PVS

Tenable has released version 4.0.3 that corresponds to the supported operating systems and architectures. This version bundles the updated OpenSSL library (1.0.0m), which is not affected. Upgrade information can be found at:

http://static.tenable.com/prod_docs/upgrade_pvs.html

The updated version of PVS can be obtained from:

https://support.tenable.com/support-center/index.php?x=&mod_id=170

File					md5sum
pvs-4.0.3-es5.i386.rpm			4ada80893dbe51d65f12231ab025f145    
pvs-4.0.3-es5.x86_64.rpm		a6f9b1cc7c4ce29b48b1d1a1e593e4a6    
pvs-4.0.3-es6.i686.rpm			3300f2a74750ab1f7c3fe29910d24975      
pvs-4.0.3-es6.x86_64.rpm		5980cda1958ed8e9507b74aefd23e2fc    
pvs-4.0.3-i386.exe			9b53139d6542e893fc5464819bb64dc5    
pvs-4.0.3-x64.exe			73e877ba0a83cffa6c5ce56aac2607fc
pvs-4.0.3-osx.dmg			7d7cc3679a00ea67a79a742c90361f52      

LCE

Tenable has released a patch for lce_report_proxyd for 4.2.x versions of the Log Correlation Engine (LCE) that address this vulnerability (note that 4.0.2 is supported, but not vulnerable). This patch applies OpenSSL 1.0.0m, which is not affected. The patch can be obtained from:

https://support.tenable.com/support-center/index.php?x=&mod_id=180

Patches

File					md5sum
lce_report_proxyd_el5_i386		00d7710fd58e4cc0299a5c21b2307e5c
lce_report_proxyd_el5_x86_64		6ce1006d6a5774e5a74a8953b184708a
lce_report_proxyd_el6_i386		3ad6cd53dbfd86e4003a32bd23889349
lce_report_proxyd_el6_x86_64		4a759371025b7520bfb90b496bfe1e53

To install a patch

# /sbin/service lce_report_proxy stop
# cp --preserve /opt/lce/daemons/lce_report_proxyd /opt/lce/daemons/lce_report_proxyd_422
# cp ~/lce_report_proxyd__ /opt/lce/daemons/lce_report_proxyd
# chown root:root /opt/lce/daemons/lce_report_proxyd
# chmod 6750 /opt/lce/daemons/lce_report_proxyd
# /sbin/service lce_report_proxy start

Tenable Appliance

Tenable has made version 2.8.1 available which includes updated OpenSSL 1.0.1h files for the bundled SecurityCenter 4.8.1, PVS 4.0.3, Nessus 5.2.7, and corrected operating system binaries.

Please note that TNS-2014-14 also contains patch information relevant to this installation.

This page contains information regarding security vulnerabilities that may impact Tenable's products. This may include issues specific to our software, or due to the use of third-party libraries within our software. Tenable strongly encourages users to ensure that they upgrade or apply relevant patches in a timely manner.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]