Synopsis
Multiple products from Tenable Network Security are vulnerable to the recently disclosed OpenSSL 'CCS Injection' vulnerability as they bundle affected versions of the software.
The OpenSSL vulnerability is due to a flaw in the handshake process. With a carefully crafted handshake, a remote attacker can force the client or server to use weak keying material. This can then be leveraged to conduct a Man-in-the-Middle (MitM) attack, allowing the decryption or modification of traffic between the victim client and server. This affects the HTTPS web interface of Nessus, SecurityCenter, and PVS, as well as the proxy server of LCE.
Note that while the CVSS score is 6.8 (Medium), the vulnerability typically leads to a considerably more severe impact. Both Nessus and PVS currently have plugins that will detect this vulnerability.
Solution
Tenable has updated the products to address this issue. Please see the product-specific instructions below:
Nessus
Tenable has released version 5.2.7 that corresponds to the supported operating systems and architectures. This version bundles the updated OpenSSL library (1.0.0m), which is not affected.
To update your Nessus installation, follow these steps:
- Download the appropriate installation file to the system hosting Nessus or Nessus Enterprise, available at the Tenable Support Portal (https://support.tenable.com/support-center/index.php?x=&mod_id=200)
- Stop the Nessus service.
- Install according to your operating system procedures.
- Restart the Nessus service.
SecurityCenter
Tenable has released a patch for all supported versions of SecurityCenter that addresses this vulnerability. The following patches apply OpenSSL 1.0.1h, which is not affected:
http://static.tenable.com/prod_docs/upgrade_security_center.html
The patch can be obtained from:
https://support.tenable.com/support-center/index.php?x=&mod_id=160
SecurityCenter 4.8.1 patches:
File md5sum
sc4.8.1-rh6-64.tgz 4ad4fb7bee4546d4c3a59b3ae3da39a6
sc4.8.1-rh6-32.tgz 7a9b66ac070bb322d9eb9127beedab57
sc4.8.1-rh5-64.tgz 003fd53de9d56568d3c29e08c93bcb90
sc4.8.1-rh5-32.tgz 639d867aee00d05f10d71c35ea5683bc
SecurityCenter 4.7.1 patches:
File md5sum
sc4.7.1-rh6-64.tgz 0c23ec8403b4f865953eb5aca6248f16
sc4.7.1-rh6-32.tgz 31e802c05658d9e363174cdaca5461ac
sc4.7.1-rh5-64.tgz d88d8e5842122da166fcb45ccda01233
sc4.7.1-rh5-32.tgz 3e9f009924e692aeae0e795c74b17a2f
SecurityCenter 4.6.2.2 patches:
File md5sum
sc4.6.2.2-rh6-64.tgz 4df5e9904c58a881fa01ca5ac6c52dde
sc4.6.2.2-rh6-32.tgz c014d0258a8af365e5cd609741ea8aab
sc4.6.2.2-rh5-64.tgz fd160d7edb47a00a015624048b941583
sc4.6.2.2-rh5-32.tgz ca22c43ca32b9bc6698c3cc2300ef8f7
Note that the original patches included in this advisory have been deprecated in favor of a newer set of patches listed above that fixes additional issues covered in TNS-2014-04.
PVS
Tenable has released version 4.0.3 that corresponds to the supported operating systems and architectures. This version bundles the updated OpenSSL library (1.0.0m), which is not affected. Upgrade information can be found at:
http://static.tenable.com/prod_docs/upgrade_pvs.html
The updated version of PVS can be obtained from:
https://support.tenable.com/support-center/index.php?x=&mod_id=170
File md5sum
pvs-4.0.3-es5.i386.rpm 4ada80893dbe51d65f12231ab025f145
pvs-4.0.3-es5.x86_64.rpm a6f9b1cc7c4ce29b48b1d1a1e593e4a6
pvs-4.0.3-es6.i686.rpm 3300f2a74750ab1f7c3fe29910d24975
pvs-4.0.3-es6.x86_64.rpm 5980cda1958ed8e9507b74aefd23e2fc
pvs-4.0.3-i386.exe 9b53139d6542e893fc5464819bb64dc5
pvs-4.0.3-x64.exe 73e877ba0a83cffa6c5ce56aac2607fc
pvs-4.0.3-osx.dmg 7d7cc3679a00ea67a79a742c90361f52
LCE
Tenable has released a patch for lce_report_proxyd for 4.2.x versions of the Log Correlation Engine (LCE) that addresses this vulnerability (note that 4.0.2 is supported, but not vulnerable). This patch applies OpenSSL 1.0.0m, which is not affected. The patch can be obtained from:
https://support.tenable.com/support-center/index.php?x=&mod_id=180
Patches
File md5sum
lce_report_proxyd_el5_i386 00d7710fd58e4cc0299a5c21b2307e5c
lce_report_proxyd_el5_x86_64 6ce1006d6a5774e5a74a8953b184708a
lce_report_proxyd_el6_i386 3ad6cd53dbfd86e4003a32bd23889349
lce_report_proxyd_el6_x86_64 4a759371025b7520bfb90b496bfe1e53
To install a patch
# /sbin/service lce_report_proxy stop
# cp --preserve /opt/lce/daemons/lce_report_proxyd /opt/lce/daemons/lce_report_proxyd_422
# cp ~/lce_report_proxyd__ /opt/lce/daemons/lce_report_proxyd
# chown root:root /opt/lce/daemons/lce_report_proxyd
# chmod 6750 /opt/lce/daemons/lce_report_proxyd
# /sbin/service lce_report_proxy start
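The copy steps above with a checksum gate in front, as an added example that is not Tenable's own script: it checks the downloaded file against the md5sum values listed under Patches and leaves the installed daemon untouched on a mismatch. The function names and the optional directory argument are assumptions; stop and start lce_report_proxy around the call as in the steps above.

```shell
#!/bin/sh
# Added example (not from the advisory): verify a downloaded lce_report_proxyd
# patch against the advisory's md5sum values before it replaces the daemon.

# File name -> md5sum, copied from the "Patches" list in this advisory.
ADVISORY_MD5='lce_report_proxyd_el5_i386 00d7710fd58e4cc0299a5c21b2307e5c
lce_report_proxyd_el5_x86_64 6ce1006d6a5774e5a74a8953b184708a
lce_report_proxyd_el6_i386 3ad6cd53dbfd86e4003a32bd23889349
lce_report_proxyd_el6_x86_64 4a759371025b7520bfb90b496bfe1e53'

# Print the advisory's MD5 for a patch file name; fail if the name is not listed.
expected_md5() {
    printf '%s\n' "$ADVISORY_MD5" |
        awk -v f="$1" '$1 == f { print $2; found = 1 } END { exit !found }'
}

# Succeed only if the regular file $1 hashes to the MD5 given in $2.
md5_matches() {
    [ -f "$1" ] || return 1
    actual=$(md5sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# Verify $1 (downloaded patch, named as in the advisory), then swap it into
# the daemon directory $2 (hypothetical parameter, default /opt/lce/daemons).
# Returns 2 for a file name the advisory does not list, 1 for an MD5 mismatch.
install_verified() {
    patch=$1
    dir=${2:-/opt/lce/daemons}
    want=$(expected_md5 "$(basename "$patch")") || {
        echo "not listed in advisory: $patch" >&2
        return 2
    }
    md5_matches "$patch" "$want" || {
        echo "MD5 mismatch, not installing: $patch" >&2
        return 1
    }
    # Same backup, copy, ownership and mode as the manual steps above.
    cp --preserve "$dir/lce_report_proxyd" "$dir/lce_report_proxyd_422" &&
        cp "$patch" "$dir/lce_report_proxyd" &&
        chown root:root "$dir/lce_report_proxyd" &&
        chmod 6750 "$dir/lce_report_proxyd"
}
```

Run it as root, for example `install_verified ~/lce_report_proxyd_el6_x86_64`, between the service stop and start commands.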
Tenable Appliance
Tenable has made version 2.8.1 available which includes updated OpenSSL 1.0.1h files for the bundled SecurityCenter 4.8.1, PVS 4.0.3, Nessus 5.2.7, and corrected operating system binaries.
Please note that TNS-2014-14 also contains patch information relevant to this installation.
Additional References
http://www.openssl.org/news/secadv_20140605.txt
http://ccsinjection.lepidum.co.jp/
https://www.imperialviolet.org/2014/06/05/earlyccs.html