Re: [Fed-Talk] Tenable/Nessus plugin 93685 - anyone dealing with this headache?


  • Subject: Re: [Fed-Talk] Tenable/Nessus plugin 93685 - anyone dealing with this headache?
  • From: Taylor Armstrong - NOAA Affiliate <email@hidden>
  • Date: Tue, 27 Sep 2016 15:50:44 -0400

Biggest issue is (in my opinion) laziness in Tenable's plugin.  They're not looking for the vulnerability.  For example:  In a previous OS update (I forget if it was 10.9->10.10 or 10.10->10.11), they flagged every system not upgraded as "Critical" because of the Shockwave vulnerability, even though there was a stand-alone patch for the older OS to address it.

I'm in the process now of validating every CVE Tenable listed, to see what may have already been addressed in any of the multiple 10.11 security updates that have come out since the 10.12 beta, just to make sure that they're all accurate, but if anyone else is working along these lines, I'm more than happy to share results.

NIST is essentially worthless as a baseline due to the timeline.  Several of us here are active on the CIS efforts, and we've written our own when we needed to for deadline purposes, but that's at least a couple of months' effort at absolute minimum.  I'm trying to figure out how to deflect some of the heat from this particular plugin as our ISSOs start to see it pop up.

Taylor

On Tue, Sep 27, 2016 at 3:20 PM, Ron Colvin <email@hidden> wrote:
Apple has introduced security with new major OS releases for several years now. Somehow it needs to be built in to the upgrade process that there will be some residual risk until the new OS is approved for deployment. I like Nessus, but as with most tool vendors they are reporting raw CVSS scores; there should be a way to use the scoring tools to measure your risk rather than default CVSS. If Apache isn't running, as an example, I don't think the default CVSS applies.

Apple generally doesn't back-patch so I am fairly certain that some of the vulnerabilities, possibly all, will not be patched in old OS versions.

Planning on accepted risk and mitigations of re-rated vulnerabilities until a new Baseline can be approved is the best advice, I think. Who is your Baseline provider? Weeks, months or years? NIST just closed the comment period for a new Special Publication on 10.10 hardening. The final version for 10.10 only should be out in the next few weeks.


On 9/27/16 3:03 PM, Taylor Armstrong - NOAA Affiliate wrote:
Wondering if anyone is starting to tackle the best way to push back on this.

Tenable added plugin 93685 last week, and it is starting to show up in our environment.

From the description:
The remote host is running a version of Mac OS X that is 10.11.6 or later but prior to macOS 10.12. It is, therefore, affected by multiple vulnerabilities in the following components :
- apache - apache_mod_php - Apple HSSPI Support - AppleEFIRuntime - AppleMobileFileIntegrity - AppleUCC - Application Firewall - ATS - Audio - Bluetooth - cd9660 - CFNetwork - CommonCrypto - CoreCrypto - CoreDisplay - curl - Date & Time Pref Pane - DiskArbitration - File Bookmark - FontParser - IDS - Connectivity - Intel Graphics Driver - IOAcceleratorFamily - IOThunderboltFamily - Kerberos v5 PAM module - Kernel - libarchive - libxml2 - libxslt - mDNSResponder - NSSecureTextField - Perl - S2 Camera - Security - Terminal - WindowServer
Note that successful exploitation of the most serious issues can result in arbitrary code execution.

Solution
Upgrade to macOS version 10.12 or later.
Risk Factor: Critical 


Obviously, 10.12 included a host of security patches.  However, I'm starting to go through the list trying to validate that they're not addressed in 10.11.6 (or that they won't be by the next Security Update).  There's no chance that we're going to rush to upgrade to 10.12 without a secure baseline in place.  From my perspective, this is laziness on Tenable's part: the only check is for OS version; it is not actually validating that any of the vulnerabilities are present on a given system.  Anyone else started working on this one yet?


--
Taylor Armstrong
Contractor at NOAA
Macintosh Systems Administrator
Tel: 301-713-1156, ext 195


 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden

--


********************************************************
Ron Colvin CISSP, CAP, CEH
Certified Security Analyst
NASA ETADS ASCS staff
<email@hidden>
Direct phone 301-286-2451
NASA Jabber (email@hidden) AIM rcolvin13
NASA LCS (email@hidden)
********************************************************

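A small triage helper, added here as an example (it is not code from the thread, from Tenable or from Apple). It reproduces the version-only test the plugin description implies (10.11.6 or later but prior to 10.12) and then narrows the finding the way the thread proposes: drop CVEs already fixed by stand-alone 10.11.6 Security Updates, and drop components that are not present or running on the host. Every CVE id, update name and component mapping in it is a constructed placeholder, not real Apple or Tenable data.

```python
# Added example: triage of a version-only Nessus finding (plugin 93685 style).
# All CVE ids, update names and CVE->component mappings below are CONSTRUCTED
# placeholders; real values must come from the plugin output and Apple's
# security-update release notes.

def parse_version(s):
    """'10.11.6' -> (10, 11, 6); short strings pad with 0 ('10.12' -> (10, 12, 0))."""
    parts = [int(p) for p in s.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def plugin_93685_fires(os_version):
    """The scanner's whole check: only the OS version string is consulted."""
    return (10, 11, 6) <= parse_version(os_version) < (10, 12, 0)

# CVE -> affected component, as the plugin's component list would map them
# (constructed placeholder ids; component names are from the plugin text).
PLUGIN_CVES = {
    "CVE-0000-0001": "apache",
    "CVE-0000-0002": "Kernel",
    "CVE-0000-0003": "curl",
    "CVE-0000-0004": "WindowServer",
}

# Stand-alone updates installed on 10.11.6 and the CVEs each one fixed
# (constructed placeholder; fill from Apple's release notes when validating).
UPDATE_FIXES = {
    "Security Update PLACEHOLDER-A El Capitan": {"CVE-0000-0002"},
}

def triage(os_version, installed_updates, running_components):
    """Re-rate one host: residual = plugin CVEs not yet patched AND whose
    component is actually present/running.  Returns status plus the sets."""
    if not plugin_93685_fires(os_version):
        return {"status": "not_applicable", "residual": set(), "fixed": set()}
    fixed = set().union(*(UPDATE_FIXES.get(u, set()) for u in installed_updates))
    residual = {cve for cve, comp in PLUGIN_CVES.items()
                if cve not in fixed and comp in running_components}
    # Anything left is a genuine, validated exposure; otherwise the "Critical"
    # can be re-rated to accepted risk until the 10.12 baseline is approved.
    status = "critical" if residual else "re_rate_pending_baseline"
    return {"status": status, "residual": residual,
            "fixed": fixed & set(PLUGIN_CVES)}

if __name__ == "__main__":
    print(triage("10.11.6", ["Security Update PLACEHOLDER-A El Capitan"],
                 {"apache", "Kernel"}))
```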
