pfSense Forum

pfSense English Support => General Questions => Topic started by: MaxBishop on February 07, 2018, 05:44:34 pm

Title: (solved) Nessus vulnerability false positives
Post by: MaxBishop on February 07, 2018, 05:44:34 pm
I am running version 2.4.2-RELEASE-p1 (amd64)

A Nessus scan shows several false positives identified as: pfSense < 2.1.1 Multiple Vulnerabilities

It reports my installed version as: unknown..0

My question is: is the current version of pfSense hiding its version?

Title: Re: Nessus vulnerability false positives
Post by: johnpoz on February 07, 2018, 07:49:06 pm
How exactly are you scanning - from the public WAN side or LAN side? Do you have ports open on the WAN? What exactly are you scanning with, what version of Nessus/Tenable?
Title: Re: Nessus vulnerability false positives
Post by: MaxBishop on February 08, 2018, 09:27:44 am
Hi,

I'm scanning from the LAN side with:
Nessus  7.0.1 (#108) LINUX
Updated: February 7 at 12:15 PM
Plugin set: 201802071215

The scan identifies 4 Critical, 5 High, and 9 Medium level vulnerabilities.
Code:

CRITICAL 10.0 106488 pfSense < 2.1.1 Multiple Vulnerabilities (SA-14_02 - SA-14_03)
CRITICAL 10.0 106490 pfSense SA-14_08 / pfSense SA-14_09 / pfSense SA-14_10 / pfSense SA-14_11 / SA-14-12 SA-14-12 : Multiple Vulnerabilities
CRITICAL 10.0 106491 pfSense < 2.1.5 Multiple Vulnerabilities (SA-14_15 - SA-14_17)
CRITICAL 0.0 106499 pfSense SA-16_01 / SA-16-02 : Multiple Vulnerabilities
HIGH 9.0 106501 pfSense < 2.3.1-p1 Multiple Vulnerabilities (SA-16_05)
HIGH 9.0 106502 pfSense < 2.3.1-p5 Multiple Vulnerabilities (SA-16_07 - SA-16_08)
HIGH 9.0 106503 pfSense < 2.3.3 Multiple Vulnerabilities (SA-17_01 - SA-17_03)
HIGH 7.8 106489 pfSense < 2.1.3 Remote Denial of Service Vulnerability (SA-14_05)
HIGH 7.5 106498 pfSense SA-15_10 / SA-15-11 : Multiple Vulnerabilities
MEDIUM 6.8 106493 pfSense < 2.2.1 Multiple Vulnerabilities (SA-15_02 - SA-15_04)
MEDIUM 4.3 106492 pfSense < 2.2 Multiple Vulnerabilities (SA-15_01)
MEDIUM 4.3 106494 pfSense < 2.2.2 Multiple Vulnerabilities (SA-15_05)
MEDIUM 4.3 106495 pfSense < 2.2.3 Multiple Vulnerabilities (SA-15_07)
MEDIUM 4.3 106496 pfSense < 2.2.4 Multiple Vulnerabilities (SA-15_07)
MEDIUM 4.3 106497 pfSense < 2.2.5 Multiple Vulnerabilities (SA-15_08)
MEDIUM 4.3 106500 pfSense SA-16_03 / SA-16-04 : Multiple Vulnerabilities
MEDIUM 4.3 106504 pfSense < 2.3.4 DHCP Lease Display XSS (SA-17_04)
MEDIUM 4.3 106505 pfSense < 2.3.4-p1 Multiple Vulnerabilities (SA-17_05 - SA-17_06)

I can provide a more detailed report, but again, all of these are based on the reported pfSense version number (unknown..0).
Title: Re: Nessus vulnerability false positives
Post by: johnpoz on February 08, 2018, 09:34:51 am
Well clearly something is not right if you're running 2.4.2p1 and all those issues are related to running pfSense below, looks like, 2.3.4p1.

I will have to fire up nessus and do a scan, just haven't played with it in a bit - will fire up that VM...
Title: Re: Nessus vulnerability false positives
Post by: MaxBishop on February 08, 2018, 09:41:41 am
Hi,
Thanks,
Let me know if you need any other information.
Meanwhile, I'll check it out in my VM prototype network too.
Title: Re: Nessus vulnerability false positives
Post by: johnpoz on February 08, 2018, 09:53:20 am
Just installed 7.0.1, plugins are compiling, should be able to scan here shortly.
Title: Re: Nessus vulnerability false positives
Post by: MaxBishop on February 08, 2018, 10:13:26 am
Hi,

My virtual network gives me the same results.
Title: Re: Nessus vulnerability false positives
Post by: johnpoz on February 08, 2018, 10:26:42 am
It's still working on the plugins - as soon as it finishes.. If I can duplicate the problem then we can look into why and raise it to either Nessus or pfSense... I know for sure I am running 2.4.2p1... I would assume ;) you know what version you're running.. I take it you're running one on hardware and the other on some VMs. I also have a pfSense VM I can scan.. Currently using sg4860 which is what I will scan first as soon as the plugins finish...
Title: Re: Nessus vulnerability false positives
Post by: MaxBishop on February 08, 2018, 10:36:17 am
Correct: 2.4.2-RELEASE-p1 (in both VM and native network)

My VM network is an isolated system with its own pfsense router.
Title: Re: Nessus vulnerability false positives
Post by: johnpoz on February 08, 2018, 10:38:10 am
My guess is whatever they are doing to detect the version is flawed in some way... Normally you can actually look at the source of the script they use for that specific detection and the output... Will know more and be able to get more details once I can get my system showing the same thing, or maybe not.. It's about ready I hope ;)

They are not actually checking for the issue, they are just reporting known issues with the version it's detecting, which seems to be under 2.1.1?
Title: Re: Nessus vulnerability false positives
Post by: johnpoz on February 08, 2018, 11:25:20 am
Ok, not seeing what you're seeing... Pretty sure I picked the firewall plugins... But let me double check and run another scan... All hits I understand or am OK with. The only one I'm going to look into is the SSL 2 and 3.. No use for those on the webgui - but then again I can only hit that from my trusted network so not really an issue. And can sure set up Nessus to trust my cert signed by my CA..

What exact scan did you do so I can duplicate what you did.. I just picked the basic network scan and thought I had selected the firewalls plugin which includes the pfSense web gui stuff... But will double check that.

Title: Re: Nessus vulnerability false positives
Post by: johnpoz on February 08, 2018, 12:24:58 pm
Yeah, you're going to have to give exact details of your scan... I cannot seem to get it to show those issues.

Information about this scan :

Nessus version : 7.0.1
Plugin feed version : 201802080515
Scanner edition used : Nessus
Scan type : Normal
Scan policy used : Basic Network Scan
Scanner IP : 192.168.9.211
Port scanner(s) : snmp_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : enabled
Web application tests : enabled
Web app tests -  Test mode : single
Web app tests -  Try all HTTP methods : no
Web app tests -  Maximum run time : 5 minutes.
Web app tests -  Stop at first flaw : CGI
Max hosts : 30
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2018/2/8 11:55 CST
Scan duration : 699 sec

Title: Re: Nessus vulnerability false positives
Post by: MaxBishop on February 08, 2018, 01:08:35 pm
Hi,

Advanced Scan:
  Discovery
    General: Test the Local Nessus host
    Ping Methods: ARP, TCP=built-in, ICMP(max=2)
    Port Scanning:
      Local Port Enumerators: SSH, WMI, SNMP, [only run if local failed]
      Network Scanners: SYN
    Service Discovery
      General: Probe all ports
      Search for SSL/TLS ciphers - enumerate all
  Assessment
    General: default
    Brute Force: Only use credentials provided
    Web Applications: Scan web applications: ON

The last item may be of interest.

Meanwhile, I'll try the scan without the Web Applications scan. Then I'll try it with a "reset to factory" in the VM.
Title: Re: Nessus vulnerability false positives
Post by: johnpoz on February 08, 2018, 01:12:15 pm
Thanks

You mean host discovery.. There are options under advanced for discovery..

Yeah that doesn't do much of anything... Please walk me through what you're doing on the new scan screen.. What you pick, what you change in settings, etc.

Title: Re: Nessus vulnerability false positives
Post by: MaxBishop on February 08, 2018, 01:20:09 pm
I edited that last post. (Sorry, I hit post before I was done.)
Title: Re: Nessus vulnerability false positives
Post by: johnpoz on February 08, 2018, 01:21:07 pm
Yeah, scan is running now..

Yeah, not seeing anything like what you're seeing... Did your exact scan settings. See my previous post of what it finds for warnings.

You running like a proxy or pfBlocker or something? The finding of SSL 2 and 3 is because of the ntopng interface on 3000, not the pfSense gui in my findings.

Here's the attached scan using your walk-through of what you changed... Not anything like what you're seeing.. You must have broken something or had a failed update or something??

Title: Re: Nessus vulnerability false positives
Post by: MaxBishop on February 08, 2018, 01:52:57 pm
Hi,

I did have pfBlocker and Suricata installed. Here's what I'm going to do:

1) Uninstall pfBlocker and Suricata and rerun

If that fails, I'll create a fresh install and try it.

Title: Re: Nessus vulnerability false positives
Post by: MaxBishop on February 08, 2018, 02:38:09 pm

OK,

On my Advanced scan I have a plugin tab that shows the CGI abuses plugin as enabled (image attached).

On a from-scratch install, running the scan shows the same set of critical/high/medium vulnerabilities.

However, running the scan with the CGI abuses plugin disabled removes the detections.

Do you have this plugin enabled?
Title: Re: Nessus vulnerability false positives
Post by: johnpoz on February 08, 2018, 02:47:35 pm
All plugins enabled... Yes, went through and made sure my settings were exactly how you stated your settings are... Can post screenshots if you want.

Seems I even have 1 more plugin than you under that: 3785, you list 3784..

My plugins are dated:

Plugins
Last Updated: Today at 5:15 AM
Expiration: February 06, 2023
Plugin Set: 201802080515

Seems your plugins are from yesterday? "201802071215" - you could update them..

edit:  Where exactly did you find this? "reported pfSense version number (unknown..0)."
Title: Re: Nessus vulnerability false positives
Post by: MaxBishop on February 08, 2018, 03:20:36 pm
Below I have the details of one example where the pfSense version shows as unknown. All of the vulnerabilities are in the CGI abuses category and all appear to occur because the version could not be determined by Nessus.

I have also included a screenshot of my pfSense dashboard (this is the from-scratch install).

I am re-running the scan after a complete Nessus update.
Title: Re: Nessus vulnerability false positives
Post by: johnpoz on February 08, 2018, 03:31:32 pm
So to validate that the scanner is looking for problems with below 2.1.1 in the scan... I fired up a liveCD 2.1 release version - and it shows the problems you were seeing..

But on my 2.4.2p1 running the same exact scan does not see these problems.

edit: if I look at the scan of the old 2.1 system it does show that unknown..0 thing, see 2nd pic

Title: Re: Nessus vulnerability false positives
Post by: MaxBishop on February 08, 2018, 04:15:52 pm
Hi,

I'm stumped. I see the problem with:

2.4.2-RELEASE-p1 (amd64)
built on Tue Dec 12 13:45:26 CST 2017
FreeBSD 11.1-RELEASE-p6
The system is on the latest version.
Version information updated at Thu Feb 8 21:44:23 UTC 2018   

It appears to be reproducible with a fresh install. Next I'll test it with the development snapshot.
Title: Re: Nessus vulnerability false positives
Post by: ivor on February 08, 2018, 04:25:50 pm
I would suggest contacting Nessus as this issue is related to their software and the way it's detecting pfSense. As johnpoz has shown, the issue doesn't seem to be occurring to others.
Title: Re: Nessus vulnerability false positives
Post by: MaxBishop on February 08, 2018, 04:43:50 pm
@ johnpoz

Thanks for your work on this.
Title: Re: Nessus vulnerability false positives
Post by: johnpoz on February 09, 2018, 07:18:57 am
When I get back from my walk and snow blowing the drive - freaking lots of snow in Chicagoland last night... I will fire up a fresh 2.4.2 download on a VM and see if I can duplicate.. But I am unable to get it to show what you're showing unless I do scan an OLD pfSense...
Title: Re: Nessus vulnerability false positives
Post by: MaxBishop on February 09, 2018, 08:09:57 am
Hi,

That would be great. Last night I created a VM directly from the developer image and implemented it with the default setup...  and I still got the ominous results. I used a fresh install of the community edition for Nessus and customer feedback is restricted to those who can afford the Pro License (~ $2200/yr).

The CGI vulnerabilities are not identified from the WAN side. The "unknown version" detection is almost certainly a false positive.  If it can't be reproduced, then I am doing something (very) stupid.
Title: Re: Nessus vulnerability false positives
Post by: johnpoz on February 09, 2018, 10:30:52 am
Yeah, I don't have the pro version either... Do you have any sort of proxy or anything between your scanner and the pfSense LAN IP other than a switch? Just so we do apples to apples, are you scanning via IP or FQDN?

I have some real life work to do ;) But will for sure spin up a fresh 2.4.2 VM. I am running the scanner on a 16.04 Ubuntu server VM..
Title: Re: Nessus vulnerability false positives
Post by: MaxBishop on February 09, 2018, 12:15:21 pm
Hi,

Yea, this work stuff always gets in the way of fun.

I have nothing unusual for my setups... no proxy, etc.

My native network is totally vanilla. A pfsense router and an unmanaged switch.

The VM networks consist of multiple VBox machines sharing an internal adaptor. I have two of these, one where the router is the stable release and another with the development snapshot from yesterday.

I have the Nessus community edition installed in Kali and, separately, in Arch Linux.

BTW: I am very impressed with pfSense and I will probably deploy it at the lab where I work..
Title: Re: Nessus vulnerability false positives
Post by: johnpoz on February 09, 2018, 12:30:08 pm
Ok -- so very odd... I just started a scan on the fresh VM.. 2.4.2, not p1, and it is showing the same issues with the 2.1.1 errors..

Now here is the thing... I set the web gui to be just on 80... While my main sg4860 is only on SSL... Let me change the 2.4.2 VM web to be on SSL only and rescan.
Title: Re: Nessus vulnerability false positives
Post by: johnpoz on February 09, 2018, 12:43:26 pm
Well that wasn't it... Still getting errors with 2.4.2, not p1, using 8443...

 URL               : https://192.168.9.45:8443/
  Installed version : unknown..0
  Fixed version     : 2.1.1

Let me update it to P1.. and scan again.

edit: Ok, so while the VM was updating to 2.4.2p1 I rescanned my sg4860... And not seeing the errors... So if this is clean after the update.. My GUESS would be that your system failed in its update to 2.4.2p1?? Give me a few minutes, scanning the VM now.

edit2: Well WTF... So why is it the clean VM shows the problem, but my sg4860 does not?? Could it really be something different in the CE version over the Netgate version?? Going to have to look at the test they do against pfSense when it fails and then run that specific check against the sg4860... The only thing off the top I can think of is I am running a valid cert vs self signed, even though Nessus doesn't trust it. And am running ntop on 3000 as another webserver, maybe that is confusing Nessus.. Let me turn that off and scan my sg4860 again.

Ok, this makes ZERO sense... When I search the audit trail for this plugin ID it shows pfSense not found on 80???

Title: Re: Nessus vulnerability false positives
Post by: johnpoz on February 09, 2018, 01:47:55 pm
Well it uses pfsense_webui_detect.nbin in the nasl -- this is clearly broken it seems...
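To show the mechanism johnpoz and MaxBishop describe (the plugins compare whatever version string the detector hands back against a fixed version, and a string like "unknown..0" sorts below every threshold), here is an added Python example; it is not from the thread and not Tenable's plugin code. The plugin-id to fixed-version table is reconstructed from the finding titles quoted earlier (plugins whose titles carry no "<" threshold are left out), and the lenient comparison is a hypothetical stand-in for whatever the real plugin does, placed beside a hardened version that reports an unparseable version as undetermined rather than vulnerable.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the finding titles quoted in the thread: plugin id -> fixed version.
# Plugins whose titles carry no "< version" threshold (106490, 106498, 106499, 106500)
# are left out. This table is an assumption for illustration, not Tenable's own data.
FIXED_VERSIONS: Dict[int, str] = {
    106488: "2.1.1", 106489: "2.1.3", 106491: "2.1.5", 106492: "2.2",
    106493: "2.2.1", 106494: "2.2.2", 106495: "2.2.3", 106496: "2.2.4",
    106497: "2.2.5", 106501: "2.3.1-p1", 106502: "2.3.1-p5",
    106503: "2.3.3", 106504: "2.3.4", 106505: "2.3.4-p1",
}

# Accepts the forms seen in the thread: "2.1", "2.3.4-p1", "2.4.2-RELEASE-p1".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-RELEASE)?(?:-p(\d+))?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Strict parse to (major, minor, patch, p-level); None when the string
    is not a version at all, e.g. the "unknown..0" the scanner reported."""
    m = VERSION_RE.match(text.strip())
    if m is None:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch or 0), int(plevel or 0))


def naive_is_vulnerable(installed: str, fixed: str) -> bool:
    """Hypothetical lenient comparison: every non-numeric field becomes 0, so
    "unknown..0" turns into (0, 0, 0, 0) and sorts below every fixed version.
    This is the shape of logic that yields one finding per version-check plugin."""
    def lenient(s: str) -> Tuple[int, ...]:
        fields = [int(p) if p.isdigit() else 0 for p in re.split(r"[.-]", s)]
        return tuple((fields + [0, 0, 0, 0])[:4])
    return lenient(installed) < lenient(fixed)


def assess(installed: str, fixed: str) -> str:
    """Hardened comparison: an unparseable detected version is reported as
    'undetermined' instead of being scored as vulnerable."""
    inst, fix = parse_version(installed), parse_version(fixed)
    if inst is None or fix is None:
        return "undetermined"
    return "vulnerable" if inst < fix else "not vulnerable"


def triage(installed: str) -> Dict[str, List[int]]:
    """Run every threshold in FIXED_VERSIONS against one detected version
    string and group the plugin ids by verdict."""
    out: Dict[str, List[int]] = {"vulnerable": [], "not vulnerable": [], "undetermined": []}
    for plugin_id, fixed in sorted(FIXED_VERSIONS.items()):
        out[assess(installed, fixed)].append(plugin_id)
    return out


if __name__ == "__main__":
    # The three detected strings from the thread: a current box, the 2.1 liveCD,
    # and the failed detection.
    for detected in ("2.4.2-RELEASE-p1", "2.1", "unknown..0"):
        naive = sum(naive_is_vulnerable(detected, f) for f in FIXED_VERSIONS.values())
        print(f"{detected:18} naive findings: {naive:2}  hardened: {triage(detected)}")
```

Running it shows the naive comparison producing the same number of findings for "unknown..0" as for a genuine 2.1 liveCD, while the hardened check lists every plugin as undetermined for the failed detection and none as vulnerable for 2.4.2-RELEASE-p1.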
Title: Re: Nessus vulnerability false positives
Post by: MaxBishop on February 09, 2018, 04:12:37 pm
Setting my web port to 8083 seems to correct the problem.

Perhaps a Nessus Pro subscriber could ring their bell on this. For 2200 bucks I say they should have some pull.

Meanwhile johnpoz, you really do an outstanding job of serving the community.

(No snow in Boston)
Title: Re: (solved) Nessus vulnerability false positives
Post by: ivor on February 10, 2018, 09:48:09 am
Great work johnpoz!
Title: Re: (solved) Nessus vulnerability false positives
Post by: johnpoz on February 10, 2018, 10:09:32 am
Thanks ivor, but setting the GUI to a different port doesn't really fix anything - it just masks the problem. For whatever reason it seems that the Nessus detection of pfSense is just broken.. I tried running the nbin that the nasl script calls; it doesn't seem to output anything. I would have to dig way deeper than I feel like doing ;)

They don't even seem to have a forum where other home users of the FREE activation can discuss problems and tricks, etc. Unless there is some 3rd party place which I have not looked into.. To be honest any such scan from the LAN side is kind of pointless if you ask me..

You should know without some scan telling you that you're not up to date... Everything else it told me, like my SNMP community was public, and it didn't trust the CA that signed the cert.. Oh you mean I allow snoop to unbound in the ACL.. All stuff that I already knew - the only little tidbit that was any sort of surprise was that the ntopng gui on 3000 was still using SSL 3, etc. I would be a bit concerned with that if it wasn't only accessed from my private secure network ;)

If you do get any more info MaxBishop I would be curious on their broken detection binary..
Title: Re: (solved) Nessus vulnerability false positives
Post by: jimp on February 13, 2018, 02:32:04 pm
For what it's worth, I believe it's a benefit that a scanner is unable to properly determine what you're running. Why make it any easier on someone or something to figure out what you've got? :-)
Title: Re: (solved) Nessus vulnerability false positives
Post by: bamhm182 on February 17, 2018, 10:26:07 am
Came across this because I'm having the same results w/ the newest version of Nessus and the newest version of pfSense. Did anyone ever get around to making a support ticket with Nessus? If we haven't gotten a response from someone with Nessus Pro, we might as well create one from a Nessus Free account. Better than nothing.

jimp, just because the current Nessus scanner doesn't detect the version doesn't mean it isn't possible. If the reason they can't fix it is because it isn't possible, that's another thing.
Title: Re: (solved) Nessus vulnerability false positives
Post by: MaxBishop on February 18, 2018, 07:45:46 am
I don't think any of us has the (very) expensive Pro license. As best I can tell, there is no way to feed back to Tenable without one.
Title: Re: (solved) Nessus vulnerability false positives
Post by: Sn3ak on February 18, 2018, 07:33:33 pm
For what it's worth, I believe it's a benefit that a scanner is unable to properly determine what you're running. Why make it any easier on someone or something to figure out what you've got? :-)

Obscurity is not security. This is a bad line of thinking, especially if you wish to sell to Enterprises. Sure, hiding as much as possible from external attackers is nice but hiding from your CS department (or yourself) is generally not a good practice.

I came here as I too have the same problem on several Netgate boxes running 2.4.2_p1.

I'm not sure why this thread is marked as solved, it doesn't seem to be. I'll try and enquire with my support desk and see if I can get some answers about how the binary is detecting (or not, as is the case) the version. I don't know if they will have any real motivation to help, as I am low in the food chain and pfSense is not on the supported list. If I find anything helpful, I will report back. I am running with SecurityCenter, so I don't have as much control over the scans as you guys appear to.

I will also be trying a credentialed scan hopefully tomorrow and see if that changes things at all.
Title: Re: (solved) Nessus vulnerability false positives
Post by: ivor on February 19, 2018, 02:46:35 am
It's marked solved because it's not a pfSense issue. It's related to the way Nessus detects pfSense. If you want it fixed, please contact Nessus. Thread locked.
Title: Re: (solved) Nessus vulnerability false positives
Post by: jimp on February 19, 2018, 08:06:27 am
Obscurity is not security. This is a bad line of thinking, especially if you wish to sell to Enterprises. Sure, hiding as much as possible from external attackers is nice but hiding from your CS department (or yourself) is generally not a good practice.

This is not security by obscurity. It's reducing unnecessary information exposure. If you rely on the device itself to tell you what version something is, you need to have a proper mechanism setup and in place to do that internally (e.g. SNMP or other means of querying the device).

Being able to determine the OS based on network behavior or daemon responses is not a reliable detection mechanism, and being able to do so is a problem, not a solution. I wouldn't go so far as to say it's a security issue if you can identify the OS, but it's still better if it's not accurately discernible.