Author Topic: (solved) Nessus vulnerability false positives  (Read 707 times)

Offline MaxBishop

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
    • View Profile
(solved) Nessus vulnerability false positives
« on: February 07, 2018, 05:44:34 pm »
I am running version 2.4.2-RELEASE-p1 (amd64)

A Nessus scan shows several false positives identified as: pfSense < 2.1.1 Multiple Vulnerabilities

It reports my installed version as: unknown..0

My question is: is the current version of pfSense hiding its version?

« Last Edit: February 09, 2018, 05:43:14 pm by MaxBishop »

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 15189
  • Karma: +1414/-206
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: Nessus vulnerability false positives
« Reply #1 on: February 07, 2018, 07:49:06 pm »
How exactly are you scanning - from public wan side or lan side?  Do you have ports open on the wan?  What exactly are you scanning with, what version of Nessus/Tenable?
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline MaxBishop

Re: Nessus vulnerability false positives
« Reply #2 on: February 08, 2018, 09:27:44 am »
Hi,

I'm scanning from the LAN side with:
Nessus  7.0.1 (#108) LINUX
Updated: February 7 at 12:15 PM
Plugin set: 201802071215

The scan identifies 4 Critical, 5 High, and 9 Medium level vulnerabilities.

CRITICAL 10.0 106488 pfSense < 2.1.1 Multiple Vulnerabilities (SA-14_02 - SA-14_03)
CRITICAL 10.0 106490 pfSense SA-14_08 / pfSense SA-14_09 / pfSense SA-14_10 / pfSense SA-14_11 / SA-14-12 SA-14-12 : Multiple Vulnerabilities
CRITICAL 10.0 106491 pfSense < 2.1.5 Multiple Vulnerabilities (SA-14_15 - SA-14_17)
CRITICAL 0.0 106499 pfSense SA-16_01 / SA-16-02 : Multiple Vulnerabilities
HIGH 9.0 106501 pfSense < 2.3.1-p1 Multiple Vulnerabilities (SA-16_05)
HIGH 9.0 106502 pfSense < 2.3.1-p5 Multiple Vulnerabilities (SA-16_07 - SA-16_08)
HIGH 9.0 106503 pfSense < 2.3.3 Multiple Vulnerabilities (SA-17_01 - SA-17_03)
HIGH 7.8 106489 pfSense < 2.1.3 Remote Denial of Service Vulnerability (SA-14_05)
HIGH 7.5 106498 pfSense SA-15_10 / SA-15-11 : Multiple Vulnerabilities
MEDIUM 6.8 106493 pfSense < 2.2.1 Multiple Vulnerabilities (SA-15_02 - SA-15_04)
MEDIUM 4.3 106492 pfSense < 2.2 Multiple Vulnerabilities (SA-15_01)
MEDIUM 4.3 106494 pfSense < 2.2.2 Multiple Vulnerabilities (SA-15_05)
MEDIUM 4.3 106495 pfSense < 2.2.3 Multiple Vulnerabilities (SA-15_07)
MEDIUM 4.3 106496 pfSense < 2.2.4 Multiple Vulnerabilities (SA-15_07)
MEDIUM 4.3 106497 pfSense < 2.2.5 Multiple Vulnerabilities (SA-15_08)
MEDIUM 4.3 106500 pfSense SA-16_03 / SA-16-04 : Multiple Vulnerabilities
MEDIUM 4.3 106504 pfSense < 2.3.4 DHCP Lease Display XSS (SA-17_04)
MEDIUM 4.3 106505 pfSense < 2.3.4-p1 Multiple Vulnerabilities (SA-17_05 - SA-17_06)

I can provide a more detailed report, but again, all of these are based on the reported pfSense version number (unknown..0).
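
Added example, not part of the original post and not Nessus or pfSense code: a Python triage of version-threshold findings like those listed above, compared against the version actually installed. The function names and verdict labels are assumptions made for this illustration; the four sample lines are copied from the list above.

```python
import re

# Sample input: four lines taken from the scan output in the post above.
SAMPLE = """\
CRITICAL 10.0 106488 pfSense < 2.1.1 Multiple Vulnerabilities (SA-14_02 - SA-14_03)
CRITICAL 0.0 106499 pfSense SA-16_01 / SA-16-02 : Multiple Vulnerabilities
HIGH 9.0 106502 pfSense < 2.3.1-p5 Multiple Vulnerabilities (SA-16_07 - SA-16_08)
MEDIUM 4.3 106505 pfSense < 2.3.4-p1 Multiple Vulnerabilities (SA-17_05 - SA-17_06)
"""

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-RELEASE)?(?:-p(\d+))?$")
FINDING_RE = re.compile(r"^(CRITICAL|HIGH|MEDIUM|LOW)\s+(\d+\.\d+)\s+(\d+)\s+(.*)$")
THRESHOLD_RE = re.compile(r"pfSense < (\S+)")

def parse_version(text):
    """Return (major, minor, patch, p-level), or None if text is not a version."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())

def triage(report, installed, detected):
    """Classify findings using the installed version and the scanner-reported one."""
    inst = parse_version(installed)
    if inst is None:
        raise ValueError(f"cannot parse installed version {installed!r}")
    det = parse_version(detected)  # None when the scanner reports e.g. "unknown..0"
    results = []
    for line in report.splitlines():
        m = FINDING_RE.match(line.strip())
        if not m:
            continue
        severity, _cvss, plugin_id, title = m.groups()
        t = THRESHOLD_RE.search(title)
        fixed_in = parse_version(t.group(1)) if t else None
        if fixed_in is None:
            verdict = "manual-review"          # title names no fixed-in version
        elif inst < fixed_in:
            verdict = "confirmed-by-version"   # installed build really is older
        elif det is None or det < fixed_in:
            verdict = "likely-false-positive"  # scanner misread the version
        else:
            verdict = "manual-review"          # versions agree, yet plugin fired
        results.append((plugin_id, severity, verdict))
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE, "2.4.2-RELEASE-p1", "unknown..0"):
        print(*row)
```

Findings whose titles name only an advisory ID, with no "pfSense < x" threshold, are left for manual review because the list gives no fixed-in version to compare against.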

Offline johnpoz

Re: Nessus vulnerability false positives
« Reply #3 on: February 08, 2018, 09:34:51 am »
Well clearly something is not right if you're running 2.4.2p1 and all those issues are related to running pfsense below looks like 2.3.4p1.

I will have to fire up nessus and do a scan, just haven't played with it in a bit - will fire up that VM...

Offline MaxBishop

Re: Nessus vulnerability false positives
« Reply #4 on: February 08, 2018, 09:41:41 am »
Hi,
Thanks,
Let me know if you need any other information.
Meanwhile, I'll check it out in my VM prototype network too.

Offline johnpoz

Re: Nessus vulnerability false positives
« Reply #5 on: February 08, 2018, 09:53:20 am »
Just installed 7.0.1, plugins are compiling, should be able to scan here shortly.

Offline MaxBishop

Re: Nessus vulnerability false positives
« Reply #6 on: February 08, 2018, 10:13:26 am »
Hi,

My virtual network gives me the same results.

Offline johnpoz

Re: Nessus vulnerability false positives
« Reply #7 on: February 08, 2018, 10:26:42 am »
It's still working on the plugins - as soon as it finishes.. If I can duplicate the problem then we can look into why and raise it to either nessus or pfsense... I know for sure I am running 2.4.2p1... I would assume ;) you know what version you're running.. I take it you're running one on hardware and other on some vms.  I also have a pfsense vm I can scan.. Currently using sg4860 which is what I will scan first as soon as the plugins finish...

Offline MaxBishop

Re: Nessus vulnerability false positives
« Reply #8 on: February 08, 2018, 10:36:17 am »
Correct: 2.4.2-RELEASE-p1 (in both VM and native network)

My VM network is an isolated system with its own pfsense router.

Offline johnpoz

Re: Nessus vulnerability false positives
« Reply #9 on: February 08, 2018, 10:38:10 am »
My guess is whatever they are doing to detect version is flawed in some way... Normally you can actually look at the source of the script they use for that specific detection and the output... Will know more and be able to get more details once I can get my system showing the same thing or maybe not.. It's about ready I hope ;)

They are not actually checking for the issue, they are just reporting known issues with version it's detecting which seems to be under 2.1.1?

Offline johnpoz

Re: Nessus vulnerability false positives
« Reply #10 on: February 08, 2018, 11:25:20 am »
Ok not seeing what you're seeing... Pretty sure picked the firewall plugins... But let me double check and run another scan... All hits I understand or am OK with.  The only one going to look into is the ssl 2 and 3..  No use for those on the webgui - but then again only can hit that from my trusted network so not really an issue.  And can sure setup nessus to trust my cert signed by my CA..

What exact scan did you do so I can duplicate what you did.. I just picked the basic network scan and thought I had selected the firewalls plugin which includes the pfsense web gui stuff...  But will double check that.


Offline johnpoz

Re: Nessus vulnerability false positives
« Reply #11 on: February 08, 2018, 12:24:58 pm »
Yeah you're going to have to give exact details of your scan... I can not seem to get it to show those issues.

Information about this scan :

Nessus version : 7.0.1
Plugin feed version : 201802080515
Scanner edition used : Nessus
Scan type : Normal
Scan policy used : Basic Network Scan
Scanner IP : 192.168.9.211
Port scanner(s) : snmp_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : enabled
Web application tests : enabled
Web app tests -  Test mode : single
Web app tests -  Try all HTTP methods : no
Web app tests -  Maximum run time : 5 minutes.
Web app tests -  Stop at first flaw : CGI
Max hosts : 30
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2018/2/8 11:55 CST
Scan duration : 699 sec


Offline MaxBishop

Re: Nessus vulnerability false positives
« Reply #12 on: February 08, 2018, 01:08:35 pm »
Hi,

Advanced Scan:
  Discovery
    General: Test the Local Nessus host
    Ping Methods: ARP, TCP=built-in, ICMP(max=2)
  Port Scanning:
    Local Port Enumerators: SSH, WMI, SNMP, [only run if local failed]
    Network Scanners: SYN
  Service Discovery
    General: Probe all ports
    Search for SSL/TLS ciphers - enumerate all
  Assessment
    General: default
    Brute Force: Only use credentials provided
  Web Applications: Scan web applications: ON

The last item may be of interest.

Meanwhile, I'll try the scan without the Web Applications scan. Then I'll try it with a "reset to factory" in the VM.
« Last Edit: February 08, 2018, 01:19:05 pm by MaxBishop »

Offline johnpoz

Re: Nessus vulnerability false positives
« Reply #13 on: February 08, 2018, 01:12:15 pm »
Thanks

You mean host discovery.. There are options under advanced for discovery..

Yeah that doesn't do much of anything... Please walk me through what you're doing on the new scan screen..  What you pick, what you change in settings, etc.

« Last Edit: February 08, 2018, 01:17:40 pm by johnpoz »

Offline MaxBishop

Re: Nessus vulnerability false positives
« Reply #14 on: February 08, 2018, 01:20:09 pm »
I edited that last post. (Sorry, I hit post before I was done.)