Author Topic: (solved) Nessus vulnerability false positives  (Read 668 times)

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 15153
  • Karma: +1413/-206
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: Nessus vulnerability false positives
« Reply #15 on: February 08, 2018, 01:21:07 pm »
Yeah scan is running now..

Yeah, not seeing anything like what you're seeing... Did your exact scan settings.  See my previous post of what it finds for warnings.

You running like proxy or pfblocker or something?  The finding of ssl 2 and 3 is because of the ntopng interface on 3000, not the pfsense gui in my findings.

Here attached scan using your walk through of what you changed... Not anything like what you're seeing..  You must have broken something or had a failed update or something??

« Last Edit: February 08, 2018, 01:33:17 pm by johnpoz »
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline MaxBishop

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
    • View Profile
Re: Nessus vulnerability false positives
« Reply #16 on: February 08, 2018, 01:52:57 pm »
Hi,

I did have pfBlocker and Suricata installed. Here's what I'm going to do:

1) Uninstall pfBlocker and Suricata and rerun

If that fails, I'll create a fresh install and try it.


Offline MaxBishop

Re: Nessus vulnerability false positives
« Reply #17 on: February 08, 2018, 02:38:09 pm »

OK,

On my Advanced scan I have a plugin tab that shows the CGI abuses plugin as enabled (image attached)

On a from-scratch install, running the scan shows the same set of critical/high/medium vulnerabilities.

However, running the scan with the CGI abuses plugin disabled removes the detections.

Do you have this plugin enabled?

Offline johnpoz

Re: Nessus vulnerability false positives
« Reply #18 on: February 08, 2018, 02:47:35 pm »
All plugins enabled... Yes went through and made sure my settings were exactly how you stated your settings are... Can post screenshots if you want.

Seems I even have 1 more plugin than you under that 3785, you list 3784..

My plugins dated

Plugins
Last Updated: Today at 5:15 AM
Expiration: February 06, 2023
Plugin Set: 201802080515

Seems your plugins are from yesterday? "201802071215" - you could update them..

edit:  Where exactly did you find this? "reported pfSense version number (unknown..0)."
« Last Edit: February 08, 2018, 02:55:36 pm by johnpoz »

Offline MaxBishop

Re: Nessus vulnerability false positives
« Reply #19 on: February 08, 2018, 03:20:36 pm »
Below I have the details of one example where the pfSense version shows as unknown. All of the vulnerabilities are in the CGI abuses category and all appear to occur because the version could not be determined by Nessus.

I have also included a screenshot of my pfSense dashboard (this is the from-scratch install).

I am re-running the scan after a complete Nessus update.
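
Added example (not part of the thread and not Nessus code): a small triage helper for version-check findings in the "URL / Installed version / Fixed version" layout quoted in this thread. It marks a finding as unverified when the scanner could not read a real version, as with "unknown..0", so the version can be confirmed on the host before the finding is treated as real. The sample addresses and the function names are made up for illustration.

```python
import re

# Constructed sample in the "URL / Installed version / Fixed version" layout
# that version-check findings use in this thread; the addresses are made up.
SAMPLE = """\
  URL               : https://192.0.2.10:8443/
  Installed version : unknown..0
  Fixed version     : 2.1.1

  URL               : http://192.0.2.20/
  Installed version : 2.1
  Fixed version     : 2.1.1
"""

FIELD = re.compile(r"^\s*(URL|Installed version|Fixed version)\s*:\s*(.*?)\s*$")
VERSION = re.compile(r"^\d+(?:\.\d+)*$")


def parse_findings(text):
    """Split plugin output into one dict per URL/Installed/Fixed block."""
    findings, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "URL" and current:   # a new URL line starts a new finding
            findings.append(current)
            current = {}
        current[key] = value
    if current:
        findings.append(current)
    return findings


def as_tuple(version):
    """Return a comparable tuple, or None if the string is not dotted digits."""
    return tuple(int(p) for p in version.split(".")) if VERSION.match(version) else None


def triage(finding):
    """Label a finding by whether the scanner actually identified a version."""
    installed = as_tuple(finding.get("Installed version", ""))
    fixed = as_tuple(finding.get("Fixed version", ""))
    if installed is None or fixed is None:
        return "unverified"   # no usable fingerprint: check the version on the host
    # Pad so that 2.1 compares as 2.1.0 against 2.1.1.
    width = max(len(installed), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return "outdated" if pad(installed) < pad(fixed) else "not affected"
```
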

Offline johnpoz

Re: Nessus vulnerability false positives
« Reply #20 on: February 08, 2018, 03:31:32 pm »
So to validate that scanner is looking for problems with below 2.1.1 in the scan... I fired up a liveCD 2.1 release version - and it shows the problems you were seeing..

But on my 2.4.2p1 running the same exact scan does not see these problems.

edit: if I look at the scan of the old 2.1 system it does show that unknown..0 thing see 2nd pic



Offline MaxBishop

Re: Nessus vulnerability false positives
« Reply #21 on: February 08, 2018, 04:15:52 pm »
Hi,

I'm stumped. I see the problem with:

2.4.2-RELEASE-p1 (amd64)
built on Tue Dec 12 13:45:26 CST 2017
FreeBSD 11.1-RELEASE-p6
The system is on the latest version.
Version information updated at Thu Feb 8 21:44:23 UTC 2018   

It appears to be reproducible with a fresh install. Next I'll test it with the development snapshot.

Offline ivor

  • Administrator
  • Hero Member
  • *****
  • Posts: 729
  • Karma: +154/-135
    • View Profile
    • Netgate
Re: Nessus vulnerability false positives
« Reply #22 on: February 08, 2018, 04:25:50 pm »
I would suggest contacting Nessus as this issue is related to their software and the way it's detecting pfSense. As Johnpoz has shown, the issue doesn't seem to be occurring to others.
Need help fast? Commercial support: https://www.netgate.com/support/

Offline MaxBishop

Re: Nessus vulnerability false positives
« Reply #23 on: February 08, 2018, 04:43:50 pm »
@ johnpoz

Thanks for your work on this.

Offline johnpoz

Re: Nessus vulnerability false positives
« Reply #24 on: February 09, 2018, 07:18:57 am »
When I get back from my walk and snow blowing the drive - freaking lots of snow in Chicagoland last night... I will fire up fresh 2.4.2 download on vm and see if can duplicate.. But I am unable to get it to show what you're showing unless I do scan an OLD pfsense...

Offline MaxBishop

Re: Nessus vulnerability false positives
« Reply #25 on: February 09, 2018, 08:09:57 am »
Hi,

That would be great. Last night I created a VM directly from the developer image and implemented it with the default setup...  and I still got the ominous results. I used a fresh install of the community edition for Nessus and customer feedback is restricted to those who can afford the Pro License (~ $2200/yr).

The CGI vulnerabilities are not identified from the WAN side. The "unknown version" detection is almost certainly a false positive.  If it can't be reproduced, then I am doing something (very) stupid.

Offline johnpoz

Re: Nessus vulnerability false positives
« Reply #26 on: February 09, 2018, 10:30:52 am »
Yeah I don't have the pro version either...  do you have any sort of proxy or anything between your scanner and the pfsense lan IP other than switch?  Just so we do apples to apples are you scanning via IP or fqdn?

I have some real life work to do ;)  But will for sure spin up a fresh 2.4.2 vm.  I am running scanner on a 16.04 ubuntu server VM..

Offline MaxBishop

Re: Nessus vulnerability false positives
« Reply #27 on: February 09, 2018, 12:15:21 pm »
Hi,

Yea, this work stuff always gets in the way of fun.

I have nothing unusual for my setups... no proxy, etc.

My native network is totally vanilla. A pfsense router and an unmanaged switch.

The VM networks consist of multiple VBox machines sharing an internal adaptor. I have two of these, one where the router is the stable release and another with the development snapshot from yesterday.

I have the Nessus community edition installed in Kali and, separately, in Arch Linux.

BTW: I am very impressed with pfSense and I will probably deploy it at the lab where I work.

Offline johnpoz

Re: Nessus vulnerability false positives
« Reply #28 on: February 09, 2018, 12:30:08 pm »
Ok -- so very odd... I just started a scan on the fresh vm.. 2.4.2 not p1 and it is showing same issues with the 2.1.1 errors..

now here is the thing... I set the web gui to be just on 80... While my main sg4860 is only on SSL... Let me change the 2.4.2 vm web to be on ssl only and rescan.

Offline johnpoz

Re: Nessus vulnerability false positives
« Reply #29 on: February 09, 2018, 12:43:26 pm »
Well that wasn't it... Still getting errors with 2.4.2 not p1 using 8443...

  URL               : https://192.168.9.45:8443/
  Installed version : unknown..0
  Fixed version     : 2.1.1

Let me update it to P1.. and scan again.

edit:  Ok so while the VM was updating to 2.4.2p1 I rescanned my sg4860... And not seeing the errors... So if this is clean after the update.. My GUESS would be that your system failed in its update to 2.4.2p1??  Give me a few minutes scanning the vm now.

edit2:  Well WTF... So why is it clean VM shows the problem, but my sg4860 does not?? Could it really be something different in the CE version over the netgate version??  Going to have to look to the test they do against pfsense when it fails and then run that specific check against the sg4860... The only thing off the top I can think of is I am running a valid cert vs self signed even though nessus doesn't trust it.  And am running ntop on 3000 as another webserver maybe that is confusing nessus.. Let me turn that off and scan my sg4860 again.

Ok this makes ZERO sense... When I search the audit trail for this plugin ID shows pfsense not found on 80???

« Last Edit: February 09, 2018, 01:14:25 pm by johnpoz »