Author Topic: (solved) Nessus vulnerability false positives  (Read 710 times)

Offline johnpoz

  • Hero Member
Re: Nessus vulnerability false positives
« Reply #30 on: February 09, 2018, 01:47:55 pm »
Well it uses pfsense_webui_detect.nbin in the nasl -- this is clearly broken it seems...
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline MaxBishop

  • Newbie
Re: Nessus vulnerability false positives
« Reply #31 on: February 09, 2018, 04:12:37 pm »
Setting my web port to 8083 seems to correct the problem.

Perhaps a Nessus Pro subscriber could ring their bell on this. For 2200 bucks I say they should have some pull.

Meanwhile johnpoz, you really do an outstanding job of serving the community.

(No snow in Boston)

Offline ivor

  • Administrator
  • Hero Member
Re: (solved) Nessus vulnerability false positives
« Reply #32 on: February 10, 2018, 09:48:09 am »
Great work johnpoz!
Need help fast? Commercial support: https://www.netgate.com/support/

Offline johnpoz

  • Hero Member
Re: (solved) Nessus vulnerability false positives
« Reply #33 on: February 10, 2018, 10:09:32 am »
Thanks ivor, but setting the GUI to a different port doesn't really fix anything - it just masks the problem. For whatever reason it seems that the Nessus detection of pfSense is just broken.. I tried running the nbin that the nasl script calls; it doesn't seem to output anything. I would have to dig way deeper than I feel like doing ;)

They don't even seem to have a forum where other home users of the FREE activation can discuss problems and tricks, etc. Unless there is some 3rd party place which I have not looked into.. To be honest, any such scan from the LAN side is kind of pointless if you ask me..

You should know without some scan telling you that you're not up to date... Everything else it told me, like my SNMP community was public, and it didn't trust the CA that signed the cert.. Oh, you mean I allow snoop to unbound in the ACL.. All stuff that I already knew - the only little tidbit that was any sort of surprise was that the ntopng GUI on 3000 was still using SSL 3, etc. I would be a bit concerned with that if it wasn't only accessed from my private secure network ;)

If you do get any more info MaxBishop I would be curious on their broken detection binary..

Offline jimp

  • Administrator
  • Hero Member
Re: (solved) Nessus vulnerability false positives
« Reply #34 on: February 13, 2018, 02:32:04 pm »
For what it's worth, I believe it's a benefit that a scanner is unable to properly determine what you're running. Why make it any easier on someone or something to figure out what you've got? :-)
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline bamhm182

  • Newbie
Re: (solved) Nessus vulnerability false positives
« Reply #35 on: February 17, 2018, 10:26:07 am »
Came across this because I'm having the same results w/ the newest version of Nessus and the newest version of pfSense. Did anyone ever get around to making a support ticket with Nessus? If we haven't gotten a response from someone with Nessus Pro, we might as well create one from a Nessus Free account. Better than nothing.

jimp, just because the current Nessus scanner doesn't detect the version doesn't mean it isn't possible. If the reason they can't fix it is because it isn't possible, that's another thing.
« Last Edit: February 17, 2018, 10:34:42 am by bamhm182 »

Offline MaxBishop

  • Newbie
Re: (solved) Nessus vulnerability false positives
« Reply #36 on: February 18, 2018, 07:45:46 am »
I don't think any of us has the (very) expensive Pro license. As best I can tell, there is no way to feed back to Tenable without one.

Offline Sn3ak

  • Full Member
Re: (solved) Nessus vulnerability false positives
« Reply #37 on: February 18, 2018, 07:33:33 pm »
> For what it's worth, I believe it's a benefit that a scanner is unable to properly determine what you're running. Why make it any easier on someone or something to figure out what you've got? :-)

Obscurity is not security. This is a bad line of thinking, especially if you wish to sell to Enterprises. Sure, hiding as much as possible from external attackers is nice but hiding from your CS department (or yourself) is generally not a good practice.

I came here as I too have the same problem on several Netgate boxes running 2.4.2_p1.

I'm not sure why this thread is marked as solved, it doesn't seem to be. I'll try and enquire with my support desk and see if I can get some answers about how the binary is detecting (or not, as is the case) the version. I don't know if they will have any real motivation to help, as I am low in the food chain and pfSense is not on the supported list. If I find anything helpful, I will report back. I am running with SecurityCenter, so I don't have as much control over the scans as you guys appear to.

I will also be trying a credentialed scan hopefully tomorrow and see if that changes things at all.

Offline ivor

  • Administrator
  • Hero Member
Re: (solved) Nessus vulnerability false positives
« Reply #38 on: February 19, 2018, 02:46:35 am »
It's marked solved because it's not a pfSense issue. It's related to the way Nessus detects pfSense. If you want it fixed, please contact Nessus. Thread locked.

Offline jimp

  • Administrator
  • Hero Member
Re: (solved) Nessus vulnerability false positives
« Reply #39 on: February 19, 2018, 08:06:27 am »
> Obscurity is not security. This is a bad line of thinking, especially if you wish to sell to Enterprises. Sure, hiding as much as possible from external attackers is nice but hiding from your CS department (or yourself) is generally not a good practice.

This is not security by obscurity. It's reducing unnecessary information exposure. If you rely on the device itself to tell you what version something is, you need to have a proper mechanism set up and in place to do that internally (e.g. SNMP or other means of querying the device).

Being able to determine the OS based on network behavior or daemon responses is not a reliable detection mechanism, and being able to do so is a problem, not a solution. I wouldn't go so far as to say it's a security issue if you can identify the OS, but it's still better if it's not accurately discernible.