Netgate Discussion Forum
(solved) Nessus vulnerability false positives

General pfSense Questions
40 Posts 6 Posters 6.9k Views
• MaxBishop

Hi,

My virtual network gives me the same results.
• johnpoz LAYER 8 Global Moderator

It's still working on the plugins - as soon as it finishes.. If I can duplicate the problem then we can look into why and raise it to either nessus or pfsense… I know for sure I am running 2.4.2p1... I would assume ;) you know what version you're running.. I take it you're running one on hardware and the other on some vms.  I also have a pfsense vm I can scan.. Currently using sg4860 which is what I will scan first as soon as the plugins finish...

getinthere.png

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
• MaxBishop

Correct: 2.4.2-RELEASE-p1 (in both VM and native network)

My VM network is an isolated system with its own pfsense router.
• johnpoz LAYER 8 Global Moderator

My guess is whatever they are doing to detect version is flawed in some way… Normally you can actually look at the source of the script they use for that specific detection and the output... Will know more and be able to get more details once I can get my system showing the same thing or maybe not.. It's about ready I hope ;)

They are not actually checking for the issue, they are just reporting known issues with the version it's detecting, which seems to be under 2.1.1?
• johnpoz LAYER 8 Global Moderator

Ok, not seeing what you're seeing… Pretty sure I picked the firewall plugins... But let me double check and run another scan... All hits I understand or am OK with.  The only one I'm going to look into is the ssl 2 and 3..  No use for those on the webgui - but then again you can only hit that from my trusted network so not really an issue.  And I can sure set up nessus to trust my cert signed by my CA..

What exact scan did you do so I can duplicate what you did.. I just picked the basic network scan and thought I had selected the firewalls plugin which includes the pfsense web gui stuff...  But will double check that.

scanresults.png
• johnpoz LAYER 8 Global Moderator

Yeah, you're going to have to give exact details of your scan… I can not seem to get it to show those issues.

Information about this scan :

Nessus version : 7.0.1
Plugin feed version : 201802080515
Scanner edition used : Nessus
Scan type : Normal
Scan policy used : Basic Network Scan
Scanner IP : 192.168.9.211
Port scanner(s) : snmp_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : enabled
Web application tests : enabled
Web app tests -  Test mode : single
Web app tests -  Try all HTTP methods : no
Web app tests -  Maximum run time : 5 minutes.
Web app tests -  Stop at first flaw : CGI
Max hosts : 30
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2018/2/8 11:55 CST
Scan duration : 699 sec
• MaxBishop

Hi,

Advanced Scan:
  Discovery
    General: Test the Local Nessus host
    Ping Methods: ARP, TCP=built-in, ICMP(max=2)
  Port Scanning:
    Local Port Enumerators: SSH, WMI, SNMP, [only run if local failed]
    Network Scanners: SYN
  Service Discovery
    General: Probe all ports
    Search for SSL/TLS ciphers - enumerate all
  Assessment
    General: default
    Brute Force: Only use credentials provided
  Web Applications: Scan web applications: ON

The last item may be of interest.

Meanwhile, I'll try the scan without the Web Applications scan. Then I'll try it with a "reset to factory" in the VM.
• johnpoz LAYER 8 Global Moderator

thanks

You mean host discovery.. There are options under advanced for discovery..

Yeah that doesn't do much of anything… Please walk me through what you're doing on the newscan screen..  What you pick, what you change in settings, etc.

newscan.png
• MaxBishop

I edited that last post. (Sorry, I hit post before I was done.)
• johnpoz LAYER 8 Global Moderator

Yeah scan is running now..

Yeah, not seeing anything like what you're seeing… Did your exact scan settings.  See my previous post of what it finds for warnings.

You running a proxy or pfblocker or something?  The finding of ssl 2 and 3 is because of the ntopng interface on 3000, not the pfsense gui in my findings.

Here attached scan using your walk through of what you changed... Not anything like what you're seeing..  You must have broken something or had a failed update or something??

yoursettings.png
• MaxBishop

Hi,

I did have pfBlocker and Suricata installed. Here's what I'm going to do:

1. Uninstall pfBlocker and Suricata and rerun

If that fails, I'll create a fresh install and try it.
• MaxBishop

OK,

On my Advanced scan I have a plugin tab that shows the CGI abuses plugin as enabled (image attached).

On a from-scratch install, running the scan shows the same set of critical/high/medium vulnerabilities.

However, running the scan with the CGI abuses plugin disabled removes the detections.

Do you have this plugin enabled?

cgiAbuses.jpg
• johnpoz LAYER 8 Global Moderator

All plugins enabled… Yes went through and made sure my settings were exactly how you stated your settings are... Can post screenshots if you want.

Seems I even have 1 more plugin than you under that 3785, you list 3784..

My plugins dated:

Plugins
Last Updated: Today at 5:15 AM
Expiration: February 06, 2023
Plugin Set: 201802080515

Seems your plugins are from yesterday? "201802071215" - you could update them..

edit:  Where exactly did you find this? "reported pfSense version number (unknown..0)."

dupesettings.png
• MaxBishop

Below I have the details of one example where the pfSense version shows as unknown. All of the vulnerabilities are in the CGI abuses category and all appear to occur because the version could not be determined by Nessus.

I have also included a screenshot of my pfSense dashboard (this is the from-scratch install).

I am re-running the scan after a complete Nessus update.

vulner.jpg
pfDash.jpg
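The triage MaxBishop describes above (every hit is a "CGI abuses" version check, and the detected pfSense version reads "unknown..0") can be done mechanically over a .nessus export instead of by eye. This is an added example, not code from the thread or from Nessus or Netgate: the XML fragment, the plugin IDs and names, and the "Installed version / Fixed version" wording in plugin_output are all constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed .nessus v2 fragment (not a real export). Plugin IDs, names and
# plugin_output wording are made up; only the element layout follows .nessus.
SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="lab-scan">
  <ReportHost name="192.168.1.1">
   <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
     pluginID="900001" pluginName="pfSense &lt; 2.1.1 (example)" pluginFamily="CGI abuses">
    <risk_factor>High</risk_factor>
    <plugin_output>
  Installed version : unknown..0
  Fixed version     : 2.1.1
    </plugin_output>
   </ReportItem>
   <ReportItem port="3000" svc_name="www" protocol="tcp" severity="2"
     pluginID="900002" pluginName="SSL Version 2 and 3 Protocol Detection"
     pluginFamily="Service detection">
    <risk_factor>Medium</risk_factor>
    <plugin_output>SSLv3 is enabled on this port.</plugin_output>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>"""


def field(text, name):
    """Pull an 'Installed version : X' style field out of plugin_output (assumed wording)."""
    m = re.search(r"{}\s*:\s*(\S+)".format(re.escape(name)), text or "")
    return m.group(1) if m else None


def version_tuple(v):
    """'2.4.2-RELEASE-p1' -> (2, 4, 2). Returns None for 'unknown..0' and other
    strings that do not start with a digit, i.e. a version Nessus never read."""
    if not v or not v[0].isdigit():
        return None
    return tuple(int(n) for n in re.findall(r"\d+", v.split("-")[0]))


def triage(nessus_xml, actual_version):
    """Map pluginID -> verdict. 'patch': a version check whose detected version
    is below the fix. 'verify': a version check that could not read the version
    while the operator-confirmed version is already at or past the fix (likely
    false positive; confirm by hand). 'review': everything else."""
    actual = version_tuple(actual_version)
    verdicts = {}
    for item in ET.fromstring(nessus_xml).iter("ReportItem"):
        out = item.findtext("plugin_output", "")
        detected = version_tuple(field(out, "Installed version"))
        fixed = version_tuple(field(out, "Fixed version"))
        if fixed is None:
            verdict = "review"
        elif detected is None:
            verdict = "verify" if (actual is None or actual >= fixed) else "patch"
        else:
            verdict = "patch" if detected < fixed else "review"
        verdicts[item.get("pluginID")] = verdict
    return verdicts
```

Running it against the dashboard version from the thread, `triage(SAMPLE_NESSUS, "2.4.2-RELEASE-p1")`, marks the CGI-abuses hit "verify" and the SSLv3 hit "review"; against an old 2.1 box the same finding becomes "patch", matching what johnpoz saw on the 2.1 liveCD.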
• johnpoz LAYER 8 Global Moderator

So to validate that the scanner is looking for problems with below 2.1.1 in the scan… I fired up a liveCD 2.1 release version - and it shows the problems you were seeing..

But on my 2.4.2p1 running the same exact scan does not see these problems.

edit: if I look at the scan of the old 2.1 system it does show that unknown..0 thing, see 2nd pic

oldversionpfsense.png
showingunknown.png
• MaxBishop

Hi,

I'm stumped. I see the problem with:

2.4.2-RELEASE-p1 (amd64)
built on Tue Dec 12 13:45:26 CST 2017
FreeBSD 11.1-RELEASE-p6
The system is on the latest version.
Version information updated at Thu Feb 8 21:44:23 UTC 2018

It appears to be reproducible with a fresh install. Next I'll test it with the development snapshot.
• ivor

I would suggest contacting Nessus as this issue is related to their software and the way it's detecting pfSense. As Johnpoz has shown, the issue doesn't seem to be occurring to others.

Need help fast? Our support is available 24/7 https://www.netgate.com/support/
• MaxBishop

@johnpoz

Thanks for your work on this.
• johnpoz LAYER 8 Global Moderator

When I get back from my walk and snow blowing the drive - freaking lots of snow in chicagoland last night… I will fire up a fresh 2.4.2 download on a vm and see if I can duplicate.. But I am unable to get it to show what you're showing unless I do scan an OLD pfsense...
• MaxBishop

Hi,

That would be great. Last night I created a VM directly from the developer image and implemented it with the default setup…  and I still got the ominous results. I used a fresh install of the community edition for Nessus and customer feedback is restricted to those who can afford the Pro License (~ $2200/yr).

The CGI vulnerabilities are not identified from the WAN side. The "unknown version" detection is almost certainly a false positive.  If it can't be reproduced, then I am doing something (very) stupid.
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.