• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

(solved) Nessus vulnerability false positives

Scheduled Pinned Locked Moved General pfSense Questions
40 Posts 6 Posters 6.3k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • M
    MaxBishop
    last edited by Feb 8, 2018, 4:36 PM

    Correct: 2.4.2-RELEASE-p1 (in both VM and native network)

    My VM network is an isolated system with its own pfsense router.

    1 Reply Last reply Reply Quote 0
    • J
      johnpoz LAYER 8 Global Moderator
      last edited by Feb 8, 2018, 4:38 PM

      My guess is whatever they are doing to detect version is flawed in someway… Normally you can actually look at the source of the script they use for that specific detection and the output... Will know more and be able get more details once I can get my system showing the same thing or maybe not.. Its about ready I hope ;)

      They are not actually check for the issue, they are just reporting known issues with version its detecting which seems to be under 2.1.1?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      1 Reply Last reply Reply Quote 0
      • J
        johnpoz LAYER 8 Global Moderator
        last edited by Feb 8, 2018, 5:25 PM

        Ok not seeing what your seeing… Pretty sure picked the firewall plugins... But let me double check and run another scan... All hits I understand or am OK with.  The only one going to look into is the ssl 2 and 3..  No use for those on the webgui - but then again only can hit that from my trusted network so not really an issue.  And can sure setup nessus to trust my cert signed by my CA..

        What exact scan did you do so I can duplicate what you did.. I just picked the basic network scan and thought I had selected the firewalls plugin which includes the pfsense web gui stuff...  But will double check that.

        scanresults.png
        scanresults.png_thumb

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • J
          johnpoz LAYER 8 Global Moderator
          last edited by Feb 8, 2018, 6:24 PM

          Yeah your going to have to give exact details of your scan… I can not seem to get it to show those issues.

          Information about this scan :

          Nessus version : 7.0.1
          Plugin feed version : 201802080515
          Scanner edition used : Nessus
          Scan type : Normal
          Scan policy used : Basic Network Scan
          Scanner IP : 192.168.9.211
          Port scanner(s) : snmp_scanner
          Port range : default
          Thorough tests : no
          Experimental tests : no
          Paranoia level : 1
          Report verbosity : 1
          Safe checks : yes
          Optimize the test : yes
          Credentialed checks : no
          Patch management checks : None
          CGI scanning : enabled
          Web application tests : enabled
          Web app tests -  Test mode : single
          Web app tests -  Try all HTTP methods : no
          Web app tests -  Maximum run time : 5 minutes.
          Web app tests -  Stop at first flaw : CGI
          Max hosts : 30
          Max checks : 5
          Recv timeout : 5
          Backports : Detected
          Allow post-scan editing: Yes
          Scan Start Date : 2018/2/8 11:55 CST
          Scan duration : 699 sec

          less...

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          1 Reply Last reply Reply Quote 0
          • M
            MaxBishop
            last edited by Feb 8, 2018, 7:19 PM Feb 8, 2018, 7:08 PM

            Hi,

            Advanced Scan:
                Discovery
                  General: Test the Local Nessus host
                  Ping Methods: ARP, TCP=built-in, ICMP(max=2)
              Port Scanning:
                  Local Port Enumerators: SSH,  WMI, SNMP, [only run if local failed]
                  Network Scanners: SYN
              Service Discovery
                  General: Probe all ports
                  Search for SSL/TLS ciphers - enumerate all 
              Assessment
                  General: default
                  Brute Force: Only use credentials provided
              Web Applications: Scan web applications: ON

            The last item may be of interest.

            Meanwhile, I'll try the scan without the Web Applications scan. Then I'll try it with a "reset to factory" in the VM.

            1 Reply Last reply Reply Quote 0
            • J
              johnpoz LAYER 8 Global Moderator
              last edited by Feb 8, 2018, 7:17 PM Feb 8, 2018, 7:12 PM

              thanks

              You mean host discovery.. There are options under advanced for discovery..

              Yeah that doesn't do much of anything… Please walk me through what your doing on the newscan screen..  What you pick what you change in settings, etc.

              newscan.png
              newscan.png_thumb

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              1 Reply Last reply Reply Quote 0
              • M
                MaxBishop
                last edited by Feb 8, 2018, 7:20 PM

                I edited that last post. (Sorry, I hit post before I was done.)

                1 Reply Last reply Reply Quote 0
                • J
                  johnpoz LAYER 8 Global Moderator
                  last edited by Feb 8, 2018, 7:33 PM Feb 8, 2018, 7:21 PM

                  Yeah scan is running now..

                  Yeah Not seeing anything like what your seeing… Did your exact scan settings.  See my previous post of what it finds for warnings.

                  You running like proxy or pfblocker or something?  The finding of ssl 2 and 3 is because of the ntopng interface on 3000, not the pfsense gui in my findings.

                  Here attached scan using your walk through of what you changed... Not anything like what your seeing..  You must of brokensomething or had a failed update or something??

                  yoursettings.png
                  yoursettings.png_thumb

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  1 Reply Last reply Reply Quote 0
                  • M
                    MaxBishop
                    last edited by Feb 8, 2018, 7:52 PM

                    Hi,

                    I did have pfBlocker and Suricata installed. Here's what I'm going to do:

                    1. Uninstall pfBlocker and Suricata and rerun

                    If that fails, I'll create a fresh install and try it.

                    1 Reply Last reply Reply Quote 0
                    • M
                      MaxBishop
                      last edited by Feb 8, 2018, 8:38 PM

                      OK,

                      On my Advanced scan I have a plugin tab that shows the CGI abuses plugin as enabled (image attached)

                      On a from-scratch install, running the scan shows the same set of critical/high/medium vulnerabilities.

                      However, running the scan with the CGI abusus plugin disabled removes the detections.

                      Do you have this plugin enabled?

                      cgiAbuses.jpg
                      cgiAbuses.jpg_thumb

                      1 Reply Last reply Reply Quote 0
                      • J
                        johnpoz LAYER 8 Global Moderator
                        last edited by Feb 8, 2018, 8:55 PM Feb 8, 2018, 8:47 PM

                        All plugins enabled… Yes went through and made sure my settings were exactly how you stated your settings are... Can post screenshots if you want.

                        Seems I even have 1 more plugin than you under that 3785, you list 3784..

                        My plugins dated

                        Plugins
                        Last Updated
                        Today at 5:15 AM
                        Expiration
                        February 06, 2023
                        Plugin Set
                        201802080515

                        Seems your plugins are from yesterday? "201802071215" - you could update them..

                        edit:  Where exactly did you find this? "reported pfSense version number (unknown..0)."

                        dupesettings.png
                        dupesettings.png_thumb

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        1 Reply Last reply Reply Quote 0
                        • M
                          MaxBishop
                          last edited by Feb 8, 2018, 9:20 PM

                          Below I have the details of one example where the pfSense version shows as unknown. All of the vulnerabilities are in the CGI abuses category and all appear to occur because the version could not be determined by Nessus.

                          I have also included a screenshot of my pfSense dashboard (this is the from-scratch install)..

                          I am re-running the scan after a complete Nessus update.

                          vulner.jpg
                          vulner.jpg_thumb
                          pfDash.jpg
                          pfDash.jpg_thumb

                          1 Reply Last reply Reply Quote 0
                          • J
                            johnpoz LAYER 8 Global Moderator
                            last edited by Feb 8, 2018, 9:31 PM

                            So to validate that scanner is looking for problems with below 2.1.1 in the scan… I fired up a liveCD 2.1 release version - and it shows the problems you were seeing..

                            But on my 2.4.2p1 running the same exact scan does not see these problems.

                            edit: if I look at the scan of the old 2.1 system it does show that unknown..0 thing see 2nd pic

                            oldversionpfsense.png
                            oldversionpfsense.png_thumb
                            showingunknown.png
                            showingunknown.png_thumb

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            1 Reply Last reply Reply Quote 0
                            • M
                              MaxBishop
                              last edited by Feb 8, 2018, 10:15 PM

                              Hi,

                              I'm stumped. I see the problem with:

                              2.4.2-RELEASE-p1 (amd64)
                              built on Tue Dec 12 13:45:26 CST 2017
                              FreeBSD 11.1-RELEASE-p6
                              The system is on the latest version.
                              Version information updated at Thu Feb 8 21:44:23 UTC 2018

                              It appears to be reproducible with a fresh install. Next I'll test it with the development snapshot.

                              1 Reply Last reply Reply Quote 0
                              • I
                                ivor
                                last edited by Feb 8, 2018, 10:25 PM

                                I would suggest contacting Nessus as this issue is related to their software and the way its detecting pfSense. As Johnpoz have shown, the issue doesn't seem to be occurring to others.

                                Need help fast? Our support is available 24/7 https://www.netgate.com/support/

                                1 Reply Last reply Reply Quote 0
                                • M
                                  MaxBishop
                                  last edited by Feb 8, 2018, 10:43 PM

                                  @ johnpoz

                                  Thanks for your work on this.

                                  1 Reply Last reply Reply Quote 0
                                  • J
                                    johnpoz LAYER 8 Global Moderator
                                    last edited by Feb 9, 2018, 1:18 PM

                                    When I get back from my walk and snow blowing the drive - freaking lots of snow in chicagoland last night… I will fire up fresh 2.4.2 download on vm and see if can duplicate.. But I am unable to get it to show what your showing unless I do scan an OLD pfsense...

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                                    1 Reply Last reply Reply Quote 0
                                    • M
                                      MaxBishop
                                      last edited by Feb 9, 2018, 2:09 PM

                                      Hi,

                                      That would be great. Last night I created a VM directly from the developer image and implemented it with the default setup…  and I still got the ominous results. I used a fresh install of the community edition for Nessus and customer feedback is restricted to those who can afford the Pro License (~ $2200/yr).

                                      The CGI vulnerabilities are not identified from the WAN side. The "unknown version" detection is almost certainly a false positive.  If it can't be reproduced, then I am doing something (very) stupid.

                                      1 Reply Last reply Reply Quote 0
                                      • J
                                        johnpoz LAYER 8 Global Moderator
                                        last edited by Feb 9, 2018, 4:30 PM

                                        Yeah I don't have the pro version either…  do you have any sort of proxy or anything between your scanner and the pfsense lan IP other than switch?  Just so we do apples to apples are you scanning via IP or fqdn?

                                        I have some real life work to do ;)  But will for sure spin up a fresh 2.4.2 vm.  I am running scanner on a 16.04 ubuntu server VM..

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                                        1 Reply Last reply Reply Quote 0
                                        • M
                                          MaxBishop
                                          last edited by Feb 9, 2018, 6:15 PM

                                          Hi,

                                          Yea, this work stuff always gets in the way of fun.

                                          I have nothing unusual for my setups… no proxy, etc.

                                          My native network is totally vanilla. A pfsense router and an unmanaged switch.

                                          The VM networks consist of multiple VBox machines sharing an internal adaptor. I have two of these, one where the router is the stable release and another with the development snapshot from yesterday.

                                          I have the Nessus community edition installed in Kali and, separately, in Arch Linux.

                                          BTW: I am very impressed with pfSense and I will probably deploy it at the lab where I work..

                                          1 Reply Last reply Reply Quote 0
                                          28 out of 40
                                          • First post
                                            28/40
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                            This community forum collects and processes your personal information.
                                            consent.not_received