===========================================================================
AUSCERT Security Bulletin

ASB-2018.0118
OpenSSL updated in Tenable Nessus Network Monitor
18 May 2018
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              Tenable Nessus Network Monitor
Operating System:     Red Hat
                      Windows
                      Mac OS
Impact/Access:        Access Privileged Data -- Remote/Unauthenticated
                      Denial of Service -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-0739 CVE-2018-0733 CVE-2017-3738
Member content until: Sunday, June 17 2018

OVERVIEW

Vulnerabilities have been identified in Tenable Nessus Network Monitor
prior to version 5.5.0. [1]

IMPACT

The vendor has provided the following information:

"Nessus Network Monitor leverages third-party software to help provide
underlying functionality. One of the third-party components (OpenSSL) was
found to contain vulnerabilities, and updated versions have been made
available by the providers.

Out of caution and in line with good practice, Tenable opted to upgrade
the bundled OpenSSL to address the potential impact of these issues.
Nessus Network Monitor 5.5.0 updates OpenSSL to version 1.0.2o to address
the identified vulnerabilities.

Risk Information

CVE ID:                        CVE-2017-3738 CVE-2018-0733 CVE-2018-0739
Tenable Advisory ID:           TNS-2018-07
Risk Factor:                   Medium
CVSSv2 Base / Temporal Score:  4.3 / 3.4
CVSSv2 Vector:                 AV:N/AC:M/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C
Affected Products:             Nessus Network Monitor 5.4.1 & earlier

Advisory Timeline:

2018-05-16 - [R1] Initial Release" [1]

MITIGATION

Tenable advises upgrading to Nessus Network Monitor version 5.5.0. [1]

REFERENCES

[1] [R1] Nessus Network Monitor 5.5.0 Fixes One Third-party Vulnerability
    https://www.tenable.com/security/tns-2018-07

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================