18 May 2018
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT Security Bulletin ASB-2018.0118 OpenSSL updated in Tenable Nessus Network Monitor 18 May 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Tenable Nessus Network Monitor Operating System: Red Hat Windows Mac OS Impact/Access: Access Privileged Data -- Remote/Unauthenticated Denial of Service -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2018-0739 CVE-2018-0733 CVE-2017-3738 Member content until: Sunday, June 17 2018 OVERVIEW Vulnerabilities have been identified in Tenable Nessus Network Monitor prior to version 5.5.0.  IMPACT The vendor has provided the following information: "Nessus Network Monitor leverages third-party software to help provide underlying functionality. One of the third-party components (OpenSSL) were found to contain vulnerabilities, and updated versions have been made available by the providers. Out of caution and in line with good practice, Tenable opted to upgrade the bundled OpenSSL to address the potential impact of these issues. Nessus Network Monitor 5.5.0 updates OpenSSL to version 1.0.2o to address the identified vulnerabilities. Risk Information CVE ID: CVE-2017-3738 CVE-2018-0733 CVE-2018-0739 Tenable Advisory ID: TNS-2018-07 Risk Factor: Medium CVSSv2 Base / Temporal Score: 4.3 / 3.4 CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C Affected Products: Nessus Network Monitor 5.4.1 & earlier Advisory Timeline: 2018-05-16 - [R1] Initial Release"  MITIGATION Tenable advises upgrading to Nessus Network Monitor version 5.5.0.  REFERENCES  [R1] Nessus Network Monitor 5.5.0 Fixes One Third-party Vulnerability https://www.tenable.com/security/tns-2018-07 AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: email@example.com Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWv4oTIx+lLeg9Ub1AQgsZw/+MR15DojJ6y2YZ3tOVzmj0pONRXaY2u+9 1bAJ9IjjNecWVFIeK8cw/KR91xofLzVQK9HdXs4A2DwYOI/wn9SvLPE+bPTCW3JP 5hNr/752YK8DW5PzolaxAhtg+dhvwZVjRS851jM2aYQFt2h9UH4UwHLm6sfQxQs1 VqNrJFaozK1Ex5OC6OlTtR63wuarXjhQpghtHW9DNYmczX4403248MNe9tCgBqlw WDdRejYsGYnuO6V0wInnxnQfkl3547GEUmbrYOF31QAdjhZ2553shfpYq9IROk84 +bj4RVtXlj81O81FolcVn2/EKsz0hQO67ViESouZWBsV7vieqwfX4yqK9/imQv4v oKBAv5UpnjiCwezLe9v5Ekbtj5TJbAHBQHUMq6NKn9AiC0A0K08jxqOLeR7L0wkf LS+7faBqzrnkbQKaKxWtRBOzvK3+4xLx378UR44l5qM8y5OKrhB5RopMUuqZ3Hzv Epm4AZ2N8l7o7DoeD2aZRPlmfMpJ6wbeLxs1936VRxuDpLdGhDdNbJGPbzgA6Omr 476YcXqQpWDDkwz+dYe9lSDUiEB9ths+vM6621MkPqR3XJZyC64EjaH+gzKJJmaY FepDF+7A9PtJCVlwfoZNIOHFGd4kqMyPPxY7bZb5+Uaqb69ZaNFpXlgq4LLpHrb1 SybaJoeIoV0= =sNbt -----END PGP SIGNATURE-----