Tenable Identity Exposure 2023 On-Premises Release Notes
- Tenable Identity Exposure 3.42 (2023-04-06)

Tenable Identity Exposure 2023 On-Premises Release Notes

Tenable Identity Exposure 3.42 (2023-04-06)

This release is end-of-life (EOL). Upgrade to a supported version. For information about EOL dates and policies for Tenable products, see the Tenable Software Release Lifecycle Matrix and Policy.

New Features

Dashboard data availability — Enables reporting on compliance scores, deviances count, and users count values over a new maximum 1-year time span (from one month).
Scalability — Tenable Identity Exposure improved the performance of Indicators of Attack on the service side to handle events of interest on a greater scale for better IoA accuracy and latency.
Quicker and easier deployment of Indicators of Attack — Tenable Identity Exposure can now add or remove Indicators of Attack automatically from configured domain controllers without any manual intervention. For more information, see Install Indicators of Attack in Tenable Identity Exposure Administrator Guide.
Indicators of Attack
- Inhibits the CPU consumption to limit the impact on the domain controller.
- Improved resource footprint on domain controllers.
Attack Path — Introducing views of Tier 0 assets and the attack paths leading to them. For more information, see the Tenable Identity Exposure User Guide.
Accounts with never expiring passwords — A new option in this IoE allows whitelisting for entire organizational units (OUs).
Privileged Analysis — You can control whether or not to send privileged data collection to the Tenable Cloud service (default: do not send).

Bug Fixes

Tenable Identity Exposure version 3.42 contains the following bug fixes:

Bug Fixes	Defect ID
Indicators of Exposure and Related Fixes
Application of Weak Password Policies on Users Improved performance for heavy workload scenarios. Introduction of two new reasons to explain better two cases where you may think the GPO applies but in fact does not: An Organizational Unit that contains computers may block the GPO inheritance. A security filtering prevents the GPO from applying to computers. Verify AAD SSO Account Password Last Change now resolves deviances when they apply to deleted AD objects. Dangerous Kerberos Delegation now handles existing but empty Resource-Based Constrained Delegation (RBCD) attributes. Accounts using a Pre-Windows 2000 Compatible Access Control (C-PRE-WIN2000-ACCESS-MEMBERS) now reports all problematic well-known principals of the "Pre-Windows 2000 Compatible Access" group. Elimination of false positives on the Tenable Identity Exposure GPO for these IoEs: Verify Sensitive GPO Objects and Files Permissions and Domain Controllers Managed by Illegitimate Users. Tenable Identity Exposure now limits the Organizational Unit allow list option for the IoE Accounts With Never Expiring Passwords in the backend to reduce the quantity of logs generated. It is now possible to view Indicators of Exposure in German again. Tenable Identity Exposure no longer shows tenable_ad_date tags in the CSV export file.	N/A
Indicators of Attack and Related Fixes
Reduced false positives/negatives for Tenable Identity Exposure attacks for the following IoAs: sAMAccountName Impersonation, Kerberoasting, OS Credential Dumping: LSASS Memory, DCShadow, and DPAPI Domain Backup Key Extraction. OS Credential Dumping: LSASS Memory — Shows more accurate process and username information when displaying the information in the user interface and alerts. Password Spraying no longer misses attacks when Tenable Identity Exposure cannot match an IP address through the DNS Record AD object. MassiveComputersRecon — Removed the non-relevant option Whitelisted target domain controllers IoA Script Tenable Identity Exposure improved the resiliency of the IoA setup script for subsequent installations of the script. It is again possible to run the Register-TenableIOA script from a domain-joined server using runas. The Indicator of Attack PDF report no longer shows an erroneous header on the cover page. The renaming of the Tenable Identity Exposure GPO no longer has an impact on the automatic update feature of the Tenable Identity Exposure Indicator of Attack configuration. Tenable Identity Exposure attack detection is now more accurate and reduces false negatives and false positives. The IoA installation reestablishes security events logging. Tenable Identity Exposure correctly shows attributes with a dollar character ($) in the Indicator of Attack investigation view. When installing the IoAs on a Windows 2022 Domain Controller, the server no longer needs to reboot. Tenable Identity Exposure no longer pushes an IoA configuration on the PDC in a deleted GPO. It now uses the installed IoA configuration for a more robust IoA automatic update experience. Tenable Identity Exposure now requires fewer permissions to obtain the same Indicator of Attack analysis.	N/A
Tenable Identity Exposure Installer
Shows more precise labels for SQL drives. Supports non-English languages. Allows you to click on the "Previous" button to go back and change installation options. Fails silently if it detects an existing SQL server previously installed on the Storage Manager.	N/A
Attack Path
After deleting a directory, the Attack Path now refreshes its Tier0 graph. The page now shows a single menu bar. The Attack Path service can now handle multiple large security descriptors during its initialization.	N/A
Other Fixes
The Tenable Identity Exposure (Compliance) Score through the Public API now excludes deactivated checkers for the provided profile. This had led to an incorrect score via the Public API. This is now improved and consistent with the Compliance Score available in the Tenable Identity Exposure user interface. Authentication — Tenable Identity Exposure now logs a successful login attempt after it validates it. Security — GraphQL suggestions no longer appear. Tenable Identity Exposure dashboard widgets now show "0" instead of "No data" when it does not detect any deviants. Improvements in the Kerberos service account authentication when Tenable Identity Exposure collects data for privileged analysis. Upgraded the RabbitMQ library dependency to fix CVE-2022-37026. Tenable Identity Exposure improved performance when dealing with multi-valued attributes with numerous entries. Tenable Identity Exposure improved SYSVOL fault tolerance, such as against invalid accesses. Tenable Identity Exposure indicates again the LDAP objects that became out of scope (for example, due to permissions.) DNS records show up with their correct IPv6 addresses. Tenable Identity Exposure no longer lists the security profiles to which a user does not have access. Tenable Cloud Service — Tenable Identity Exposure provides more precise error messages when it cannot connect or authenticate to Tenable Cloud Service. License — Tenable Identity Exposure now bases its count of active users only on the AD objects whose objectClass is strictly User, and not the objectClasses that contain User such as MSMQ-Migrated-User or strongAuthenticationUser. Trail Flow — You can now copy the SDDL field when using a non-secured HTTP protocol (relevant for some on-premises deployments that either use HTTP or a not recognized HTTPS certificate). Tenable Identity Exposure API Reference Portal — Removed irrelevant entry (events). API — Reinforced integer input validation and managing the error appropriately as Bad request instead of Internal server error. Tenable Identity Exposure handles better foreign security principals when they are also unresolved security principals. Tenable Identity Exposure replaces the \0a sequences in AD attributes with a space when sending them through SYSLOG. It is now possible to edit roles with removed directories in some edge cases. Tenable Identity Exposure links unresolved security principals in the attack path feature to the right domain.	N/A

Patches 3.42.17 (2023-10-24)

Tenable Identity Exposure version 3.42.17 contains the following patches:

Patch	Defect ID
Upon upgrade, Tenable Identity Exposure automatically populates the Event Logs Storage Fully Qualified Domain Name (FQDN) or IP address with the existing configuration.	N/A
Tenable Identity Exposure rectified unquoted uninstall paths in RabbitMQ and Erlang installations.	N/A
The Unlinked, Disabled, or Orphan GPO Indicator of Exposure (IoE) now more effectively manages scenarios involving removed GPOs.	N/A
Retrieving sensitive data now functions seamlessly with renamed Active Directory domains.	N/A
In the ADCS Dangerous Misconfigurations IoE, for the purpose of certificate template analysis, it's now possible to exclude trustees from other AD domains by using their samAccountName or userPrincipalName.	N/A
Permissions for NT AUTHORITY\Authenticated Users no longer appear in the Tenable installation folder.	N/A
The Trail Flow can now capably manage customers with an extensive history of events.	N/A
Tenable Identity Exposure fixed multiple memory leaks in the collector service.	N/A
Tenable Identity Exposure fixed a correlation logic that impacted these Indicators of Attack: DCSync, DCShadow, DC Password Change, DNS Admins Exploitation, Domain Backup Key Extraction, Massive Computers Reconnaissance, NTDS Extraction, Credential Dumping: LSASS Memory, SAM Name Impersonation, and Zerologon Exploitation.	N/A
The Tenable Identity Exposure installer now accepts Elliptic Curves certificates for securing communications between services.	N/A
The Tenable Identity Exposure on-premises installer now allows you to use Fully Qualified Domain Names (FQDNs) in every field where it previously asked for an IP address.	N/A

Patches 3.42.12 (2023-06-19)

Tenable Identity Exposure version 3.42.12 contains the following patches:

Patch	Defect ID
The security analysis now has an improved ability to manage security descriptors that are not properly formatted.	N/A
A newly implemented mechanism enhances the resilience of the database when there are numerous attribute modifications.	N/A
The IoA security analysis now falls back to a previous Windows event log version when necessary.	N/A
The security analysis now limits the generation of error logs when it encounters an incorrect regular expression from an IoE option.	N/A
Whenever a user modifies their password, all of their active sessions become invalid.	N/A
Tenable Identity Exposure now reads event log files in gz format with fewer retry attempts to address potential issues caused by open file handles on these files.	N/A
In the absence of the IoA module, the logs do not mention any inappropriate IoA-related messages.	N/A
Indicators of Exposure (IoE) Application of Weak Password Policies on Users shows improved performance when carrying out the initial security check. Insufficient Hardening Against Ransomware has improved resilience when raising deviances. Dangerous Sensitive Privileges has improved analysis performance.	N/A

Patches 3.42.11 (2023-06-02)

Tenable Identity Exposure version 3.42.11 contains the following patches:

Patch	Defect ID
Tenable Identity Exposure can once again run with multiple listeners (Ceti) instances.	N/A
Tenable Identity Exposure now generates the IoA GPO audit.csv file using results from Windows APIs instead of the auditpol.exe output (which is localizable).	N/A
The customization of Tenable Identity Exposure IoAs now works as expected.	N/A
An additional parameter, -EventLogsFileWriteFrequency X, in the Indicator of Attack deployment script allows you to address potential issues with slow or broken Distributed File System (DFS) replication that you may experience. For more information, see DFS Replication Issues Mitigation in the Administrator Guide.	N/A
Update of the xml2js dependency to the latest version (from 0.4.23 to 0.5.0).	N/A
Tenable Identity Exposure now limits the occurrence of Access Denied errors originating from the SYSVOL share to prevent excessive log disk usage.	N/A

Updated Software Dependencies

Tenable Identity Exposure on-premises version 3.42.11 offers significant enhancements to safeguard your Active Directory infrastructure. This release includes updates to certain dependencies to prioritize software security and ensure up-to-date components for improved protection.

Tenable Identity Exposure		Version 3.42.3	Version 3.42.11	Version 3.42.17
Software Name	File Name	Version	Version	Version
cUrl	curl.exe	7.66.0	8.0.1	8.4.0
SysInternals Handle	handle.exe	4.22.0	5.0.0	5.0
IIS URL Rewrite Module 2	rewrite_amd64_en-US.msi	7.2.1980	7.2.1993	7.2.1993
.net Runtime .net Windows Server Hosting	dotnet-hosting-6.0.14-win.exe	6.0.14	6.0.16	6.0.22.32824 6.0.22.23424
NodeJS	node-x64.msi	16.19.1	16.20.0	18.18.0
MSSQL	setup.exe	2019.150.2000.5	2019.150.4312.2	15.0.4322.2
RabbitMQ	rabbitmq-server.exe	3.10.11	3.10.19	3.12.6
Erlang OTP	otp_win64.exe	25.1.2	25.1.2	26.1.1
C++ 2105-2022 Redistributable (unchanged)	vcredist_2015_x64.exe	14.24.28127.4	14.24.28127.4	14.24.28127.4
ASP.NET Core	dotnet-hosting-win.exe	6.0.14	6.0.16	6.0.22.23424