Tenable Identity Exposure 2024 On-Premises Release Notes
These release notes are listed in reverse chronological order.
Tenable Identity Exposure 3.77.6 (2024-12-04)

Tenable Identity Exposure version 3.77.6 contains the following bug fixes:
Bug Fix |
---|
The updater.exe file is now digitally signed with the Tenable Certificate. This ensures protection against unauthorized modifications and provides assurance of the file's authenticity. |
Tenable Identity Exposure now provides correct attack vectors for PetitPotam through an improved correlation engine. You must redeploy the IoA event listener. |
Tenable Identity Exposure now supports additional reverse DNS formats to extract IPv4 addresses from DnsNode objects, addressing previously "unknown" outputs in the Indicator of Attack feature. This enhancement improves alert context and increases the accuracy of relevant IoAs in Basic Mode. |
TCP Syslog alerting works as expected on Windows Server 2016. |
The Secure Relay Scheduled Task now has the valid parameter -AfadRolePath. During an upgrade, Tenable Identity Exposure removes and re-creates the Scheduled Tasks. |
The ADCS Dangerous Misconfigurations IoE now takes into account the "Whitelisted Trustee" option. |
The Dangerous Kerberos Delegation IoE now enforces the whitelisting for disabled objects. |
The Application of Weak Password Policies on Users IoE no longer shows false positives for the "No privileged PSO are applied on the domain" reason. |
Incriminating attributes now display detailed values when localized. |
The NTDS Extraction Indicator of Attack renamed the "Allowed processes" option to clarify its use in "aggressive" mode only and removed the unused "Allowed NTDS destination paths" option. |
Tenable Identity Exposure now ensures correct CSV exports by escaping double quotes ("), improving the accuracy of the exported data. |
When some domains are unreachable, the connectivity tests for all domains now complete faster, preventing unexpected web interface timeouts. |
Tenable Identity Exposure now adapts to analyze Windows Event Logs ingested with a delay. |
Indicators of Exposure (IoE) now show improved accuracy of the latest detection date. |
The findings of a Microsoft Entra ID deviance now correctly match the selected tenant. |
In certain edge cases, Tenable Identity Exposure cannot analyze password hashes. |
Tenable Identity Exposure added the `UserNameVariants` field to DCSyncData, allowing format-agnostic whitelisting of usernames (SID, UPN, sAMAccountName). Currently, this change applies only to the DCSync attack Indicator of Attack (IoA). |
Envoy stores the CA certificate in an encrypted format, with the default route configuration size increased from 4 KB to 4 MB to accommodate larger payloads. |
Tenable Identity Exposure now correctly tests the connectivity to cloud.tenable.com. |
After an LDAP connectivity issue, the Directory Listener automatically restarts after 12 hours to re-sync with any potentially missed ADObject states. |
UDP Syslog alerting now truncates the payload once it reaches the MTU size. |
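A signed updater.exe only protects you if the signature is actually checked before the file is run. The PowerShell below is an added example, not Tenable's code: it inspects the Authenticode signature of the updater and refuses to continue unless the signature is valid and chains to a trusted root. The file path is an assumption, and because this page does not state the exact certificate subject, the script only checks that the subject names Tenable; compare the printed subject and thumbprint against a known-good build rather than trusting the substring match alone.

```powershell
# Added example (not Tenable's code): verify updater.exe's Authenticode signature
# before running an upgrade. $updaterPath is an assumed location; adjust it.
$updaterPath = 'C:\Tenable\updater.exe'   # assumption: not documented on this page

function Test-UpdaterSignature {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate   # $null when the file is not signed

    # Status 'Valid' means the hash matches AND the chain ends at a trusted root.
    # 'NotSigned', 'HashMismatch', 'UnknownError' (untrusted chain) all mean: stop.
    [pscustomobject]@{
        Path                = $Path
        Status              = $sig.Status
        Signer              = if ($signer) { $signer.Subject } else { $null }
        Thumbprint          = if ($signer) { $signer.Thumbprint } else { $null }
        NotAfter            = if ($signer) { $signer.NotAfter } else { $null }
        Timestamped         = [bool]$sig.TimeStamperCertificate   # survives cert expiry
        SubjectNamesTenable = [bool]($signer -and $signer.Subject -match 'Tenable')
    }
}

$check = Test-UpdaterSignature -Path $updaterPath
$check | Format-List

if ($check.Status -ne 'Valid' -or -not $check.SubjectNamesTenable) {
    Write-Warning 'Signature check failed: do not run this updater; obtain a fresh copy from Tenable.'
    exit 1
}
```

Run it from an elevated prompt on the host you are about to upgrade. A `HashMismatch` status means the file was altered after signing; `UnknownError` usually means the signing chain is not trusted on this machine, which is worth investigating before overriding.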

Software Name | Pre-upgrade | Post-upgrade |
---|---|---|
Tenable Identity Exposure | 3.77.3 | 3.77.6 |
C++ 2015-2019 Redistributable | 14.38.33135.0 | 14.38.33135.0 |
.NET Windows Server Hosting | 8.0.10.24468 | 8.0.11.24521 |
IIS URL Rewrite Module 2 | 7.2.1993 | 7.2.1993 |
Application Request Routing 3.0 | 3.0.5311 | 3.0.5311 |
NodeJS | 20.18.0 | 20.18.1.0 |
Erlang OTP | 26.2.5.4 | 26.2.5.5 |
Rabbit MQ | 3.12.14 | 4.0.3 |
SQL Server | 15.0.4385.2 | 15.0.4405.4 |
OpenSSL | 3.3.2 | 3.3.2 |
Envoy | 1.29.9 | 1.29.10 |
Handle | 5.0.0 | 5.0.0 |
Curl | 8.10.1 | 8.11.0 |
Tenable Identity Exposure 3.77.3 (2024-11-06)

- Indicators of Attack (IoA)
  - New basic and aggressive modes — The basic mode is designed for customers who prefer a streamlined setup, minimizing configuration time and reducing false positives, thereby cutting down on unnecessary alert noise. This applies to the following IoAs:
    - DCSync
    - Suspicious DC Password Change
    - Golden Ticket
    - NTDS Extraction
    - OS Credential Dumping: LSASS Memory
    - Enumeration of Local Administrators
    - SAMAccountName Impersonation
- Indicators of Exposure (IoE)
  - New IoEs
    - Shadow Credentials — A new IoE detects backdoors and misconfigurations of shadow credentials in the "Windows Hello for Business" feature and its associated key credentials.
    - Managed Service Accounts Dangerous Misconfigurations — A new IoE ensures the proper deployment and configuration of Managed Service Accounts.
    - Privileged Authentication Silo Configuration — Assists AD administrators in installing and setting up an authentication silo for Tier-0 accounts.
    - Property Sets Integrity — A "Property Set" in Microsoft Active Directory (AD) consolidates multiple attributes for easier, more efficient ACL management. This Indicator of Exposure checks for misconfigurations or potential backdoors within these AD objects and their attributes.
    - Privileged AD User Accounts Synchronized to Microsoft Entra ID — Checks that privileged Active Directory user accounts are not synchronized to Microsoft Entra ID.
    - Enabled Guest Account — Checks that the built-in guest account is disabled.
    - Conflicting Security Principals — Checks that there are no duplicated (conflicting) users, computers, or groups.
  - RSOP-based IoEs — To enhance performance, Tenable Identity Exposure excludes live RSoP (Resultant Set of Policy) checks. Instead, it schedules one RSoP security check every 30 minutes, which allows for better management of the related checks that are necessary during the RSoP process. For more information, see RSOP-based Indicators of Exposure.
  - Last Password Change on KRBTGT Account — Added support for the krbtgt_AzureAD account in Windows Hello for Business (Cloud Trust deployment).
  - Reversible Passwords — Now includes validation for reversible passwords defined by the PSO with the attribute msDS-PasswordReversibleEncryptionEnabled.
  - Local Administrative Account Management — Support for the new Windows LAPS. Introduces a new option called "LAPS version installed" and validates the configuration of the LAPS version based on user selections.
- Proxy — Ability to define a proxy connection during Tenable Identity Exposure installation or upgrade. This proxy connection enables on-premises environments to work with Tenable One features.
- Secure Relay installation — The enhanced installer facilitates the upload of the self-signed certificate from the Directory Listener when you install the Secure Relay on a separate (standalone) machine.
- Email alerting now only supports secured encryption protocols, specifically TLS 1.2 and 1.3. Customers who have overridden their Secure Relay to use deprecated SMTP encryption standards, like SSLv3, must remove the override. The only allowed values are 'Tls12', 'Tls13', or 'TLS12,Tls13' for automatic switching based on the server version. Using unsupported values will prevent the relay from starting.
- New 10-hour "defer time" (Golden Ticket IoA) to allowlist legitimate users during this period, reducing the number of false positives.
- IoA setup — Ability to choose the event gathering duration before triggering event analysis. Values are bounded from 30 seconds to 9 minutes.
- Active Directory — Tenable Identity Exposure increased the size limit for the AD objects it manages.
- Indicators of Exposure
  - Dangerous Kerberos Delegation
    - No longer considers users with smartcards a security issue, as they are not affected by the AS-REP Roasting attack.
    - No longer flags computers as deviant for the reason "Not protected against delegation"; it resolves any existing deviances.
    - A new reason reports all accounts where the attribute used by the constrained delegation (msDS-AllowedToDelegateTo) refers to a Service Principal Name (SPN) that does not exist.
    - A new reason detects the current configuration of Kerberos delegation on the Microsoft Entra Connect account (AZUREADSSOACC).
  - User Primary Group IoE — An additional reason reports on all accounts where the primaryGroupID attribute appears empty due to insufficient rights.
  - Accounts With Never Expiring Passwords — A new reason to make a distinction between privileged users and regular users.
  - Conflicting Security Principals — A new IoE checks that there are no duplicated (conflicting) objects such as users, computers, or groups.
  - User Account Using Old Password, Computers Running an Obsolete OS, and Dormant Accounts — Two new reasons to make a distinction between privileged users and regular users.
  - Domain Without Computer-Hardening GPOs
    - New checks to ensure that null sessions are explicitly disabled on all domain computers.
    - New checks related to hardened UNC paths configured for domain controllers (SYSVOL/NETLOGON shares).
    - New checks to ensure that the Print Spooler service is disabled on all domain controllers.
  - SMB signing enforcement — Tenable Identity Exposure ensures proper SMB signing enforcement on domain controllers and other servers. It validates the "Default Domain Controllers Policy" parameter and checks for correct GPO configuration on other servers.
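The computer-hardening and SMB signing checks above are evaluated centrally by the IoEs from GPO data. When an IoE flags a domain controller, the next question is what the host actually applies. The PowerShell below is an added example, not Tenable's code and not its detection logic: run elevated on a domain controller, it reads the standard Windows registry values and service state behind null-session restrictions, hardened UNC paths for SYSVOL/NETLOGON, the Print Spooler service, and SMB signing, and reports PASS/FAIL per setting. The registry paths and value names are standard Windows ones; the pass thresholds are this example's reading of the usual hardening baseline, not Tenable's exact criteria.

```powershell
# Added example (not Tenable's code): report the effective local hardening state of
# the host this runs on. Run elevated on a domain controller.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Read the whole key so value names containing '*' (hardened UNC paths) are
    # not treated as wildcards; return $null when the key or value is absent.
    try { (Get-ItemProperty -Path $Path -ErrorAction Stop).$Name } catch { $null }
}

function Get-DcHardeningReport {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $unc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

    $rows = New-Object System.Collections.Generic.List[object]
    function Add-Check([string]$Area, [string]$Setting, $Actual, [string]$Expected, [bool]$Pass) {
        $rows.Add([pscustomobject]@{
            Area = $Area; Setting = $Setting; Actual = $Actual; Expected = $Expected
            Result = if ($Pass) { 'PASS' } else { 'FAIL' }
        })
    }

    # Null sessions: anonymous enumeration of SAM accounts/shares blocked, anonymous
    # not a member of Everyone, and no pipes or shares exposed to null sessions.
    $ra   = Get-RegValue $lsa 'RestrictAnonymous'
    Add-Check 'Null sessions' 'Lsa\RestrictAnonymous' $ra '1 or 2' ($ra -ge 1)
    $rsam = Get-RegValue $lsa 'RestrictAnonymousSAM'
    Add-Check 'Null sessions' 'Lsa\RestrictAnonymousSAM' $rsam '1' ($rsam -eq 1)
    $eia  = Get-RegValue $lsa 'EveryoneIncludesAnonymous'
    Add-Check 'Null sessions' 'Lsa\EveryoneIncludesAnonymous' $eia '0 or absent' (-not $eia)
    foreach ($multi in 'NullSessionPipes', 'NullSessionShares') {
        $entries = @(Get-RegValue $srv $multi | Where-Object { $_ })   # drop empty strings
        Add-Check 'Null sessions' "LanmanServer\$multi" ($entries -join ', ') 'empty' ($entries.Count -eq 0)
    }

    # Hardened UNC paths: SYSVOL and NETLOGON must require mutual auth and integrity.
    foreach ($share in '\\*\SYSVOL', '\\*\NETLOGON') {
        $val = Get-RegValue $unc $share
        $ok  = [bool]($val -match 'RequireMutualAuthentication\s*=\s*1' -and $val -match 'RequireIntegrity\s*=\s*1')
        Add-Check 'Hardened UNC paths' $share $val 'RequireMutualAuthentication=1, RequireIntegrity=1' $ok
    }

    # Print Spooler: should be stopped and disabled on domain controllers.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spOk    = [bool]($spooler -and $spooler.Status -eq 'Stopped' -and $spooler.StartType -eq 'Disabled')
    Add-Check 'Print Spooler' 'Service Spooler' "$($spooler.Status)/$($spooler.StartType)" 'Stopped/Disabled' $spOk

    # SMB signing: "Digitally sign communications (always)" for server and client roles.
    $srvSign = Get-RegValue $srv 'RequireSecuritySignature'
    Add-Check 'SMB signing' 'LanmanServer\RequireSecuritySignature' $srvSign '1' ($srvSign -eq 1)
    $wksSign = Get-RegValue $wks 'RequireSecuritySignature'
    Add-Check 'SMB signing' 'LanmanWorkstation\RequireSecuritySignature' $wksSign '1' ($wksSign -eq 1)

    return $rows
}

Get-DcHardeningReport | Format-Table -AutoSize
```

Because this reads the local registry and service state, it shows what the host currently enforces, which can lag or differ from the GPO the IoE evaluates (for example after a policy change that has not yet been applied, or where a local override exists). Comparing the two views is the quickest way to tell a real gap from a stale RSoP.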

Tenable Identity Exposure version 3.77.3 contains the following bug fixes:
Bug Fix |
---|
The "Allowed Users" option in the "Protected Users Group Not Used" Indicator of Exposure now allows whitelisting users by UserPrincipalName (UPN), SID, and sAMAccountName, instead of the previous method of using only Distinguished Name. |
The Indicator of Attack listener now supports non-ASCII encoding. |
Tenable Identity Exposure does not trigger the "Application of Weak Password Policies on Users" deviance for computers within a whitelisted container (configured in the profile). |
Tenable Identity Exposure shows a warning message advising you to take a system snapshot before upgrading. |
Tenable Identity Exposure improved the rollback process by removing residual items. |
Tenable Identity Exposure resolved the Indicator of Exposure display when viewing the details of read-only profiles. |
Envoy now prioritizes IPv4 resolution and falls back to IPv6, correcting the previous configuration that did the opposite. |
Ability to secure the login session cookie to ensure that the session cookies are only sent over HTTPS, enhancing the security of the web application. |
The Secure Relay Scheduled Task now has the valid parameter -AfadRolePath. During an upgrade, Tenable Identity Exposure removes and re-creates the Scheduled Tasks. |
Tenable Identity Exposure now ensures a successful construction of the Tier0 asset graph. |
The security analysis service processes its inputs during high CPU peaks (such as during security checks). |
Tenable Identity Exposure shows a successful description on health check issues with unknown status. |
Tenable Identity Exposure correctly parses trust attributes (even when they are missing in rare scenarios) to show the topology view without issues. |
The Indicator of Attack (IoA) deadlock issue no longer occurs on the machine hosting the security analysis service. |
The Health Check for the AD Data Collector service now reports as true. |
The Application of Weak Password Policies on Users IoE now better handles edge cases related to the options' limits. |
The Secure Relay installer no longer triggers after the upgrade and restart of the Directory Listener. |
Tenable Identity Exposure now prevents the Secure Relay from repeatedly sending LDAP query results that are no longer required by the security analysis service. |
The DCSync IoA now accounts for the edge case where the 'samAccountName' of the Tenable service account exceeds 20 characters, ensuring that alerts do not trigger when the Privileged Analysis feature is enabled. |
When using the installer in a localized version, an error message displays in English upon uploading invalid certificates. |
The Privileged AD User Accounts Synchronized to Microsoft Entra ID IoE no longer requires the option "Whitelist computers". |
The Password Guessing IoA's option "Detection time interval" now shows the correct label. |
The Tenable Identity Exposure user interface no longer loads twice when accessing the base URL of the Tenable Identity Exposure environment. |
Tenable Identity Exposure updated permissions behaviors related to the Indicators of Exposure pages. |
Tenable Identity Exposure enhanced its ability to prevent SQL queries from executing indefinitely on small SaaS platforms, ensuring reliable database accessibility. |
Tenable Identity Exposure now shows all Entra ID IoEs on the IoE pane. |
Tenable Identity Exposure remediated false positives caused by Password Spraying Indicator of Attack (and potentially other IoAs). |
For some edge cases, Tenable Identity Exposure updated the Secure Relay installation process for domain-joined machines: Customers using a Domain Admin account now receive a prompt advising them to use a Local Admin account instead. |
Tenable Identity Exposure introduced a mechanism during the Relay startup to perform a network check between the Relay and the platform. If the platform is not yet operational, the Relay startup process waits to ensure a stable connection before proceeding. |
If you have a Tenable One license, the user creation takes place in Tenable Vulnerability Management and propagates to Tenable Identity Exposure. In this case, when you click the "Create user" button in Tenable Identity Exposure, a message appears to direct you to Tenable Vulnerability Management to create users. |
The Tenable Identity Exposure installer now works correctly for localized versions. |
Tenable Identity Exposure uninstalls the older .NET version during a major upgrade. |
Tenable Identity Exposure resolved a logging issue in the "NTDS Extraction" IoA, ensuring it functions correctly in all scenarios. |
An update to the "Password Guessing" IoA with a new "detection time interval" option, which previously referred to the "Password Spraying" IoA erroneously. |
Optimization of the "GoldenTicket" IoA to eliminate occasional pauses in IoA and IoE analysis that previously lasted an hour or more. |
The enhanced detection algorithm in the "Golden Ticket" IoA reduces false negatives and false positives. |
Tenable Identity Exposure enhanced its ability to prevent SQL queries from executing indefinitely on small platforms, ensuring reliable database accessibility. |
Public API endpoint /export/profile/:profileId/checkers/:checkerId now works correctly without options. |
The MSI log files are available in C:\Tenable\Logs after an installation or an upgrade. |

Software Name | Pre-upgrade (from 3.42.20) | Pre-upgrade (from 3.59.8) | Post-upgrade |
---|---|---|---|
Tenable Identity Exposure | 3.42.20 | 3.59.8 | 3.77.3 |
C++ 2015-2019 Redistributable | 14.38.33135.0 | 14.38.33135.0 | 14.38.33135.0 |
.NET Windows Server Hosting | 6.0.35 | 6.0.35 | 8.0.10.24468 |
IIS URL Rewrite Module 2 | 7.2.1993 | 7.2.1993 | 7.2.1993 |
Application Request Routing 3.0 | 3.0.5311 | 3.0.5311 | 3.0.5311 |
NodeJS | 18.20.4 | 20.18.0 | 20.18.0 |
Erlang OTP | 26.2.5.4 | 26.2.5.4 | 26.2.5.4 |
Rabbit MQ | 3.12.14 | 3.12.4 | 3.12.14 |
SQL Server | 15.0.4385.2 | 15.0.4385.2 | 15.0.4385.2 |
OpenSSL | 1.1t | 3.2.0 | 3.3.2 |
Envoy | -- | 1.29.9 | 1.29.9 |
Handle | 5.0.0 | 5.0.0 | 5.0.0 |
Curl | 8.10.1 | 8.10.1 | 8.10.1 |