Tenable Identity Exposure 2024 On-Premises Release Notes
These release notes are listed in reverse chronological order.
Tenable Identity Exposure 3.59.6 (2024-08-05)
Tenable Identity Exposure version 3.59.6 contains the following bug fixes:
Bug Fix |
---|
The Secure Relay installer now checks if the current user is a local administrator. |
When installing the Secure Relay on a domain-joined machine using a Domain Admin account, a pop-up message appears to instruct you to use a Local Admin account. |
Proxy changes on the machine hosting the security analysis service (Cygni) no longer create a deadlock. |
Software Name | Pre-upgrade | Post-upgrade |
---|---|---|
Tenable Identity Exposure | 3.59.5 | 3.59.6 |
C++ 2015-2019 Redistributable | 14.40.33810.0 | 14.40.33810.0 |
.NET Windows Server Hosting | 6.0.31 | 6.0.32 |
.NET Runtime | 6.0.31 | 6.0.32 |
.Net Core | 6.0.31 | 6.0.32 |
ASP.NET Core | 6.0.31 | 6.0.32 |
IIS URL Rewrite Module 2 | 7.21993 | 7.2.1993 |
Application Request Routing 3.0 | 3.0.5311 | 3.0.5311 |
NodeJS | 20.14.0 | 20.14.0 |
Erlang OTP | 26.2.5 | 26.2.5.2 |
Rabbit MQ | 3.13.3 | 3.13.6 |
SQL Server | 15.0.4375.4 | 15.0.4375.4 |
OpenSSL | 3.3.0 | 3.3.0 |
Envoy | 1.29.5 | 1.29.5 |
Handle | 5.0.0 | 5.0.0 |
Curl | 8.7.1 | 8.7.1 |
Tenable Identity Exposure 3.59.5 (2024-07-02)
- OpenSSL 3.0 Support — This release upgrades OpenSSL to version 3.0.x. As a result, X.509 certificates signed with SHA1 no longer work at security level 1 or higher. TLS defaults to security level 1, which makes SHA1-signed certificates untrusted for authenticating servers or clients.
  You must upgrade your certificates in response to this change. If you continue the installation without updating your certificates to be compatible with OpenSSL 3.0, the Tenable Identity Exposure installer returns the following error messages with recommended fixes:
- Refer to the OpenSSL 3.0 release notes for more information.
- To upgrade to version 3.59.5, see the upgrade requirements and procedures in the Tenable Identity Exposure User Guide.
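A check worth running before this upgrade, added here as an example and not part of Tenable's product or documentation: it inventories the machine certificate stores and flags SHA-1 (or MD5) signed certificates, which OpenSSL 3.x rejects at security level 1, plus RSA keys shorter than 2048 bits (a threshold chosen here, in line with the 4096-bit SAML keys this release introduces). It assumes an elevated PowerShell session on the Tenable Identity Exposure host; the store list and the key-size threshold are assumptions, not product settings.

```powershell
# Added example, not Tenable's code. Lists certificates in the chosen machine stores
# and flags the ones OpenSSL 3.x will not accept at security level 1 (SHA-1 / MD5
# signatures), plus RSA keys below a chosen size. Run in an elevated session.
function Get-OpenSsl3IncompatibleCert {
    param(
        # Assumption: the stores the product's TLS endpoints and CA validation rely on.
        [string[]] $StorePath = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root'),
        # Assumption: 2048 is the OpenSSL level-2 minimum; this release uses 4096 for SAML.
        [int] $MinRsaBits = 2048
    )
    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
            $cert   = $_
            $sigAlg = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA, sha256ECDSA
            # GetRSAPublicKey returns $null for non-RSA (e.g. ECC) keys.
            $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            $bits = if ($rsa) { $rsa.KeySize } else { $null }

            $findings = @()
            if ($sigAlg -match '^(md5|sha1)') { $findings += "weak signature ($sigAlg)" }
            if ($bits -and $bits -lt $MinRsaBits) { $findings += "RSA key $bits bits < $MinRsaBits" }

            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                Signature  = $sigAlg
                RsaKeyBits = $bits
                NotAfter   = $cert.NotAfter
                # OpenSSL does not verify a trust anchor's own self-signature by default,
                # so a SHA-1 self-signed root matters less than a SHA-1 leaf or intermediate.
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
                Finding    = ($findings -join '; ')
            }
        }
    }
}

# Show only the certificates that need replacing before upgrading to 3.59.5 or later.
Get-OpenSsl3IncompatibleCert |
    Where-Object { $_.Finding } |
    Sort-Object SelfSigned, NotAfter |
    Format-Table Store, Subject, Signature, RsaKeyBits, SelfSigned, Finding -AutoSize
```

Replace flagged leaf and intermediate certificates (and re-import the updated CA certificate in the web application) before running the installer.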
Tenable Identity Exposure version 3.59.5 contains the following bug fixes:
Bug Fix |
---|
The SAML-generated Tenable certificates now use a 4096-bit key with a SHA-256 signature (previously a 1024-bit key). |
A new security mechanism mitigates user enumeration through account-lockout responses. |
An update of the TLS cipher suite list ensures compatibility with Azure ARC Update Manager for Windows Server 2022. |
The Secure Relay installation can now proceed after a failed upgrade of Tenable Identity Exposure. |
Deviance remediation for the Accounts Using a Pre-Windows 2000 Compatible Access Control Indicator of Exposure now appears correctly. |
The Relay now ensures reliable Syslog message delivery across networks with latency. |
A change in the correlation for the process name in the attack vector of the Credential Dumping: LSASS Memory Indicator of Attack decreases the number of unknowns. |
A new mechanism ensures that the database is resilient to having too many modifications in the badPwdCount attribute. In certain edge cases, the service responsible for managing the rate of bad password count events experienced a disconnection from the message queue manager, causing interruptions in event handling. |
The web application now supports uploading an ECC CA certificate to use for validation of TLS connections, including LDAPS authentication, SMTPS, and more. |
Activity logs no longer report internal services activity. |
Rollback resilience is now enhanced after upgrade failures, ensuring environment variables remain unchanged. |
Error messages now give clearer guidance when the installer fails during the communication test between the Relay and the platform. |
Secure Relay installation: The "Proxy Configuration" screen shows empty editable boxes to avoid a potential default rollback. |
Software Name | Pre-upgrade | Post-upgrade |
---|---|---|
Tenable Identity Exposure | 3.59.4 | 3.59.5 |
C++ 2015-2019 Redistributable | 14.24.28127.4 | 14.40.33810.0 |
.NET Windows Server Hosting | 6.0.27 | 6.0.31 |
.NET Runtime | 6.0.27 | 6.0.31 |
ASP.NET Core | 6.0.27 | 6.0.31 |
IIS URL Rewrite Module 2 | 7.21993 | 7.2.1993 |
Application Request Routing 3.0 | 3.0.05311 | 3.0.5311 |
NodeJS | 18.19.0 | 20.14.0 |
Erlang OTP | 26.2.2 | 26.2.5 |
Rabbit MQ | 3.12.12 | 3.13.3 |
SQL Server | 15.0.4335.1 | 15.0.4375.4 |
OpenSSL | 1.1.1t | 3.3.0 |
Envoy | 1.29.4 | 1.29.5 |
Handle | 5.0.0 | 5.0.0 |
Curl | 8.4 | 8.7.1 |
Tenable Identity Exposure 3.59.4 (2024-02-20)
- Secure Relay — Introducing a new mode of transfer for your Active Directory data from your network to Tenable Identity Exposure using Transport Layer Security (TLS) instead of Advanced Message Queuing Protocol (AMQP). For more information, see Upgrade to Use Secure Relay in the Installation Guide and Configure the Relay in the Administration Guide.
  - Alerting and Authentication — The Secure Relay supports Syslog and SMTP alerting. For more information, see Secure Relay in the Tenable Identity Exposure Administrator Guide.
  - Authentication — You can configure LDAP Authentication by selecting a Secure Relay. This relay reaches your LDAP Server to authenticate the user.
  - Alerts — The Syslog and SMTP alerting functions can send alerts to private servers through a Secure Relay. When creating an alert, the Secure Relay platform asks you to select a Relay. You can set up Relays and use them for domain monitoring, alerting, or both.
    If you use Secure Relay and have existing alerts, the Tenable Identity Exposure 3.45 update automatically assigns a Relay to them for service continuity. You can edit this Relay for reasons related to your Relay-VM network rules or your preferences.
  - Basic Authentication and Unauthenticated HTTP Proxy Support — The Relay feature also supports an HTTP proxy with basic authentication or no authentication if your network requires a proxy server to reach the Directory Listener server. For more information, see Secure Relay in the Tenable Identity Exposure Administrator Guide.
- Entra ID Support — This feature extends the scope of Tenable Identity Exposure to Microsoft Entra ID (formerly Azure AD) in addition to Active Directory. The following new Entra ID-focused Indicators of Exposure (IoEs) are now available to identify vulnerabilities within Entra ID:
  - Known Federated Backdoor — A Microsoft Entra tenant can federate with an external domain to establish trust with another domain for authentication and authorization. Organizations use federation to delegate authentication for Active Directory users to their on-premises Active Directory Federation Services (AD FS). (Note: the external domain is not an Active Directory "domain".) But if malicious actors gain elevated privileges in Microsoft Entra ID, they can abuse this federation mechanism to create a backdoor by adding their own federated domain or editing an existing one to add a secondary configuration with their own settings.
  - First-Party Service Principal with Credentials — First-Party Service Principals (Enterprise Applications) come from applications (Application Registrations) belonging to Microsoft. Most of them have sensitive permissions in Microsoft Entra ID that are often overlooked during security reviews. This allows attackers to add credentials to them and stealthily benefit from their privileges.
  - Privileged Entra Account Synchronized With AD (Hybrid) — Checks for hybrid accounts, specifically those synchronized from Active Directory that have privileged roles in Entra ID. These accounts pose a security risk because they allow attackers who compromise AD to pivot to Entra ID. Privileged accounts in Entra ID must be cloud-only accounts.
  - Dangerous API Permissions Affecting the Tenant — Certain permissions on some Microsoft APIs can pose a serious threat to the entire Microsoft Entra tenant, because a service principal with these permissions becomes powerful while being more discreet than a user with a powerful administrator role such as Global Administrator. Abusing this can allow an attacker to bypass Multi-Factor Authentication (MFA) and resist user password resets.
  - Missing MFA for Privileged Account — Multi-Factor Authentication (MFA) provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend that you enable MFA, even for non-privileged accounts. Accounts without a registered MFA method cannot benefit from it. This IoE alerts you when a privileged account does not have a registered MFA method or if you enforce MFA without registering a method, which can allow attackers with a password to register their own MFA methods and create a security risk.
  - Missing MFA for Non-Privileged Account — Multi-Factor Authentication (MFA) provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend that you enable MFA, even for non-privileged accounts. Accounts without a registered MFA method cannot benefit from it. This IoE alerts you when a non-privileged account does not have a registered MFA method or if you enforce MFA without registering a method, which can allow attackers with a password to register their own MFA methods and create a security risk.
  - High Number of Administrators — Administrators have elevated privileges by definition. A high number of them poses a security risk because it increases the attack surface: there is a higher chance that one of them gets compromised. It is also a sign that the least-privilege principle is not respected.
- New Indicators of Attack (IoA)
  - DC Password Change — Related to Zerologon, this IoA focuses on a specific post-exploitation activity that attackers commonly use in conjunction with the Netlogon vulnerability: the modification of the Domain Controller machine account password. For more information, see the Tenable Identity Exposure Indicators of Attack Reference Guide.
  - Zerologon — Detects a failure in the Netlogon authentication process which indicates that attackers are trying to exploit the Zerologon vulnerability to gain privileges on the domain. For more information, see the Tenable Identity Exposure Indicators of Attack Reference Guide.
  - Domain Backup Key Extraction — Detects a wide variety of attack tools that use LSA RPC calls to access backup keys. For more information, see the Tenable Identity Exposure Indicators of Attack Reference Guide.
- Indicators of Exposure (IoE)
  - New IoEs:
    - Unsecure Dynamic DNS Zone Updates Allowed — Identifies insecure configuration of dynamic DNS zone updates, which can lead to unauthenticated editing of DNS records and leave them vulnerable to rogue DNS records.
    - Property Sets Sanity — Checks for any misconfiguration or backdoor from malicious actors present in Property Sets and their attributes within the AD schema. While there are currently no known public attack vectors associated with the use of property sets, this IoE focuses primarily on identifying misconfigurations or peculiarities stemming from third-party products that use this feature.
    - WSUS Dangerous Misconfigurations — Checks Windows Server Update Services (WSUS), a Microsoft product that deploys Windows updates to workstations and servers, for misconfigured settings that can lead to an elevation to administrator privileges from a standard account.
    - Detection of Password Weaknesses — Checks for robust passwords to ensure the security of Active Directory authentication. Weak passwords arise from factors such as insufficient complexity, outdated hashing algorithms, shared passwords, and exposure in leaked databases. Attackers exploit these weaknesses to impersonate accounts, especially privileged ones, and gain unauthorized access within Active Directory.
    - DFS Misconfiguration — Checks that SYSVOL uses Distributed File System Replication (DFSR), a mechanism that replaced the File Replication Service (FRS) for better robustness, scalability, and replication performance.
  - Deviant object exclusions: Tenable Identity Exposure allows exclusions for deviant objects in selected IoEs, including:
    - Group: Logon Restrictions for Privileged Users
    - Operating System: Computers Running an Obsolete OS
    - Organizational Unit: Logon Restrictions for Privileged Users, Computers Running an Obsolete OS, Application of Weak Password Policies on Users, Dormant Accounts, User Account Using Old Password
  - IoE analysis — On-premises users can now disable IoE analysis on the default Tenable security profile to reduce resource usage and achieve lower latency in the security analysis. To implement this, set the ALSID_CASSIOPEIA_CYGNI_Application__IOE__IgnoreDefaultProfile environment variable on the Security Engine Node (SEN) to true and restart the Cygni service.
- Reporting Center — This feature offers a way to export important data as reports to key stakeholders in an organization using a streamlined report creation process. For more information, see the Reporting Center in the Tenable Identity Exposure Administrator Guide.
- Dashboard templates — Ready-to-use templates help you focus on the priority issues that concern your organization such as compliance, risk, password management, and user/admin monitoring. For more information, see Dashboards in the Tenable Identity Exposure User Guide.
- Platform health check capabilities — Tenable Identity Exposure lists the platform health checks it performed in a consolidated view to enable you to investigate and resolve configuration anomalies promptly. For more information, see Health Checks in the Tenable Identity Exposure Administrator Guide.
- Onboarding — For enhanced security, the onboarding process now requires that users change the default credentials provided for the initial login when they log in for the first time. Tenable Identity Exposure also enhanced the rules for a new password.
- Scalability — Tenable Identity Exposure improved the performance of Indicators of Attack on the service side to handle events of interest on a greater scale for better IoA accuracy and latency. For more information, see Scale Tenable Identity Exposure Services in the Tenable Identity Exposure Installation Guide.
- Trail Flow
  - Tenable Identity Exposure receives events from Active Directory promptly as soon as changes appear. However, for high-frequency changes in large groups, it applies a 10-minute delay to aggregate events before notifying the rest of the system, preventing performance issues.
  - It is now possible to filter trail flow events by both date and time.
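The IoE analysis switch described under Indicators of Exposure above, applied on the Security Engine Node as an added PowerShell example (not Tenable's own tooling): it sets the variable at machine scope, confirms the value, and restarts the Cygni service so the new setting is read. The service name pattern is an assumption; check the real name with Get-Service on your SEN.

```powershell
# Added example, not Tenable's code. Toggles IoE analysis on the default security
# profile on the SEN and restarts the Cygni service. Run in an elevated session.
function Set-CygniIgnoreDefaultProfile {
    param(
        [ValidateSet('true', 'false')] [string] $Value = 'true',
        # Assumption: placeholder pattern; replace with the actual Cygni service name.
        [string] $ServiceNamePattern = '*Cygni*'
    )
    $name = 'ALSID_CASSIOPEIA_CYGNI_Application__IOE__IgnoreDefaultProfile'

    # Machine scope is required: a Windows service reads machine-level environment
    # variables at start-up, so a user- or process-scoped variable would not reach Cygni.
    $previous = [Environment]::GetEnvironmentVariable($name, 'Machine')
    [Environment]::SetEnvironmentVariable($name, $Value, 'Machine')
    $current = [Environment]::GetEnvironmentVariable($name, 'Machine')
    if ($current -ne $Value) { throw "Failed to set $name at machine scope" }

    $service = Get-Service -Name $ServiceNamePattern -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $service) { throw "No service matching '$ServiceNamePattern'; pass -ServiceNamePattern" }

    # The service only picks up the new value on restart; wait until it is back up.
    Restart-Service -Name $service.Name -Force
    $service.WaitForStatus('Running', [TimeSpan]::FromSeconds(120))

    [pscustomobject]@{
        Variable      = $name
        PreviousValue = $previous
        CurrentValue  = $current
        Service       = $service.Name
        Status        = (Get-Service -Name $service.Name).Status
    }
}

# Disable IoE analysis on the default profile; use -Value 'false' to revert.
Set-CygniIgnoreDefaultProfile -Value 'true'
```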
Tenable Identity Exposure version 3.59.4 contains all bug fixes since version 3.42.
Tenable Identity Exposure on-premises version 3.59.4 offers significant enhancements to safeguard your Active Directory infrastructure. This release includes updates to certain dependencies to prioritize software security and ensure up-to-date components for improved protection. The components are:
- Storage Manager (SM)
- Security Engine Node (SEN)
- Directory Listener (DL)
Software Name | Component | Pre-upgrade Version | Post-upgrade Version |
---|---|---|---|
Tenable Identity Exposure | | 3.42 | 3.59 |
C++ 2015-2019 Redistributable | All (unchanged) | 14.24.28127.4 | 14.24.28127.4 |
.NET Windows Server Hosting | SEN, DL | 6.0.22.23424 | 6.0.27 |
.NET Runtime | SEN, DL | 6.0.22.32824 | 6.0.27 |
ASP.NET Core | SEN, DL | 6.0.22.23424 | 6.0.27 |
IIS URL Rewrite Module 2 | SEN (unchanged) | 7.2.1993 | 7.21993 |
Application Request Routing 3.0 | SEN (unchanged) | 3.0.05311 | 3.0.05311 |
NodeJS | SM, SEN | 18.18.0 | 18.19.0 |
Erlang OTP | SEN | 26.1.1 | 26.2.2 |
Rabbit MQ | SEN | 3.12.6 | 3.12.12 |
SQL Server | SM | 15.0.4322.2 | 15.0.4335.1 |
Tenable Identity Exposure 3.42.18 (2024-04-18)
See Tenable Identity Exposure 3.42 (2023-04-06) On-premises Release Notes for the complete list of new features, bug fixes, and patches.
Tenable Identity Exposure version 3.42.18 contains the following patches:
Patch | Defect ID |
---|---|
SAML-generated Tenable certificates now use a 4096-bit key with SHA-256 signatures, up from the previous 1024-bit key size. | N/A |
Attack Path enhancements: | N/A |
Tenable Identity Exposure now refreshes CA certificates properly following updates in the Syslog alert configuration. | N/A |
Tenable Identity Exposure now applies the neutralization of formula elements in a CSV file, commonly known as CSV injection. | N/A |
When Tenable Identity Exposure analyzes a 4776 event that lacks a hostname, resulting in an "Unknown" source, it now appropriately filters it out based on the "Allow Unknown source" option of the Password Guessing Indicator of Attack. | N/A |
DCSync Indicator of Attack enhancements: | N/A |
The Indicator of Attack events listener can once again run on Windows Server versions older than 2016. | N/A |
A new mechanism ensures that the database is resilient to having many badPwdCount attribute modifications. | N/A |
Tenable Identity Exposure on-premises version 3.42.11 offers significant enhancements to safeguard your Active Directory infrastructure. This release includes updates to certain dependencies to prioritize software security and ensure up-to-date components for improved protection.
Software Name | File Name | Tenable Identity Exposure 3.42.3 | Tenable Identity Exposure 3.42.11 | Tenable Identity Exposure 3.42.17 | Tenable Identity Exposure 3.42.18 |
---|---|---|---|---|---|
cUrl | curl.exe | 7.66.0 | 8.0.1 | 8.4.0 | 8.4.0 |
SysInternals Handle | handle.exe | 4.22.0 | 5.0.0 | 5.0 | 5.0 |
IIS URL Rewrite Module 2 | rewrite_amd64_en-US.msi | 7.2.1980 | 7.2.1993 | 7.2.1993 | 7.2.1993 |
.NET Runtime | dotnet-hosting-6.0.14-win.exe | 6.0.14 | 6.0.16 | 6.0.22.32824 | 6.0.28 |
NodeJS | node-x64.msi | 16.19.1 | 16.20.0 | 18.18.0 | 18.19.1 |
MSSQL | setup.exe | 2019.150.2000.5 | 2019.150.4312.2 | 15.0.4322.2 | 15.0.4355.3 |
RabbitMQ | rabbitmq-server.exe | 3.10.11 | 3.10.19 | 3.12.6 | 3.12.13 |
Erlang OTP | otp_win64.exe | 25.1.2 | 25.1.2 | 26.1.1 | 26.2.3 |
C++ 2015-2022 Redistributable (unchanged) | vcredist_2015_x64.exe | 14.24.28127.4 | 14.24.28127.4 | 14.24.28127.4 | 14.38.33130.0 |
ASP.NET Core | dotnet-hosting-win.exe | 6.0.14 | 6.0.16 | 6.0.22.23424 | 6.0.28 |