Tenable.ad 3.11 On-premise (2021-12-01)
This release is end-of-life (EOL). Upgrade to a supported version. For information about EOL dates and policies for Tenable products, see the Tenable Software Release Lifecycle Matrix and Policy.
New Features
Tenable Identity Exposure version 3.11 includes the following new features:
-
A new Indicator of Exposure lists dangerous permissions and misconfigured parameters related to the Windows Public Key Infrastructure (PKI).
-
Secure communications between components via TLS using Tenable Identity Exposure's self-signed auto-generated certificate or a custom certificate.
-
A dedicated MSI for the security probe installation.
-
A lockout policy to mitigate brute force attacks against authentication mechanisms. It aims to lock out user accounts after too many failed login attempts.
-
A product licensing feature to allow you to update your Tenable Identity Exposure license.
-
Ability to disable certain indicators of exposure without restarting the security engine node.
-
Support for the localization process.
-
Single domain recrawling to force the refreshing of data for a domain.
-
Use of native Server Message Block (SMB) mapping.
-
Upgrade of Node.js to v16.
-
Japanese language support
-
New Indicator of Exposure to detect when privileged users are allowed to authenticate on systems that are not considered as trusted.
-
New Indicator of Attack to detect PETIT-POTAM attempts to coerce remote servers to authenticate with another machine on the network due to a Windows vulnerability.
-
A licensing feature to allow you to update your Tenable Identity Exposure license.
-
A new ability to define time zones for PDF/PPTX/CSV reports.
-
A new pane to display the details of an event when you review an incriminating attribute.
Bug Fixes
Tenable Identity Exposure version 3.11 contains the following bug fixes:
| Bug Fix | Defect ID |
|---|---|
| Tenable Identity Exposure purges the previous version's events from internal queues after each upgrade. | N/A |
| The analytics service successfully reconnects to the RabbitMQ server after failures. | N/A |
| The Indicator of Exposure C-PASSWORD-POLICY is more resilient against a specific corner case. | N/A |
| Tenable Identity Exposure ignores InheritOnly ACEs when it checks ACLs to avoid false positives. | N/A |
| The Trail Flow no longer freezes. | N/A |
| The Indicators of Attack requiring Sysmon tolerate better versions of Windows event, which strengthens detection. | N/A |
| Tenable Identity Exposure lists an event's deviances. | |
| Tenable Identity Exposure now processes the InheritOnly flag in the Active Directory's ACEs when it checks ACLs. | N/A |
| Tenable Identity Exposure displays current dashboard data for new profiles. | N/A |
| Tenable Identity Exposure sets a timeout when it reindexes the database to prevent sporadic database unavailability. | N/A |
| Tenable Identity Exposure processes correctly LDAP objects with an empty GPLinks attribute. | N/A |
| Tenable Identity Exposure enables a live trail flow on the first login. | N/A |
| There are fewer deadlock possibilities in the database when Tenable Identity Exposure inserts Active Directory objects. | N/A |
| The widget title now supports Japanese characters. | N/A |
| Tenable Identity Exposure decreases the memory that the security analysis service consumes. | N/A |
| Tenable Identity Exposure uses the correct configuration naming context when it looks for the Default Query Policy. | N/A |
| Diffs on long attribute values no longer overflow. | N/A |
| Tenable Identity Exposure enables live directory status on the first login. | N/A |
| Tenable Identity Exposure shows better data consistencies regarding the member attributes of group objects. | N/A |
| The Indicator of Exposure C-DC-ACCESS-CONSISTENCY does not check deleted domain controllers when you disable this option. | N/A |
| Node.JS has upgraded to version 12.22.7. | N/A |
| The Indicator of Exposure C-OBSOLETE-SYSTEMS displays alerts for the correct end of life date for Windows Server 2012 R2. | N/A |
| Tenable Identity Exposure reports correctly the end of support date for Windows 2012 r2. | N/A |
| API route events/eventId/ad objects do not fail due to responses exceeding the limit of 8000 bytes. | N/A |
| The Directory Listener reconnects to the queue manager without exhausting ports. | N/A |
| An indicator of exposure does not show up as deviant if all of its deviant objects are ignored. | N/A |
| The Indicator of Exposure C-OBSOLETE-SYSTEMS now checks for obsolete versions of Windows 10. | N/A |
| There is no longer a mismatch error between properties and attributes for indicators of attack. | N/A |
| The Ceti service can locate the TimeCreated property from an indicator-of-attack event. | N/A |
| Multi-threading works in the check context. | N/A |
| Indicator of attack errors are now centralized in Ceti's logs. | N/A |
| The GetLastEvent command returns correctly the ID of the last event without filtering. | N/A |
| Tenable Identity Exposure decodes correctly the cACertificate attribute. | N/A |
| Users can access the "Email alerts" page in order to create or modify email alerts. | N/A |
| Sysvol crawling succeeds with SMB mapping. | N/A |
| Crawling succeeds even when LDAP requests take a long time to initialize. | N/A |
| SYSVOL crawling completes successfully despite network errors | N/A |
| The fetching of attribute names no longer fails due to timeout. | N/A |
| There are no performance issues with the Cygni component. | N/A |
| The Ceti component asks the Eridanis component to send directories only once. | N/A |
| Tenable Identity Exposure does not consider an empty GpcFileSysPath attribute as deviant. | N/A |
| The IoA task script supports Windows Server 2008R2. | N/A |
| Tenable Identity Exposure no longer considers as deviant alerts from domains that were removed. | N/A |
| The Sysvol Crawler continues even if the registry.pol file exceeds a given size. | N/A |
| The LDAP initialization succeeds even when it crawls an object that does not have an attribute change. | N/A |
| The parsing of POL files now works correctly. | N/A |
| There are no longer lost IoA events. | N/A |
| When creating a PSO after creating a domain, Tenable Identity Exposure no longer displays the reason "No PSO are applied on the domain". | N/A |
| Tenable Identity Exposure displays two distinct trust relationships even if they start from and end at the same domain. | N/A |
| Tenable Identity Exposure redirects the user from the email's "IoE details" and "IoA details" buttons to their corresponding page. | N/A |
| Tenable Identity Exposure supports Syslog and email ports above 60000. | N/A |
| Tenable Identity Exposure reconnects to the LDAP server when it loses the connection due to an LDAP_SERVER_DOWN error. | N/A |
| The Consolidated View timeline begins with the last day of the previous month when you select the month period. | N/A |
| Tenable Identity Exposure exports the Consolidated View in PDF or PPT with the same selected month. | N/A |
| Tenable Identity Exposure raises an "NTLMv1 protocol not disabled" deviance when the GPO is unlinked. | N/A |
| The checker now ignores the KRBTGT account. | N/A |
| Default profile options are included in any profile. | N/A |
| The license lock works with the NFR license. | N/A |
| The LDAP initialization completes even when it attempts to crawl inaccessible objects. | N/A |
| LDAP initialization succeeds even when it crawls an object that does not have an attribute change. | N/A |
Patches
Tenable Identity Exposure 3.11.9 (2022-12-15)
Tenable Identity Exposure version 3.11.9 contains the following patches.
| Patch | Defect ID |
|---|---|
| Fixed CVE-2022-37026 by upgrading the RabbitMQ library dependency. | N/A |
Tenable Identity Exposure 3.11.7 (2022-04-06)
Tenable.ad version 3.11.7 contains the following patches.
| Patch | Defect ID |
|---|---|
| Tenable Identity Exposure correctly flushes out Login event (4624) from its cache memory after a Logoff event (4634). | N/A |
| Tenable Identity Exposure displays attacks that occur on the 1st day of the month in the correct month. | N/A |
| When you remove a GPO, Tenable Identity Exposure only displays the deleted event. | N/A |
| When the SYSVOL connection breaks, Tenable Identity Exposure renews the connection to allow the listener to fetch new events. | N/A |
| The allow lists for Credentials Roaming users and groups now accept the samAccountName format. | N/A |
This patch also updates OpenSSL-related software to address the security issue CVE-2022-0778.
Tenable Identity Exposure 3.11.6 (2022-03-08)
Tenable.ad version 3.11.6 contains the following patches.
| Patch | Defect ID |
|---|---|
| SQL services are running when upgrading from version 3.11.3. | N/A |
| Split architecture installations include TLS options. | N/A |
| Rabbit MQ correctly resumes after upgrading from version 3.1.5 to 3.11.3. | N/A |
| Event insertion no longer affects performance. | N/A |
| Events for Indicators of Attack do not consume too many memory resources. | N/A |
Tenable Identity Exposure 3.11.4 (2022-01-24)
Tenable.ad version 3.11.4 contains the following patches.
| Patch | Defect ID |
|---|---|
| The Tenable Identity Exposure installer pre-fills values for IP/ports from variables during an upgrade. | N/A |
| The upgrade correctly considers existing certificates. | N/A |
| The SQL service account can now access local certificates. | N/A |
| Tenable Identity Exposure updates group members when they change Organizational Units (OU). | N/A |
| The Security Probe installer completes after a reinstallation. | N/A |
| The Tenable Identity Exposure installer verifies that the PFX certificates are valid. | N/A |