2012-01-23 product and content updates
This Rapid7® Nexpose® 5.1 release features improvements to security configuration assessment, Web application security, scanning and documentation, and expanded virtualization support.
These release notes document what's new in this Nexpose release. Your Nexpose installation will automatically download and install content updates. If you have enabled Nexpose to install product updates, it will do so as well. See the third FAQ.
Thanks for choosing Nexpose!
Release 5.1 is one of many exciting deliveries in 2012 in response to your direct feedback. It incorporates the full commitment of Rapid7 to delivering a great product to you, our customer. The release includes improved asset searches and reporting with our new, extended Dynamic Asset Group criteria. If you are using Advanced Policy Engine for security configuration assessment, we now provide USGCB support as well as a high-level overview of your policy compliance across your organization. For those of you looking to migrate to newer platforms we have enhanced the backup-and-restore feature to allow cross-platform migration in addition to a smaller footprint of backup files. In terms of coverage, we rounded out our checks for the OWASP Top 10, released more than 3400 checks since the 5.0 release, and improved accuracy of our SSH vulnerability checks. We trust that you’ll find these enhancements useful. Keep an eye out for continued enhancements throughout 2012, and as always, please keep the feedback coming on how we can make Nexpose even better.
Director of Engineering, Rapid7
Security Configuration Assessment | product and content
USGCB scanning helps you keep current with government standards
With the new, fully integrated USGCB scan template, you can scan your Windows 7, Windows 7 Firewall, Windows 7 Energy, and Internet Explorer 8 assets to verify compliance with the United States Government Configuration Baseline (USGCB). Informed by the results of policy scans, you can make any necessary configuration changes to ensure that your assets comply with USGCB standards. To create a scan configuration that matches the specific needs of your environment, you can customize scan templates with USGCB checks, which are included in the Advanced Policy Engine. As with Federal Desktop Core Configuration (FDCC) checks, you can view and override USGCB results in the Web interface.
To further help you comply with U.S. government requirements, this feature also allows you to generate USGCB Result Files and output their content in a machine-readable format for submission to the Office of Management and Budget.
NOTE: The USGCB scan template is bundled with the FDCC module and sold as a separately licensable option. This module requires the Advanced Policy Engine to be enabled. To discuss pricing and upgrade options, please contact Rapid7.
Security configuration assessment at a glance
The new Policies tab provides a centralized view of your assets’ compliance with the Advanced Policy Engine policies and baselines for which you have run scans. The Policies page shows compliance statistics at the policy level to help you quickly gauge compliance across your entire organization.
Web application security | product and content
Nexpose now delivers coverage in all 10 of the OWASP Top 10 Security Risk categories
New checks identify "Failure to Restrict URL Access" vulnerabilities, which make up the A8 category of the Open Web Application Security Project (OWASP) Top 10 Security Risks for Web applications. With this improvement, the Web scanner now identifies vulnerabilities in each of the Top 10 OWASP categories. You can find more information about the category here:
NOTE: These checks require HTTP form or HTTP basic credentials in the site configuration.
Web crawling is improved | product
With enhanced crawling capabilities, the Web scanner can identify more links in complex Web applications.
Scanning improvements | product and content
“Pass-the-hash” credential expands deep scanning options
You can now use captured LM/NTLM hashes for running credentialed scans on Windows assets via the standard SMB/CIFS protocol. Expanding your range of deep scanning options, this credential makes it unnecessary to “crack the password” to gain access to target services.
Penetration testers who use Metasploit can leverage this feature by launching a Nexpose scan task and checking the Pass the LM/NTLM hash credentials checkbox. Metasploit will then automatically pass to Nexpose any LM/NTLM hashes that it looted during exploitation, allowing Nexpose to perform fully authenticated scans.
SSH checks have improved accuracy
Better SSH negotiation eliminates false positives on scan target services that utilize an authentication mechanism after the negotiation.
Coverage and reporting improvements
- Improved checks for vulnerabilities reported in Microsoft Security Bulletin MS10-070 provide better security coverage.
- Baseline comparison reports are now generated without issues when an asset is included in the report scope by more than one scope selection mechanism: asset, asset group, or site.
Virtualization support | product
Options expand for vAsset discovery connections
You can now specify any port and protocol (HTTPS or HTTP) for communicating with vSphere instances when establishing vConnections for vAsset discovery.
Connection columns improve vAsset monitoring
The vEvents table, which lists every change in the vAsset discovery environment, now includes the vConnection associated with each event, so that you can determine which assets and events are associated with each vCenter server or ESX(i) host.
Usability and Administrative Enhancements | product
New dynamic filters provide more granular asset searches
The dynamic asset group filter capabilities have been greatly expanded. You can now create dynamic asset groups based on risk scores, exploit and malware exposures, CVSS metrics, PCI scan results, and scan dates. These enhanced searching capabilities provide more granular ways to isolate assets that affect your security posture in critical ways and prioritize them for remediation.
New asset column shows number of malware kits
Asset Listing tables in the Web interface now include a column that lists the number of malware kits that can be used to exploit vulnerabilities on each asset. Viewing the number of malware exposures and sorting on them can help you prioritize remediation tasks.
Platform-independent backups allow migration to newer platforms
(aka 32-bit to 64-bit migration)
When performing backups, you can select a platform-independent option that gives you the flexibility to restore the files on any host system, whether or not it has the same operating system as the host for the backup. This option also reduces the size of the backup file.
NOTE: Platform-independent backups may take longer to complete.
Other usability enhancements
- The navigation tabs in the Web interface are ordered to better match your workflow.
- You can create a CSV file listing all of the threats associated with an asset.
Documentation improvements | product
Expanded user’s guide provides more detailed information on reports
The user’s guide now includes more detailed information and best practices for generating and reading reports and using the CSV export. You can download the guide by clicking the Support link in the Web interface.
Installers Released on January 23, 2012 (see fourth FAQ).
- Linux 32 | Update ID: 2220601069
- Linux 64 | Update ID: 839270008
- Windows 32 | Update ID: 1220461598
- Windows 64 | Update ID: 3456844061
md5sum files: Download the appropriate md5sum file to ensure that the installer was not corrupted during download:
Frequently asked questions (FAQs)
- How will I know Nexpose has updated with this specific release?
All updates are listed on the News page of the Nexpose Security Console Web interface.
- Why doesn’t the most recent date on the News page match the dates of the current updates on the Administration page?
You may occasionally notice that the most recent date on the News page does not match the dates of the current updates listed on the Nexpose Security Console administration page. The dates on the News page are official release dates. The dates on the console page indicate when updates were actually applied to your Nexpose installation.
- What are content updates, and what are product updates?
Content updates include new checks for vulnerabilities, patch verification, and compliance with security policies. Product updates include performance improvements, bug fixes, and new features in Nexpose.
- Why are installers not updated with every release?
To help you stay on top of an ever-growing number of security threats, Rapid7 makes the delivery of new security content timely and convenient. After installation and first-time start-up, Nexpose continues to update itself dynamically. This makes it unnecessary for Rapid7 to update installers with every release of security content. So, you don't have to download installers every time new content is available.
- Does this dynamic self-updating cause Nexpose to restart?
Yes. You may notice Nexpose taking longer to start for the first time after installation. You may also notice it restarting more than once as it completes a required sequence of updates.
- How can I obtain more information about this release?
If you have purchased Nexpose, contact our Technical Support Team at Support@Rapid7.com. If you are using the Community version of Nexpose, go to http://community.rapid7.com.
- Where can I find announcements for other releases?
You can find all release announcements in the Rapid7 Community at https://community.rapid7.com/community/nexpose/nexpose_release_notes?view=documents.
Join the Rapid7 Community!
Learn tips and tricks, engage with your peers, and keep up with the latest product developments.