Nexpose release notes for September 2015

Document created by S Tempest Employee on Sep 1, 2015Last modified by S Tempest Employee on Sep 30, 2015
Version 9Show Document
  • View in full screen mode

To help you protect your environment against ever-evolving security threats, Rapid7 releases coverage updates for Nexpose on a weekly basis. Product IDs and installer links are added the day of the release. This page contains detailed announcements for the most recent Nexpose coverage releases:


This Rapid7® Nexpose® 5.17.5 release contains:

  • update server notification
  • database update notification
  • accuracy improvements
  • recurring coverage

Action required: Do you whitelist the Rapid7 Update Server IP address in your firewall?

If you do, you’ll need to add a new IP address, 52.3.118.139, to your whitelist in order to continue to receive Nexpose updates. We are moving the Nexpose update server (updates.rapid7.com) soon for better performance and reliability. Update your whitelist now to avoid interruptions.

Reminder: Upgrade the database on all your consoles to receive product updates.

Upgrade now to the latest version of PostgreSQL! You need to upgrade to take advantage of all available security coverage. Use the migration utility in the console for an easy update.

  • Remember to upgrade the database for all your consoles.
    • As of the September 9, 2015 release, you won't be able to access any more product updates without upgrading.
    • To access the migration utility, click the Learn more link in the upgrade notification in the Security Console. The utility guides you through the process and estimates how long it will take, based on your database size.
    • Note: Running automatic or manual product updates does not upgrade the database. The only way to upgrade is to use the migration utility.
    • Read this blog post: The easy button for updating your Nexpose database, which describes how easy it is to run the migration, and includes a link to a short video tutorial.
    • Read this blog post: Get on the Path to Superpowers in only 1 Hour! for more information on why it's important to upgrade PostgreSQL.

Have you tuned your Nexpose database?

Tuning your Nexpose database is an important best practice to ensure optimal performance for new features and core Nexpose operations, such as integrating scan data and generating reports. After you upgrade your database to the latest version (see preceding note) make sure to tune your PostgreSQL settings. See the section Tuned PostgreSQL settings in the Nexpose Administrator's Guide, which you can download from the Rapid7 community.

Accuracy improvements | content

Better accuracy of scan results helps you to assess your security posture and prioritize remediation more effectively:

  • We have updated the vulnerability checks for Adobe Flash Player Unspecified Vulnerability On Opera Browser to be specific to Mac OS X.
  • We have updated the CVSS vector for Microsoft vulnerability MS14-068, so the displayed CVSS score is consistent throughout the application.

Recurring coverage | content

  • New and updated vulnerability checks help you protect your environment against the latest threats. See all the operating systems and applications covered by these updates.

Buzz

Installer links, md5sum links, and virtual appliance links

Click here for the latest installer links, md5sum links, and virtual appliance links.

Product Update IDs

  • Linux 64 | Update ID: 485402516
  • Windows 64 | Update ID: 4225267025

Content update ID

  • Update ID: 4078016344

This Rapid7® Nexpose® 5.17.4 release contains:

  • database update notification
  • application improvements
  • accuracy improvements
  • coverage improvement
  • recurring coverage

REMINDER: Upgrade the database on all your consoles to receive product updates.

Upgrade now to the latest version of PostgreSQL! You need to upgrade to receive updates and take advantage of all available security coverage.

  • Remember to upgrade the database for all your consoles.
    • As of the September 9, 2015 release, you won't be able to access any more product updates without upgrading.
    • To access the migration utility, click the Learn more link in the upgrade notification in the Security Console. The utility guides you through the process and estimates how long it will take, based on your database size.

      s_NX_upgrade_link.png
    • Note: Running automatic or manual product updates does not upgrade the database. The only way to upgrade is to use the migration utility.
    • Read this blog post: The easy button for updating your Nexpose database, which describes how easy it is to run the migration, and includes a link to a short video tutorial.
    • Read this blog post: Get on the Path to Superpowers in only 1 Hour! for more information on why it's important to upgrade PostgreSQL.

Have you tuned your Nexpose database?

Tuning your Nexpose database is an important best practice to ensure optimal performance for new features and core Nexpose operations, such as integrating scan data and generating reports. After you upgrade your database to the latest version (see preceding note) make sure to tune your PostgreSQL settings. See the section Tuned PostgreSQL settings in the Nexpose Administrator's Guide, which you can download from the Rapid7 community.

Application improvements | product

Improvements to how the application integrates and presents scan data, and how it performs overall, help you to manage security issues more effectively in your environment:

  • We have corrected an issue that prevented DHCP directory watcher connection to windows file shares when the security policy LAN Manager authentication level was set to Send NTLMv2 responses only: Refuse LM & NTLM, for better performance on connections that use NTLMv2 only.
  • We have addressed an issue that prevented users without the Manage Site Credentials permission from saving sites to which they otherwise had permissions that had shared credentials applied. Now they can have appropriate access without needing advanced permissions.

Accuracy improvements | content

Better accuracy of scan results helps you to assess your security posture and prioritize remediation more effectively:

  • We have improved the accuracy of Shellshock vulnerability coverage for Cisco NX devices to account for fix versions that have been released over time.
  • For those scanning Red Hat Enterprise platforms, an issue that caused false positives with Red Hat middleware applications has been resolved.

Coverage improvement | content

New coverage expands your visibility into assets and threats in your environment:

  • Vulnerability coverage has been added to detect the SYNful Knock router implant in Cisco devices.

Recurring coverage | content

  • New and updated vulnerability checks help you protect your environment against the latest threats. See all the operating systems and applications covered by these updates.

Installer links, md5sum links, and virtual appliance links

Click here for the latest installer links, md5sum links, and virtual appliance links.

Product Update IDs

  • Linux 64 | Update ID: 4199974493
  • Windows 64 | Update ID: 2469653147

Content update ID

  • Update ID: 929560692

This Rapid7® Nexpose® 5.17.3 release contains:

  • database update notification
  • application improvements
  • accuracy improvements
  • scanning improvement
  • coverage improvement
  • recurring coverage

URGENT REMINDER: You will no longer receive product updates if you have not updated your database.

Upgrade now to the latest version of PostgreSQL! You need to upgrade to receive updates and take advantage of all available security coverage.

  • Remember to upgrade the database for all your consoles.
    • As of the September 9, 2015 release, you won't be able to access any more product updates without upgrading.
    • To access the migration utility, click the Learn more link in the upgrade notification in the Security Console. The utility guides you through the process and estimates how long it will take, based on your database size.

      s_NX_upgrade_link.png
    • Note: Running automatic or manual product updates does not upgrade the database. The only way to upgrade is to use the migration utility.
    • Read this blog post: The easy button for updating your Nexpose database, which describes how easy it is to run the migration, and includes a link to a short video tutorial.
    • Read this blog post: Get on the Path to Superpowers in only 1 Hour! for more information on why it's important to upgrade PostgreSQL.

Have you tuned your Nexpose database?

Tuning your Nexpose database is an important best practice to ensure optimal performance for new features and core Nexpose operations, such as integrating scan data and generating reports. After you upgrade your database to the latest version (see preceding note) make sure to tune your PostgreSQL settings. See the section Tuned PostgreSQL settings in the Nexpose Administrator's Guide, which you can download from the Rapid7 community.

Application improvements | product

Improvements to how the application integrates and presents scan data, and how it performs overall, help you to manage security issues more effectively in your environment:

  • We have fixed an issue where only Global Administrators could test site and shared credentials, so others with appropriate permissions can perform those actions.
  • We have fixed an issue with the display of scan durations longer than one day, for more accurate representation of the length of scans.
  • Display of assets discovered by connections is restricted to users with the Manage Sites permission, so your organization can maintain greater control over access to those assets.
  • Scans now show an Integrating status after scan engine activity is complete. This allows you to differentiate between scan activity and console activity for the overall scan status.

Accuracy improvements | content

Better accuracy of scan results helps you to assess your security posture and prioritize remediation more effectively:

  • We have updated the solution of the Microsoft IIS ISAPI Extension Enumerate Root Web Server Directory vulnerability to include remediation guidance for IIS7 and above.
  • For those scanning Solaris systems, we have improved the accuracy of the vulnerability check for Solaris Insecure Crontab File Permissions.
  • For those scanning non server core installations of Windows Server 2008 R2, the check accuracy for Microsoft security bulletins MS14-084, MS15-019 and MS15-053 has been improved, so you can avoid false positives for these bulletins.
  • An issue that caused false positives with Red Hat Security Advisory RHSA-2014:1317 has been resolved, so you will not receive a notification on systems that are not vulnerable.
  • An issue that caused false positives with Red Hat Security Advisory RHSA-2014:0487 has been resolved, so you will not receive a notification on systems that are not vulnerable.
  • We have improved the accuracy of vulnerability coverage for Windows Disable Autorun Registry Key by adding support for KB971029, so you can more precisely track vulnerable assets.

Scanning improvement | product

Better scan performance helps you to retrieve scan results more quickly with improved accuracy and more efficient use of resources:

  • For customers with large numbers of Amazon connections and assets, we have resolved an issue where the Security Console could potentially make additional and unnecessary requests to the Amazon AWS API, in order to improve performance in such situations.

Coverage improvement | content

New coverage expands your visibility into assets and threats in your environment:

  • You can now scan your organization's assets against the CIS Windows 7 policy and determine your level of compliance.

Recurring coverage | content

  • New and updated vulnerability checks help you protect your environment against the latest threats. See all the operating systems and applications covered by these updates.

Installer links, md5sum links, and virtual appliance links

Click here for the latest installer links, md5sum links, and virtual appliance links.

Product Update IDs

  • Linux 64 | Update ID: 326875871
  • Windows 64 | Update ID: 963594825

Content update ID

  • Update ID: 3004221166

This Rapid7® Nexpose® 5.17.2 release contains:

  • database update notification
  • Patch Tuesday coverage and recurring coverage
  • application improvements
  • accuracy improvement

 

ACTION REQUIRED: You will no longer receive product updates if you have not updated your database.

Upgrade now to the latest version of PostgreSQL! You need to upgrade to receive updates and take advantage of all available security coverage.

  • If you haven't upgraded yet, it's easy; but do it now! Remember to upgrade the database for all your consoles.
    • As of this release, you won't be able to access any more product updates without upgrading.
    • To access the migration utility, click the Learn more link in the upgrade notification in the Security Console. The utility guides you through the process and estimates how long it will take, based on your database size.

      s_NX_upgrade_link.png
    • Note: Running automatic or manual product updates does not upgrade the database. The only way to upgrade is to use the migration utility.
    • Read this blog post: The easy button for updating your Nexpose database, which describes how easy it is to run the migration, and includes a link to a short video tutorial.
    • Read this blog post: Get on the Path to Superpowers in only 1 Hour! for more information on why it's important to upgrade PostgreSQL.

Have you tuned your Nexpose database?

Tuning your Nexpose database is an important best practice to ensure optimal performance for new features and core Nexpose operations, such as integrating scan data and generating reports. After you upgrade your database to the latest version (see preceding note) make sure to tune your PostgreSQL settings. See the section Tuned PostgreSQL settings in the Nexpose Administrator's Guide, which you can download from the Rapid7 community.

September Patch Tuesday checks | content

New vulnerability checks provide up-to-date Microsoft Patch Tuesday scan coverage for September 2015. For information about all current security bulletins covered in this release, see the Microsoft Security Bulletin Summary for September 2015. Use the checks in this update to verify that the latest Microsoft patches have been applied to system assets. These checks help you determine where new risks are located in your environment, allowing you to prioritize what needs to be remediated and help minimize risk.

Application improvements | product

Improvements to how the application integrates and presents scan data, and how it performs overall, help you to manage security issues more effectively in your environment:

  • Due to an issue with applied file system permissions, some non-default installations of the application could be used by a user with local access to the machine where it is installed to escalate local privileges to those of the application's system processes. This privilege escalation issue was resolved with this release for existing installations, and resolved in the prior release for new installations. We thank Will Hunt of 7Safe, Ltd. for coordinating disclosure of this vulnerability.
  • Administrators now have the option to require a new user to change their password immediately on their next login, so that the user will have a unique password for better security on the console.
  • Administrators with permissions to manage user accounts can now see each user's password expiration date in the Users table, so they can better monitor which users have passwords that will expire soon.
  • We have addressed an issue that prevented users without the Manage Site Credentials permission from saving sites they otherwise had permissions to that had shared credentials applied. Now they can have appropriate access without needing advanced permissions.
  • For those using XML Export 2.0 reports, we have corrected an issue that could cause older scan data to appear for some assets when the Use only assets found in the last scan option was checked, so you now have the most up-to-date information in your reports.
  • We have addressed an issue that prevented assets with zero vulnerabilities and zero services discovered from showing up in the XML Export (original or version 2.0) reports, so you can confirm that these assets have been scanned.

Accuracy improvement | content

Better accuracy of scan results helps you to assess your security posture and prioritize remediation more effectively:
  • We have improved the accuracy of vulnerability coverage for Microsoft security bulletin MS15-093, so you can more precisely track the vulnerability of assets without Internet Explorer installed on them.

Recurring coverage | content

  • New and updated vulnerability checks help you protect your environment against the latest threats. See all the operating systems and applications covered by these updates.

Installer links, md5sum links, and virtual appliance links

Click here for the latest installer links, md5sum links, and virtual appliance links.

Product Update IDs

  • Linux 64 | Update ID: 259347500
  • Windows 64 | Update ID: 4195383421

Content update ID

  • Update ID: 4066087902

This Rapid7® Nexpose® 5.17.1 release contains:

  • database update notification
  • application improvements
  • accuracy improvement
  • scanning improvement
  • coverage improvement and recurring coverage

 

ACTION REQUIRED: Upgrade your database now!

Upgrade now to the latest version of PostgreSQL! You need to upgrade to keep getting updates and take advantage of all available security coverage.

  • If you haven't upgraded yet, it's easy; but do it now!
    • This week's release is the last one in which you can get updates without the database upgrade. After this, you won't be able to access any more product updates without upgrading.
    • To access the migration utility, click the Learn more link in the upgrade notification in the Security Console. The utility guides you through the process and estimates how long it will take, based on your database size.

      s_NX_upgrade_link.png
    • Note: Running automatic or manual product updates does not upgrade the database. The only way to upgrade is to use the migration utility.
    • Read this blog post: The easy button for updating your Nexpose database, which describes how easy it is to run the migration, and includes a link to a short video tutorial.
    • Read this blog post: Get on the Path to Superpowers in only 1 Hour! for more information on why it's important to upgrade PostgreSQL.
  • If you've upgraded already, great! If not, you will no longer receive updates.

Have you tuned your Nexpose database?

Tuning your Nexpose database is an important best practice to ensure optimal performance for new features and core Nexpose operations, such as integrating scan data and generating reports. After you upgrade your database to the latest version (see preceding note) make sure to tune your PostgreSQL settings. See the section Tuned PostgreSQL settings in the Nexpose Administrator's Guide, which you can download from the Rapid7 community.

Application improvements | product

Improvements to how the application integrates and presents scan data, and how it performs overall, help you to manage security issues more effectively in your environment:

  • We have fixed an issue where some with the Manage Sites privilege could no longer access the Shared Scan Credentials configuration page, so you can administer your installation with the specified permissions.
  • We have fixed an issue where the Security Console would not immediately restart after initiating a maintenance task in some situations, so you can experience a smooth process when performing maintenance and updates.
  • We have fixed an issue where the Project Sonar data import feature was not available on certain installations that were licensed for it.

Accuracy improvements | content

Better accuracy of scan results helps you to assess your security posture and prioritize remediation more effectively:

  • For those scanning targets with the AIX operating system, the AIX obsolete version check has been enhanced to include technology levels for a more granular insight into unsupported versions.
  • For those with a vulnerable result on the unix-user-home-dir-mode check, the remediation information has been improved to provide better guidance.

Scanning improvement | product

Better scan performance helps you to retrieve scan results more quickly with improved accuracy and more efficient use of resources:

  • For those connecting multiple consoles to the same Scan Engine, we have resolved an issue where console connections from the engine could cause the engine to run out of memory, so your scan engines can remain available.

Coverage improvement | content

New coverage expands your visibility into assets and threats in your environment:

  • You can now scan your organization's assets against the CIS Windows Server 2012 R2 policy so you can determine your level of compliance against these policies.

Recurring coverage | content

  • New and updated vulnerability checks help you protect your environment against the latest threats. See all the operating systems and applications covered by these updates.

Installer links, md5sum links, and virtual appliance links

Click here for the latest installer links, md5sum links, and virtual appliance links.

Product Update IDs

  • Linux 64 | Update ID: 663811262
  • Windows 64 | Update ID: 397581391

Content update ID

  • Update ID: 3507899859

Attachments

    Outcomes