Nessus False Negative
Friday 16th March, 2012 11:20
I was a little bit surprised to discover that Tenable's Nessus had failed to identify support for SSLv2 on a few servers last week. It was definitely a false negative, as other tools showed that two ciphers were supported (Nmap, THCSSLCheck, Qualys SSL Labs, OpenSSL client). Nessus could accurately identify SSLv2 on a test server of mine, which suggested that there was some subtle quirk that Nessus wasn't expecting.
I contacted Nessus using their support portal. What followed was a quick, polite and professional exchange of messages. I was kept informed that their plugin development team were looking into the issue. They then asked me to send them some packet captures using the various tools, which I provided. Just over 48 hours later they informed me that they'd made a change that should fix the issue.
Almost exactly a year ago, I ran into a somewhat similar issue with a rival tool (I won't name names). That tool completely failed to identify SSLv2 support for an SMTPS server running on the standard TCP port 465. Again, the OpenSSL client negotiated an SSLv2 connection using DES-CBC3-MD5, so we knew it was a false negative (plus Nessus had correctly identified it during several test scans in the past, and it was a server I'd set up that I knew was vulnerable). We raised this with them, a colleague of mine even joined a conference call with one of their developers, and it was eventually determined that they basically didn't check for SSLv2 support for that service. They said it'd take a while to fix. In the end, it took over six months before they said they'd fixed it.
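Both false negatives came down to how a tool handled the SSLv2 handshake, so here is an added example (not from this post, Tenable, or any of the tools named) of the check the other tools were effectively doing: build an SSLv2 CLIENT-HELLO, parse the SERVER-HELLO, and list the cipher kinds the server offers, exercised on a constructed response carrying just the two ciphers of the "two ciphers" case above. The probe function, port default and sample record are assumptions for illustration, not captures from the post.

```python
import socket
import struct

# SSLv2 cipher-kind ids (from the SSL 2.0 specification) and their OpenSSL names.
SSLV2_CIPHERS = {
    0x010080: "RC4-MD5", 0x020080: "EXP-RC4-MD5",
    0x030080: "RC2-CBC-MD5", 0x040080: "EXP-RC2-CBC-MD5",
    0x050080: "IDEA-CBC-MD5", 0x060040: "DES-CBC-MD5",
    0x0700C0: "DES-CBC3-MD5",
}

def build_client_hello():
    """SSLv2 CLIENT-HELLO offering all seven cipher kinds, in a 2-byte record header."""
    specs = b"".join(struct.pack(">I", k)[1:] for k in SSLV2_CIPHERS)  # 3 bytes each
    challenge = b"\x00" * 16
    body = (b"\x01\x00\x02"                     # msg type 1, version 2.0
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_server_hello(record):
    """Cipher names in an SSLv2 SERVER-HELLO record; [] if the reply is not one."""
    if len(record) < 2 or not record[0] & 0x80:   # no SSLv2 2-byte header
        return []
    length = ((record[0] & 0x7F) << 8) | record[1]
    body = record[2:2 + length]
    if len(body) < 11 or body[0] != 0x04:        # msg type 4 = SERVER-HELLO
        return []
    cert_len, specs_len, _conn_len = struct.unpack(">HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    if len(specs) != specs_len or specs_len % 3:
        return []
    ids = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, specs_len, 3)]
    return [SSLV2_CIPHERS.get(k, "unknown-%06x" % k) for k in ids]

def probe_sslv2(host, port=465, timeout=5):
    """Send the CLIENT-HELLO to an implicit-TLS port such as SMTPS/465 and list any SSLv2 ciphers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        return parse_server_hello(sock.recv(4096))

# Constructed SERVER-HELLO (certificate omitted) offering only DES-CBC3-MD5 and RC4-MD5,
# the "two ciphers" case that tripped the scanner; not a capture from a real server.
_SAMPLE_BODY = (b"\x04\x00\x01\x00\x02" + struct.pack(">HHH", 0, 6, 16)
                + b"\x07\x00\xC0\x01\x00\x80" + b"\x00" * 16)
SAMPLE_SERVER_HELLO = struct.pack(">H", 0x8000 | len(_SAMPLE_BODY)) + _SAMPLE_BODY
```

A non-empty list from `probe_sslv2` against one of your own servers means it still completes an SSLv2 handshake regardless of what a scanner reports; a TLS alert or a STARTTLS-style banner yields an empty list.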
So well done and thank you Tenable.