New
- Fingerprinting. We added the ability for the Scan Engine to fingerprint the FortiGate-FortiManager (FGFM) communication protocol.
- DNS detection. We added the ability to detect DNS over TLS services.
Improved
- Server Name Indication (SNI) support. TLS protocol version and cipher suite detection now efficiently process hostname information when assets with a qualified domain name are scanned.
Customer Requested
- Updated Red Hat Enterprise Linux 7 STIG. We updated our Defense Information Systems Agency (DISA) Red Hat 7 STIG to version 3, release 7.
Fixed
- Shells that do not have language support are now functioning properly.
- SMTP and FTP now fingerprint correctly when run on non-default ports.
- Improved Oracle Weblogic patch fingerprinting to reduce false positives.
- Vulnerability findings for Sites, Scan Progress, and Completed Assets on Scan Details page are no longer misaligned.
- The Security Console now considers results from the Insight Agent when integrating Scan Engine data from unauthenticated scans to avoid reporting false positives when a more reliable assessment is available. To enable this functionality, set up a custom property in the Security Console's Administration page:
set custom property com.rapid7.nexpose.nsc.agent.vuln.correlation=true. - The following CIS policies now return accurate results:
- Apple macOS 13.0 version 1.0.0
- Apple macOS 12.0 version 2.0.0
- Apple macOS 11.0 version 3.0.0
Security Updates
- We fixed CVE-2023-1699, a vulnerability affecting the Security Console. This could have allowed attackers to force browsing of administration pages. This issue affects all Security Console versions up to and including 6.6.186. If your Security Console currently falls on or within this affected version range, ensure that you update your Security Console to the latest version. Special thanks to Casey Cooper for reporting this issue to Rapid7.