2021-04-30: Greenbone OS 21.04
Aktuellster Patch-Level: 21.04.4 (12.07.2021)
- Greenbone OS:
- Bugfix: Upgrading to GOS 21.04.3 on a GSM 400, 450, 600, 650, 5300, 5400, 6400 or 6500 showed a false positive integrity selfcheck problem (#PL-561).
- Bugfix: Enabled the GOS upgrade functionality, if GOS is in the status “retired” or “end-of-life” (#PL-536).
- Minor improvement: Added a dedicated method to require a reboot after a GOS upgrade (#PL-531).
- Minor improvement: The GSM manual included in GOS has been updated to the current version from 2021-07-09 (#PL-562).
- Greenbone OS:
- Bugfix: When using the new GOS network mode, user-defined routes are now created with the ‚onlink‘ parameter as a fallback and only if the route creation fails without the parameter. This may solve some specific route creation errors (#PL-541).
- Bugfix: The download of beaming images failed on GSM models ONE and TRIAL (#PL-547).
- Minor improvement: The GSM manual included in GOS has been updated to the current version from 2021-07-07 (#PL-558).
- Minor improvement: The expiration dates for the feed signing and support package encryption keys have been extended until 2023-02-28 (#PL-460, #PL-461).
- Vulnerability Management:
- Bugfix: If the trend of VT families in scan configs was set to include and activate new VTs automatically after a feed update, preferences for VTs in these families were not applied correctly. This could prevent the disabling of the brute force and default login checks for the „Full and …“ configs, for example (#AP-1490, #2021061510000153).
- Bugfix: When resuming a scan task with multiple target hosts, scan results for hosts scanned before resuming the task were duplicated (#AP-1476).
- Greenbone OS:
- Bugfix: When using the new GOS network mode, the deletion of certain routes could fail (#PL-514, #2021052610000027).
- Bugfix: When using the new GOS network mode, the configuration of a global gateway failed if it was located in another network and could only be reached via a user-defined route (#PL-529, #2021060410000012).
- Bugfix: A false positive selfcheck warning could occur when switching to the new GOS network mode (#PL-445).
- Bugfix: Beaming images could not be created if the network interface eth0 was not used (#PL-482, #2021051010000075).
- Bugfix: If the restoration of a backup failed due to an error, the incron service would also fail (#PL-493).
- Bugfix: If the restoration of a backup failed due to an error, the system integrity check could fail (#PL-489).
- Minor bugfix: When importing a certificate authority (CA) file for the VPN feature, the file had the wrong permissions (#PL-476).
- Minor bugfix: When importing a certificate authority (CA) file for the VPN feature, it is now checked whether the file is a certificate file before processing it (#PL-475).
- Minor improvement: The GOS superuser password may now contain all printable ASCII characters (#PL-169).
- Minor improvement: For the integrated web server, GZIP HTTP compression has been replaced by HTTP/2 compression (#PL-496, #2021051810000051).
- Minor improvement: The postgres configuration file is now included in the GOS support package for debugging purposes (#PL-426).
- Minor improvement: The GSM manual included in GOS was updated to the current version from 2021-06-04 (#PL-528).
- Vulnerability Management:
- Improvement: The hash algorithm used for GVM user passwords has been updated from MD5 to SHA-512. Password hashes for new users will automatically use the new algorithm. Passwords hashes for existing users will be automatically updated using the new algorithm when a user logs in or when the password of a user is changed (#AP-1254).
- Bugfix: The error „Whole-only families must include entire family and be growing“ occured when editing and saving any „Full and …“ scan config (#AP-1359, #2021052610000045).
- Bugfix: Scans could get stuck if the target had a HTTPS certificate with a subject DN containing invalid UTF-8 characters (#AP-929).
- Bugfix: In some cases reports could not be displayed in the web interface due to missing severity elements (#AP-1427, #AP-1434, #2021051010000011).
- Bugfix: Overrides and notes could not be created directly from results (#AP-1353, #AP-1407, #2021052110000018).
- Bugfix: When importing a GOS 20.08 backup with GMP scanners in GOS 21.04, the scanners would be migrated to OpenVAS scanners. They are now migrated to Greenbone Sensors as expected (#AP-1323).
- Bugfix: When saving changes to multiple schedules at once, a double free error occured (#AP-1424).
- Bugfix: The time of day was ignored in the filter term „created“ in the web interface (#AP-1162).
- Bugfix: In the „Create Multiple Permissions“ dialog in the web interface, the drop-down menu for selecting the affected resources did not work (#AP-1379, #2021051110000073).
- Minor bugfix: Saving schedules that had only a number as a name was not possible (#AP-933, #2021020210000087).
- Minor bugfix: When sorting SecInfo items by severity in the web interface, the severity „N/A“ is now sorted below „0.0“ (#AP-1267).
- Minor improvement: When creating a new scanner in the web interface, the default type is now „Greenbone Sensor“ (#AP-1318).
- Minor improvement: The Vulnerabilities page in the web interface is now sorted in descending order of severity by default (#AP-1296).
- Minor improvement: The cookie used by the web interface now has the attribute „SameSite=Strict“ set (#AP-1433, #2021051810000051).
- Vulnerability Scanning:
- Improvement: Scans in the queue are now started at an interval of one minute to avoid overloading the system by starting too many scans at once (#SC-215).
- Bugfix: If the scanner process was terminated unexpectedly, it was not restarted automatically when required (#SC-226, #2021051010000011).
- Greenbone OS:
- Bugfix: When using the new GOS network mode, DHCPv6 and a Global Gateway with an IPv6 address at the same time, an error occured (#PL-450).
- Bugfix: When using the new GOS network mode and a network route containing ‚::/0‘, an error occured (#PL-468, #GS-41, #2021050710000189).
- Bugfix: When using the new GOS network mode and DHCPv6, if all DHCP requests timed out, the network manager entered a failed state (#PL-397).
- Bugfix: When using the new GOS network mode and saving IPv6 configuration changes, „Getting system network status failed“ messages could appear in the logs (#PL-469, #GS-39).
- Bugfix: When restoring an incremental backup, the system state was not restored completely (#PL-483).
- Bugfix: When restoring a USB backup with the network mode ‚gnm‘, the mode was sometimes set to ‚default‘ (#PL-431).
- Bugfix: When importing a beaming image, the authorized host keys integrity check could fail afterwards (#PL-408).
- Bugfix: On some GSM 35 appliances, the ‚gsm-hardware‘ package was erroneously removed when upgrading to GOS 21.04, causing the appliances not to boot (#PL-464, #GS-29, #GS-35, #2021050510000058).
- Bugfix: On the GSM TRIAL appliance, the ‚texlive-fonts-recommended‘ package was erroneously removed with GOS 21.04.0, causing missing text in PDF reports (#PL-470).
- Bugfix: On appliances that received their feed via the USB airgap feature, and had no prior feed present, starting system upgrades failed (#PL-435).
- Bugfix: For the VPN feature, the deprecated ‚comp-lzo‘ option has been disabled to prevent a traceback when uploading certain PKCS#12 files (#PL-455).
- Bugfix: The feed or upgrade push from a GSM master appliance to a GSM sensor appliance could show a false positive error in the logs (#PL-486).
- Minor improvement: The PKCS#12 file required for the VPN feature no longer needs to contain a certificate authority (CA) file. PKCS#12 files that contain only a certificate and a key can now be uploaded. In addition, a new GOS menu option to upload a single certificate authority (CA) file has been added (#PL-455).
- Minor improvement: The maximum password length for the GOS mail settings has been increased to 128 characters (#PL-436).
- Minor improvement: A selfcheck has been added to show possible inconsistencies of the GOS network state (#PL-299).
- Minor improvement: The notifications for the new GOS network mode have been made more detailed as well as easier to understand (#PL-454, #PL-466).
- Minor improvement: Subject alternative name fields have been added to the remote syslog certificate generation menu (#PL-418).
- Minor improvement: A subject alternative name has been added to the default HTTPS certificate of the GSM TRIAL (#PL-443).
- Minor improvement: The subject alternative name fields for E-Mail and URI are now checked for correct input (#PL-409, #PL-410).
- Minor improvement: The Greenbone Vulnerability Manager permission cache is now rebuilt during each GOS upgrade. This can prevent some permission problems which cause incomplete information to be shown in the web interface (#PL-421).
- Minor improvement: The GOS state variable ’scanner_connection_retry‘ has been added. With this variable it is possible to control the number of retries that are made when the master-sensor connection fails during a scan (#PL-446).
- Minor improvement: The log files for the beaming feature are now included in the GOS support package for debugging purposes (#PL-426).
- Minor improvement: The GSM manual included in GOS was updated to the current version from 2021-05-17 (#PL-484).
- Vulnerability Management:
- Bugfix: For results of CVE scan reports, the result names were missing (#AP-1305).
- Bugfix: Changing the result UUID of an existing note was not possible (#AP-1124).
- Bugfix: Editing the RADIUS secret key in the web interface was not possible (#AP-1275).
- Vulnerability Scanning:
- Bugfix: When scanning targets with virtual hosts (vhosts), not all virtual host names were detected (#SC-194).
With GOS 21.04, two new report format are introduced: Vulnerability Report PDF and Vulnerability Report HTML.
The new report formats are modern and clear in appearance and structure. They contain information about all vulnerabilities found.
With GOS 21.04, CVSS v3.0/v3.1 is supported. The extent of the CVSS v3.0/v3.1 support depends on the Greenbone Security Feed.
However, VTs and CVEs may contain CVSS v2 and/or CVSS v3.0/v3.1 data. If a VT/CVE contains both CVSS v2 data and CVSS v3.0/v3.1 data, the CVSS v3.0/v3.1 data is always used and shown.
The page CVSS Calculator now contains both a calculator for CVSS v2 and a calculator for CVSS v3.0/v3.1.
The CVSS Base Vector shown in the details preview and on the details page of a VT can now be v2, v3.0 or v3.1.
The table on the page CVEs now contains the entries Name, Description, Published, CVSS Base Vector and Severity. The CVSS Base Vector can be v2, v3.0 or v3.1. Clicking on the CVSS base vector opens the page CVSS Calculator. The input boxes of the corresponding calculator are already pre-filled.
- Boreas Alive Scanner
The Boreas alive scanner is a host alive scanner that identifies the active hosts in a target network. It was introduced with GOS 20.08, but was still optional. With GOS 21.04, the Boreas alive scanner is made default.
In comparison to the port scanner Nmap that was traditionally used, the Boreas alive scanner is not limited regarding the maximum number of concurrently performed alive status scans and thus, faster. It is especially suitable for large network ranges with only a small number of active hosts.
- Hardware Appliances
With GOS 21.04, a new generation of Midrange hardware appliances is introduced.
The new hardware now uses SSD-type hard drives instead of HDDs, which are 10 times faster and also quieter and lighter. There is also more hard drive space available. The RAM type is now DDR4 instead of DDR3, which makes the RAM much faster due to a higher clock rate (3200 MHz). There is also twice to four times as much RAM available. Additionally, a new, faster CPU of the latest generation has been installed.
Additionally, the ports of the appliances changed from 6 ports GbE-Base-TX and 2 ports 1 GbE SFP to 8 ports GbE-Base-TX and 2 ports 10 GbE SFP+.
The product names remain as they are.
- Virtual Appliances
The officially supported hypervisors for the virtual appliances are changed with GOS 21.04.
The GSM EXA/PETA/TERA/DECA and 25V can be used with Microsoft Hyper-V, VMware vSphere Hypervisor (ESXi) and Huawei FusionCompute.
The GSM CENO can be used with Microsoft Hyper-V and VMware vSphere Hypervisor (ESXi).
The GSM ONE can be used with Oracle VirtualBox, VMware Workstation Pro and VMware Workstation Player.
Additionally, GOS 21.04 supports the ARM instruction set on Huawei FusionCompute.
- Scanning Through a VPN
With GOS 21.04, OpenVPN is integrated in GOS to enable scanning through a Virtual Private Network (VPN).
This feature is only available on virtual appliances of the Midrange Class. The VPN feature allows for targets that are reachable via the VPN tunnel to be scanned, but has no effect on other targets, network settings, or master-sensor connections.
The VPN connection is configured and established via the GOS administration menu using the IP address of the VPN and a PKCS#12 file containing the necessary certificate authority, certificate, and private key files.
The menus under Setup > Services > HTTPS > Certificate > Generate and Setup > Services > HTTPS > Certificate > CSR allow the configuration of a Subject Alternative Name (SAN).
- Network Backend
With GOS 21.04, the network configuration backend in GOS is improved. This prevents loss of connectivity in specific network setups as well as connection issues with SSH sessions.
The GSM no longer needs to be restarted after specific network settings have been changed.
The networking mode can be updated to the new mode gnm directly after upgrading to GOS 21.04. If the networking mode is not updated directly after upgrading, it can be changed in the new menu under Setup > Network > Switch Networking Mode.
- Simultaneous Scanning via Multiple IP Addresses
Some devices – especially IoT devices – may crash when scanned via several IP addresses at the same time. For example, this can happen if the device is connected via IPv4 and IPv6.
With GOS 21.04, it is possible to avoid scanning via several IP addresses at the same time using the new setting Allow simultaneous scanning via multiple IPs when creating a target.
The default of this setting is Yes and reflects the behavior of previous GOS releases.