I run weekly vulnerability scans against a number of WebSeal 3.8 hosts in our network. In a recent vulnerability scan (9/1), nessus caused a number of WebSeal servers to hang at 100% cpu utilization. In recent scans (prior to 9/1), no problem occurred. However, nessus does not report any vulnerabilities. I am attempting to determine which plugins caused this result.
The only difference in the reports on 9/1 and those prior to 9/1 was that
nessus was able to enumerate the existence of SSL certificates on port
7234/tcp. If I block nessus from talking to webseal on 7234 (using
ipfilter on the scanner) the issue does not occur. If 7234 is removed from
the ipfilter, the DoS condition occurs again. This socket is also left in
a "CLOSE_WAIT" state on the webseal host.
The only changes to nessus prior to the scan was an update of the plugins.
Here are the plugins that were updated that week.
(See attached file: plugupdates.txt)
This is Nessus 1.2.0 for Linux 2.4.7-10smp
compiled with gcc version 2.96 20000731 (Red Hat Linux 7.1 2.96-98)
Current setup :
Experimental session-saving : enabled
Experimental KB saving : enabled
Thread manager : fork
nasl : 1.2.0
libnessus : 1.2.0
SSL support : enabled
SSL is used for client / server communication
Running as euid : 0
Thanks for any ideas you can provide.
-Rob.
plugupdates.txt
Description: Binary data
