Has anyone had issues with Tenable not being able to detect updates to Adobe Digital Editions?
The issue: Tenable says you need to update Adobe Digital Editions from 4.5.11.0 to 4.5.11.187303.
However, if you open Adobe Digital Editions, click Help > About... you will find that you have the correct version.
Further digging: If you look at the DigitalEditions.exe File properties ("C:\Program Files\Adobe\ Digital Editions" on 32bit Systems), you will see that it still shows 4.5.11.0.
So Tenable is right to think you have a vulnerable version installed.
Now on to the fun part. If you review the Adobe Security Bulletin, it says
File enumeration (host or local network) under Vulnerability Details.
I am being forced to remove this application from all workstations because of the false positive, but I can't for the life of me understand why the developers do not update the file version on the .exe during updates.
Has anyone else run into this? Has anyone else convinced management that this is either an Adobe issue, Tenable issue, or both?
Has anyone else called customer service to see if we can get this fixed?
Adobe, is there anything you can do, or do I need to just remove the product until you release a new version?
Hello,
Old topic, I know. But we have the same problem. I called customer service but they were not able to help. Is there any news?
Nothing. Still complete silence from Adobe and from Tenable. Adobe is the one that needs to do the job. If I had the source code or the code signing cert, I would just do it myself.
This continues to be a problem that is ignored by Adobe, and to make matters more interesting, Adobe soft published a new finding for its own product but did not actually make the download easily accessible. So just FYI for every person who has installed this fresh since March 2023, you are installing a vulnerable version of this software, unless you download it from this location:
https://assets.adobe.com/public/e3041f65-a1fd-4a36-4e03-dfddd4b0d0ec
You can read about the finding here:
https://helpx.adobe.com/digital-editions/kb/security-update-april-2023.html
Adobe, retire this product if you do not plan to keep it updated with best practices followed. (THIS INCLUDES VERSIONING PROPERLY!)
Do we need to start looking for vulnerabilities within the product for the company to take this seriously?
Yes, and here is how we fixed it. We do a post-install registry update to set the correct version number, 4.5.11.187658 build that is current as of April 2023, in two registry keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Adobe\Adobe Digital Editions 4.5]
"ProductVersion"="4.5.11.187658"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Digital Editions 4.5]
"DisplayVersion"="4.5.11.187658"
Attached to this post is a registry import file. Remove the ".txt" from the end of the file and import it to correct the errors in the two keys found in the installer.
The good news is I reported this problem through Adobe's Incident Response team and I just got an email back that the team will be fixing this problem, that has been in the installer for several years, in the next release due in July 2023.
From what I can tell the Tenable Nessus plugin looks specifically at the version info on the DigitalEditions.exe in
It does not use the registry for this detection. I write custom registry keys already when I have successful installation of products so I can track their install versions when dealing with bad coding.
"Plugin Output:
Path : C:\Program Files (x86)\Adobe\Adobe Digital Editions 4.5
Installed version : 4.5.11.0
Fixed version : 4.5.11.187303"
Tenable Plugins:
174126
135695
Did they give a timeline? Also how did you contact them, I 100% need this secret sauce as I tried contacting both Tenable and Adobe about this 2 years ago.
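Added example, not part of any post in this thread: a PowerShell check that reads the version from each place discussed above (the DigitalEditions.exe version resource shown in the plugin output, and the two registry values from the earlier reply) and compares each to the plugin's fixed version. The install path, registry keys and fixed version are the ones quoted in the thread; the function and variable names are made up for this example.

```powershell
# Added example: report every version source for Adobe Digital Editions and
# compare each to the fixed build, to show where the sources disagree.
# Path, registry keys and fixed version are the values quoted in this thread.
param(
    [string]$InstallDir    = 'C:\Program Files (x86)\Adobe\Adobe Digital Editions 4.5',
    [version]$FixedVersion = '4.5.11.187303'
)

$adeKey       = 'HKLM:\SOFTWARE\WOW6432Node\Adobe\Adobe Digital Editions 4.5'
$uninstallKey = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Digital Editions 4.5'

function Get-RegValue {   # hypothetical helper name
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value is absent instead of raising an error.
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

$sources = [ordered]@{}
$exe = Join-Path $InstallDir 'DigitalEditions.exe'
if (Test-Path -LiteralPath $exe) {
    # Version resource of the binary; per the thread, this is what the plugin reports.
    $info = (Get-Item -LiteralPath $exe).VersionInfo
    $sources['EXE FileVersion']    = $info.FileVersion
    $sources['EXE ProductVersion'] = $info.ProductVersion
} else {
    $sources['EXE FileVersion'] = $null
}
$sources['Registry ProductVersion']  = Get-RegValue $adeKey 'ProductVersion'
$sources['Uninstall DisplayVersion'] = Get-RegValue $uninstallKey 'DisplayVersion'

$report = foreach ($s in $sources.GetEnumerator()) {
    $parsed = $null
    # Some version resources are written "4, 5, 11, 0"; normalise before parsing.
    $text = ("$($s.Value)").Trim() -replace '\s*,\s*', '.'
    $status = if (-not $text) { 'missing' }
        elseif (-not [version]::TryParse($text, [ref]$parsed)) { 'unparsable' }
        elseif ($parsed -lt $FixedVersion) { 'below fixed version' }
        else { 'at or above fixed version' }
    [pscustomobject]@{ Source = $s.Key; Value = $s.Value; Status = $status }
}
$report | Format-Table -AutoSize

# Differing values across sources is the mismatch this thread describes.
$distinct = @($report | Where-Object Value | ForEach-Object { $_.Value } | Select-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "Version sources disagree: $($distinct -join ', ')"
}
```

Running it before and after a registry-only correction shows that the registry rows change while the EXE rows stay at whatever the binary's version resource says.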
In this case I contacted the Adobe Product Security Incident Response Team (PSIRT) as my concern was that vulnerability management tools were showing the product to be vulnerable even when fully updated due to the installer errors. There was also a related issue where they had multiple versions of the installer posted online, some that still had the latest vulnerabilities. This seemed to be enough for the PSIRT to get the product team to fix these two issues as they were directly related to security issues. This approach would not work in most cases, but it does when the underlying problem is a security issue.
Adobe just released a new version of ADE (4.5.12) and this time it is a minor version upgrade instead of a build version upgrade. They did this specifically to address the issue that asset management and vulnerability management tools were not able to correctly detect the installed version because in the past the installer was not correctly setting the required registry keys. The download page with the new build is at ADOBE DIGITAL EDITIONS Download - https://www.adobe.com/