Problem
The Notifier resource is killed by a Tenable security scan.
Error Message
The CUPS daemon reports messages which look like an attempt to exploit the CUPS service in order to gain access.
May 3 16:09:37 server101 cups-lpd[4647]: [ID 732814 lpr.error] Unknown LPD command 0x00!
May 3 16:09:37 server101 cups-lpd[4647]: [ID 210702 lpr.error] Command line =
May 3 16:09:42 server101 cups-lpd[4668]: [ID 732814 lpr.error] Unknown LPD command 0x00!
May 3 16:09:42 server101 cups-lpd[4668]: [ID 210702 lpr.error] Command line =
May 3 16:09:45 server101 cups-lpd[4652]: [ID 732814 lpr.error] Unknown LPD command 0x00!
May 3 16:09:45 server101 cups-lpd[4652]: [ID 210702 lpr.error] Command line =
Shortly afterwards, engine_A.log shows the notifier resource being marked offline outside of VCS.
May 3 16:09:49 server101 AgentFramework[7413]: [ID 702911 daemon.notice] VCS ERROR V-16-2-13067 Thread(4) Agent is calling clean for resource(XX_NTFR) because the resource became OFFLINE unexpectedly, on its own.
May 3 16:09:49 server101 AgentFramework[7413]: [ID 702911 daemon.notice] VCS ERROR V-16-2-13067 Thread(4) Agent is calling clean for resource(XX_NTFR) because the resource became OFFLINE unexpectedly, on its own.
May 3 16:09:49 server101 Had[5802]: [ID 702911 daemon.notice] VCS ERROR V-16-2-13067 (server101) Agent is calling clean for resource(XX_NTFR) because the resource became OFFLINE unexpectedly, on its own.
May 3 16:09:49 server101 Had[5802]: [ID 702911 daemon.notice] VCS ERROR V-16-2-13067 (server101) Agent is calling clean for resource(XX_NTFR) because the resource became OFFLINE unexpectedly, on its own.
May 3 16:09:49 server101 AgentFramework[7413]: [ID 702911 daemon.notice] VCS ERROR V-16-2-13068 Thread(4) Resource(XX_NTFR) - clean completed successfully.
May 3 16:09:49 server101 AgentFramework[7413]: [ID 702911 daemon.notice] VCS ERROR V-16-2-13068 Thread(4) Resource(XX_NTFR) - clean completed successfully.
May 3 16:09:49 server101 AgentFramework[7413]: [ID 702911 daemon.notice] VCS ERROR V-16-2-13073 Thread(4) Resource(XX_NTFR) became OFFLINE unexpectedly on its own. Agent is restarting (attempt number 1 of 3) the resource.
The packet trace shows multiple attempts to exploit the system on port 14144.
Examples from Wireshark:
0000 01 02 00 00 00 00 00 51 00 00 00 03 00 00 00 02 .......Q........
0010 ff ff ff ff 00 00 00 00 45 00 00 51 1d fa 40 00 ........E..Q..@.
0020 3f 06 75 78 ac 1a 40 4a ac 1a 0f b6 9d e2 37 40 ?.ux..@J......7@
0030 a0 23 f2 94 c5 e2 63 8a 80 18 00 e5 8f 70 00 00 .#....c......p..
0040 01 01 08 0a af ba ef 6b 04 be 0b 91 72 65 71 75 .......k....requ
0050 65 73 74 3d 73 6d 74 70 64 5f 61 63 63 65 73 73 est=smtpd_access
0060 5f 70 6f 6c 69 63 79 0a 0a _policy..
0000 01 02 00 00 00 00 00 5b 00 00 00 03 00 00 00 02 .......[........
0010 ff ff ff ff 00 00 00 00 45 00 00 5b 21 e1 40 00 ........E..[!.@.
0020 3f 06 71 87 ac 1a 40 4a ac 1a 0f b6 9b cc 37 40 ?.q...@J......7@
0030 f5 35 e2 6c 06 18 4a 46 80 18 00 e5 ea 7f 00 00 .5.l..JF........
0040 01 01 08 0a af b9 c3 b4 04 bd ed 99 6c 6f 67 69 ............logi
0050 6e 20 73 71 75 65 65 7a 65 63 65 6e 74 65 72 5f n squeezecenter_
0060 63 6c 69 5f 64 65 74 65 63 74 2e 6e 61 73 6c 20 cli_detect.nasl
0070 31 33 0a 13.
Truss excerpt from notifier binary
V C S W A R N I N G
/4: V - 1 6 - 1 - 1 7 0 0 7 N o t i f i e r : e x i t b y N O
/4: T I F I E R _ D I S C O N N E C T m s g . C o n n e c t e d
/4: t o s e r v e r 1 0 1\n
Cause
When an nmap port scan is performed on port 14144 (on which the notifier process is listening), the notifier is killed because of the connection request.
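The correlation between the cups-lpd scan noise and the V-16-2-13067 notifier fault can be checked mechanically. The following is an added triage example, not Veritas code: the 60-second window, the year used for parsing, and the XX_DB line in the sample are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the syslog lines quoted in this article.
# The XX_DB line is invented to show a fault with no scan activity near it.
SAMPLE = """\
May 3 16:09:37 server101 cups-lpd[4647]: [ID 732814 lpr.error] Unknown LPD command 0x00!
May 3 16:09:45 server101 cups-lpd[4652]: [ID 732814 lpr.error] Unknown LPD command 0x00!
May 3 16:09:49 server101 AgentFramework[7413]: [ID 702911 daemon.notice] VCS ERROR V-16-2-13067 Thread(4) Agent is calling clean for resource(XX_NTFR) because the resource became OFFLINE unexpectedly, on its own.
May 3 16:09:49 server101 Had[5802]: [ID 702911 daemon.notice] VCS ERROR V-16-2-13067 (server101) Agent is calling clean for resource(XX_NTFR) because the resource became OFFLINE unexpectedly, on its own.
May 3 21:30:02 server101 Had[5802]: [ID 702911 daemon.notice] VCS ERROR V-16-2-13067 (server101) Agent is calling clean for resource(XX_DB) because the resource became OFFLINE unexpectedly, on its own.
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)\s+(\S+?)\[\d+\]:\s+(.*)$")
SCAN = re.compile(r"Unknown LPD command")
FAULT = re.compile(r"V-16-2-13067 .*resource\((\w+)\).*OFFLINE unexpectedly")

def parse(text, year=2000):
    """Yield (timestamp, host, process, message); syslog omits the year, so one is assumed."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)

def correlate(text, window=timedelta(seconds=60)):
    """Return (resource, host, fault_time, scan_hits) for faults preceded by scan noise."""
    scans, seen, findings = [], set(), []
    for ts, host, proc, msg in parse(text):
        if proc == "cups-lpd" and SCAN.search(msg):
            scans.append((ts, host))
            continue
        m = FAULT.search(msg)
        if not m or (m.group(1), host, ts) in seen:
            continue  # not a fault, or the same fault logged by a second daemon
        seen.add((m.group(1), host, ts))
        # Count scan signatures on the same host inside the window before the fault.
        hits = sum(1 for s, h in scans if h == host and timedelta(0) <= ts - s <= window)
        if hits:
            findings.append((m.group(1), host, ts.strftime("%H:%M:%S"), hits))
    return findings

if __name__ == "__main__":
    for resource, host, when, hits in correlate(SAMPLE):
        print(f"{host}: {resource} went offline at {when}, {hits} scan signature(s) in the prior 60s")
```

A match means the outage lines up with scanner traffic and should be compared against the scan schedule before being treated as an intrusion or an application fault.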
Solution
A patch has been released to prevent the agent crash when an nmap port scan is performed. This is currently available only for InfoScale 7.4.2 on Solaris 11. Please contact support for any current fix.