{"id":12073,"date":"2022-10-18T02:52:08","date_gmt":"2022-10-18T09:52:08","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=12073"},"modified":"2023-04-05T12:26:00","modified_gmt":"2023-04-05T19:26:00","slug":"securin-expert-discovers-a-zero-day-vulnerability-in-tenables-nessus-scanner","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/securin-expert-discovers-a-zero-day-vulnerability-in-tenables-nessus-scanner\/","title":{"rendered":"Securin’s (previously CSW) Expert Discovers a Zero-Day Vulnerability in Tenable\u2019s Nessus Scanner"},"content":{"rendered":"\t\t
Securin’s expert has discovered a zero-day vulnerability of medium severity in Tenable’s Nessus Professional scanner. The bug has been classified as ‘Sensitive Information Disclosure’, assigned the CVE identifier CVE-2022-28291, and given a CVSS v3 severity score of 6.5. It has been mapped to the weakness enumeration CWE-522 (Insufficiently Protected Credentials).

How Could This Vulnerability Be Exploited?

CVE-2022-28291 allows an attacker to access credentials stored in Nessus scanners, potentially compromising the customer’s network of assets. An authenticated user with debug privileges can retrieve Nessus policy credentials in cleartext from the ‘nessusd’ process by dumping the process memory, and thereby gain access to sensitive information. This vulnerability affects all versions of Nessus Essentials and Professional.

Proof of Concept

We tested the vulnerability on Tenable’s Nessus Professional 10.1.1 (#61) on Windows.

1. Install Nessus Essentials or Professional, log on to the scanner, and create a Nessus policy with credentials using any Credential Type (in our case, Windows).

Figure 1: Creating the Nessus Policy with the Windows Credential Type

2. Run a credentialed scan using the created Nessus policy.

3. Create a process dump file of the ‘nessusd’ process from the Windows Task Manager.

Figure 2: Creating the Process Dump of the “nessusd” Process

Figure 3: The Created Process Dump of the “nessusd” Process

4. Parse the dump file (.DMP) with the Sysinternals tool “Strings” and extract the lines containing the string “Login configurations.”

Figure 4: Parsing the DMP File Using Strings and Extracting Credentials

5. The Nessus policy’s Windows domain credentials are retrieved in cleartext and can be viewed in a text editor.

Figure 5: The Nessus Policy-Stored Windows Credentials Retrieved in Cleartext

Impact of the Vulnerability

  • An attacker can retrieve credentials stored in Nessus policies in cleartext from the “nessusd” process.
  • An attacker can potentially compromise the corresponding assets, internal domains, and networks with the retrieved credentials.
  • With the disclosed credentials, an attacker can potentially compromise an organization’s associated assets and networks, leading to infiltration and breach.

Timeline

    • April 25, 2022: Securin’s expert discovered CVE-2022-28291 in Nessus Professional version 10.1.1 (#61)
    • May 02, 2022: Reported to Tenable’s team
    • June 02, 2022: Tenable proposed a potential fix in Nessus 10.4 or in a later release
    • August 04, 2022: Tenable deemed the reported vulnerability an acceptable risk
    • August 31, 2022: Tenable performed additional reviews and acknowledged there would be no fix for this issue
    • September 01, 2022: Tenable agreed to raise a CVE for this submission
","protected":false},"excerpt":{"rendered":"

      Securin experts have discovered a Zero Day vulnerability with medium severity in Tenable\u2019s Nessus Professional scanner.<\/p>\n","protected":false},"author":1,"featured_media":14308,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":""},"categories":[80,154],"tags":[],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/12073"}],"collection":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/comments?post=12073"}],"version-history":[{"count":11,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/12073\/revisions"}],"predecessor-version":[{"id":17367,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/12073\/revisions\/17367"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media\/14308"}],"wp:attachment":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media?parent=12073"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/categories?post=12073"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/tags?post=12073"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}