Securin's (previously CSW) Expert Discovers a Zero-Day Vulnerability in Tenable's Nessus Scanner

Published 2022-10-18 (last modified 2023-04-05)
Securin's expert has discovered a zero-day vulnerability of medium severity in Tenable's Nessus Professional scanner. The bug is classified as "Sensitive Information Disclosure," has been assigned the identifier CVE-2022-28291, and carries a CVSS v3 score of 6.5. It maps to the weakness enumeration CWE-522 (Insufficiently Protected Credentials).

CVE-2022-28291 allows an attacker to access credentials stored in Nessus scanners, potentially compromising the networks of the assets those scanners are configured to assess. An authenticated user with debug privileges can retrieve Nessus policy credentials in cleartext from the "nessusd" process by dumping the process and reading the sensitive information it holds in memory. This vulnerability affects all versions of Nessus Essentials and Professional.

We tested this vulnerability on Tenable's Nessus Professional 10.1.1 (#61) running on Windows.
1. Install Nessus Essentials or Professional, log on to the scanner, and create a Nessus policy with credentials using any Credential Type (in our case, Windows).

Figure 1: Creating the Nessus Policy with the Windows Credential Type

2. Run a credentialed scan using the created Nessus policy.

3. Create a process dump file of the "nessusd" process from the Windows Task Manager.

Figure 2: Creating the Process Dump of the "nessusd" Process

Figure 3: Created the Process Dump of the "nessusd" Process

4. Parse the dump file (.DMP) using the Sysinternals tool "Strings" and extract the lines containing the string "Login configurations."

Figure 4: Parsing the DMP File Using Strings and Extracting Credentials

5. The Nessus policy's Windows domain credentials are retrieved in cleartext and can be viewed in a text editor.

Figure 5: The Nessus Policy-Stored Windows Credentials Retrieved in Cleartext

Impact of the Vulnerability

Timeline