Securin Zero-Days

CVE-2022-28291 - Sensitive Information Disclosure in Tenable Nessus Scanner

Vendor

Affected Product

CVE

Securin ID

Status

Date

Tenable

Nessus Professional

CVE-2022-28291

Pending Fix

May 2, 2022

Description

An authenticated user with debug privileges can retrieve stored Nessus policy credentials from the “nessusd” process in cleartext via process dumping. The affected products are all versions of Nessus Essentials and Professional. The vulnerability allows an attacker to access credentials stored in Nessus scanners, potentially compromising its customers’ network of assets.

Proof of Concept (POC):

We tested the following vulnerability on Tenable’s Nessus Professional 10.1.1 (#61) Windows.

Install Nessus Essentials or Professional, log on to the scanner, and create a Nessus policy with credentials using any Credential Type (in our case, it is Windows)

Figure 1: Creating the Nessus Policy with the Windows Credential Type

Run a credentialed scan using the created Nessus policy.
Create a process dump file of the process ‘nessusd’ from the Windows Task Manager.

Figure 2: Creating the Process Dump of the “nessusd” Process

Figure 3: Created the Process Dump of the “nessusd” Process

Parse the dump file (.DMP) using the Sysinternals tool “Strings” and extract information by extracting lines with the string “Login configurations.”

Figure 4: Parsing the DMP File Using Strings and Extracting Credentials

The Nessus policy’s Windows Domain Credentials have been retrieved in cleartext and viewed using a text editor application.

Figure 5: The Nessus Policy-Stored Windows Credentials Retrieved in Cleartext

Impact

An attacker can retrieve stored credentials in Nessus Policies in cleartext from the “nessusd” process.
An attacker can potentially compromise corresponding assets, internal domains, and networks with the retrieved credentials.
With disclosed credentials, an attacker can potentially compromise its associated assets and networks of an organization.

Remediations

Encrypt data in memory so that the retrieval of information through process dumping will require decryption.
Developers need to find a way to clear the memory location of the sensitive data to prevent persistent attacks on the main memory.
Developers need to ensure the memory location cannot be accessed by other applications, i.e., attempts through another processes to read or write.

Timeline

April 25, 2022

Discovered in Nessus Professional version 10.1.1 (#61)

May 02, 2022

Reported to Tenable’s team

June 02, 2022

Tenable proposed a potential fix in Nessus 10.4 or in a later release.

August 04, 2022

Tenable has deemed the reported vulnerability as an acceptable risk.

August 31, 2022:

Tenable performed additional reviews and acknowledged there would be no fix for this issue.

September 01, 2022

Tenable has agreed to raise a CVE for this submission.

October 18, 2022

MITRE publishes CVE-2022-28291

Let Securin level up your security posture!

Start Now

Securin Zero-Days

Let Securin level up your security posture!

Company