Securin Zero-Days

CVE-2022-28291 – Sensitive Information Disclosure in Tenable Nessus Scanner

Severity: Medium

Vendor

Tenable

Affected Product

Nessus Professional

CVE

CVE-2022-28291

Securin ID

-

Status

Pending Fix

Date

May 2, 2022

Description

An authenticated user with debug privileges can retrieve stored Nessus policy credentials in cleartext by dumping the memory of the “nessusd” process. All versions of Nessus Essentials and Professional are affected. The vulnerability allows an attacker to access credentials stored in Nessus scanners, potentially compromising the asset networks of Tenable’s customers.

Proof of Concept (POC):

We tested this vulnerability on Tenable’s Nessus Professional 10.1.1 (#61) on Windows.

  1. Install Nessus Essentials or Professional, log on to the scanner, and create a Nessus policy with credentials using any credential type (in our case, Windows).

Figure 1: Creating the Nessus Policy with the Windows Credential Type


  2. Run a credentialed scan using the created Nessus policy.
  3. Create a process dump file of the process ‘nessusd’ from the Windows Task Manager.

Figure 2: Creating the Process Dump of the “nessusd” Process


Figure 3: Created the Process Dump of the “nessusd” Process


  4. Parse the dump file (.DMP) using the Sysinternals tool “Strings” and extract the lines containing the string “Login configurations.”

Figure 4: Parsing the DMP File Using Strings and Extracting Credentials


  5. The Nessus policy’s Windows domain credentials have been retrieved in cleartext and can be viewed in a text editor.


Figure 5: The Nessus Policy-Stored Windows Credentials Retrieved in Cleartext

Impact

  • An attacker can retrieve stored credentials in Nessus Policies in cleartext from the “nessusd” process.

  • An attacker can potentially compromise corresponding assets, internal domains, and networks with the retrieved credentials.

  • With the disclosed credentials, an attacker can potentially compromise the organization’s associated assets and networks.

Remediations

  • Encrypt sensitive data while it is held in memory, so that information retrieved through a process dump still requires decryption.

  • Developers need to clear the memory holding sensitive data as soon as it is no longer needed, so that it does not persist in main memory.

  • Developers need to ensure that the memory location cannot be accessed by other applications, i.e., that another process cannot read or write it.
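The second remediation bullet in practice, as an added example that is not Securin’s or Tenable’s code: a hypothetical credential record is used once and then either left in memory, where a process dump searched with Strings would still reveal the password, or zeroized with a memset the compiler cannot optimize away. The structure, field names and sample credential are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical credential record standing in for a policy's login
   configuration. Not Nessus's own data structure. */
typedef struct {
    char username[64];
    char password[128];
} scan_credential;

/* Zeroization the optimizer cannot drop as a dead store: memset called
   through a volatile function pointer (CERT MSC06-C). Platform equivalents:
   SecureZeroMemory on Windows, explicit_bzero on glibc and the BSDs. */
static void *(*const volatile secure_memset)(void *, int, size_t) = memset;

void credential_wipe(scan_credential *c) {
    secure_memset(c, 0, sizeof *c);
}

/* Does the secret still occur anywhere in buf? This is what searching a
   process dump with `strings` or grep would find. */
int secret_present(const void *buf, size_t len, const char *secret) {
    const unsigned char *p = buf;
    size_t n = strlen(secret);
    for (size_t i = 0; n > 0 && i + n <= len; i++)
        if (memcmp(p + i, secret, n) == 0) return 1;
    return 0;
}

/* Stand-in for handing the credential to an authentication routine. */
static int authenticate(const scan_credential *c) {
    return c->username[0] != '\0' && c->password[0] != '\0';
}

/* Runs one scan-style use of a constructed sample credential and reports
   (1/0) whether the password is still findable in the record afterwards.
   wipe == 0: the record is simply left alone after use (the weak pattern);
   wipe == 1: the record is zeroized as soon as it is no longer needed. */
int password_lingers(int wipe) {
    scan_credential cred = {{0}, {0}};
    strcpy(cred.username, "CORP\\svc-scanner");           /* constructed */
    strcpy(cred.password, "S3cret-Example-Pass");         /* constructed */
    authenticate(&cred);
    if (wipe)
        credential_wipe(&cred);
    return secret_present(&cred, sizeof cred, "S3cret-Example-Pass");
}
```

The wipe covers only this one buffer; copies made by string routines, logging, or freed heap blocks need the same treatment, and restricting which accounts hold the debug privilege limits who can take the dump in the first place.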

Timeline

April 25, 2022: Discovered in Nessus Professional version 10.1.1 (#61)

May 02, 2022: Reported to Tenable’s team

June 02, 2022: Tenable proposed a potential fix in Nessus 10.4 or in a later release.

August 04, 2022: Tenable deemed the reported vulnerability an acceptable risk.

August 31, 2022: Tenable performed additional reviews and acknowledged there would be no fix for this issue.

September 01, 2022: Tenable agreed to raise a CVE for this submission.

October 18, 2022: MITRE published CVE-2022-28291.
