Tenable Nessus 5.2.7 Parameter Tampering / Authentication Bypass

2014.07.22
Risk: High
Local: No
Remote: Yes
CWE: CWE-200


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Product: Nessus Vendor: Tenable Network Security Version: Nessus 5.2.3-5.2.7 - Web UI 2.3.4 (potentially lower) Vendor Notified Date: June 24, 2014 Vendor Resolved Date: June 25, 2014 Release Date: July 18, 2014 Risk: Medium Authentication: Not Required Remote: Yes Description: A parameter tampering vulnerability exists in Nessus 5.2.7 and potentially below that allows remote attackers to retrieve potentially sensitive information from the server via the Nessus Web UI. By not checking each parameter, an attacker can retrieve information meant for authenticated users. Successful exploitation of this vulnerability resulted in retrieving the following data without authentication, which can assist an attacker to launching further attacks: Plugin Set, Server uuid, Web Server Version, Nessus UI Version, Nessus Type, Notifications, MSP, Capabilities, Multi Scanner, Multi User, Tags, Reset Password, Report Diff, Report Email Config, Report Email, PCI Upload, Plugin Rules, Plugin Set, Idle Timeout, Scanner Boot time, Server Version, Feed, and Status. Exploit steps for proof-of-concept: 1. Navigate to http://vulnerablehost.com/server/properties?token= and observe the returned content. 2. Navigate to http://vulnerablehost.com/server/properties?token=1 and observe the newly returned content meant for authenticated sessions. Vendor Response: Fix was added to Web UI 2.3.5 on June 25, 2014. Reference: CVE-2014-4980 http://www.halock.com/blog/cve-2014-4980-parameter-tampering-nessus-web-ui/ http://www.tenable.com/security/tns-2014-05 Credit: Robert Gilbert HALOCK Security Labs


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top