[R4] Tenable Nessus Web UI /server/properties token Parameter Remote Information Disclosure

Info

Synopsis

Nessus was found to be vulnerable to a parameter tampering issue that could result in a limited information disclosure. The issue is due to the web server's /server/properties resource including information meant for authenticated users. This resource is designed to provide limited information about the scanner for API requests. However, manipulation of the 'token' parameter would result in it returning additional information about the scanner, primarily the version of the Plugin feed and a few other minor details. Of the list of items disclosed, most of it is intended to be disclosed and poses no risk to the system and does not cross privilege boundaries. The few items disclosed that may constitute a disclosure include the Plugin set (the version of the plugins installed), Notifications (basically indicates if Nessus 5.0 or 5.2), Scanner Boot Time (could be useful in timing attacks against other parts of system), and Status (if the scanner is currently processing plugins).

* Please note that according to the CVSSv2 guidelines, a partial confidentiality disclosure consists of "considerable informational disclosure. Access to some system files is possible, but the attacker does not have control over what is obtained, or the scope of the loss is constrained. An example is a vulnerability that divulges only certain tables in a database". By this definition, Tenable does not agree that this issue warrants a 'partial confidentiality' rating. As such, we are rating this as 'none' which puts the CVSSv2 score at 0.0. Unfortunately, this is a limitation of CVSS in scoring as there is no way to abstract between a very minor information disclosure (e.g. server banner, path disclosure) versus something more serious. We recognize that this issue may pose a small risk in some environments. Finally, as always, Tenable recommends that Nessus web server interfaces not be exposed to external networks unless absolutely required.

Solution

Tenable has released Web UI 2.3.5, available for Nessus 5.x that addresses this issue. Customers do not need to do anything special to receive this update, as it was distributed as part of the plugin feed around June 26.

This page contains information regarding security vulnerabilities that may impact Tenable's products. This may include issues specific to our software, or due to the use of third-party libraries within our software. Tenable strongly encourages users to ensure that they upgrade or apply relevant patches in a timely manner.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email advisories@tenable.com