
Elevated Privilege Failures

by Andrew Freeborn
March 28, 2016

Organizations using Nessus gain a tremendous amount of detail about their environment, such as vulnerabilities, software in use, and the supporting hardware. Nessus gives analysts valuable insight into systems, helping them protect the organization. As with any piece of software or hardware, Nessus needs to be properly configured to ensure the best scan results are returned to the analyst. Each organization will have different methods of account management and different accounts that Nessus can use to SSH (secure shell) into systems.

Analysts create scans within Nessus for many tasks such as compliance, Windows patch verification, or general vulnerability scanning. Within scans for Linux/Unix based systems, analysts can configure the scans to use SSH username/password credentials. Configuring the scans to use SSH credentials allows Nessus to gather detailed information about the system.

If a Nessus scan is configured with SSH credentials for a regular user account, basic information about a system can be retrieved. However, an SSH scan can also be given a regular user account along with “su/sudo” credentials. The “su/sudo” SSH credentials allow the user to gain higher privileges on the system with an administrator or root account.

When Nessus attempts to connect to a system with SSH, the first set of credentials is used to make a connection. Once Nessus is able to create a session with SSH, Nessus will try to elevate privileges with “su/sudo” to retrieve further information about the system. If Nessus is unable to perform this action, Nessus plugin 12634 will report that the attempt to elevate permissions was unsuccessful. This report stems from a post by Tenable CEO Ron Gula about the capabilities of this plugin and the value of this information to analysts (https://discussions.nessus.org/message/14694).

This report identifies scans that used Nessus plugin 12634 with the specific failure message within the plugin output. With this report, analysts can identify systems that did not have adequate permissions to do in-depth scanning of systems with SSH username/password credentials. Along with each system identified with this plugin, the details of the plugin are provided to further assist analysts in remediating the SSH credential issue. To ensure there is no confusion, this report only addresses “su/sudo” failures when Nessus attempts to elevate privileges from a scan. This report does not address attempts from users who try to elevate privileges with “su/sudo” and are unsuccessful.
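The same check can be run against an exported scan file. The following is an added example, not part of the SecurityCenter report or any Tenable code: it reads a .nessus (v2 XML) export and lists hosts whose plugin 12634 output matches a failure pattern. The page does not quote the failure message, so the pattern and the embedded sample export are assumptions to adjust against real plugin output.

```python
import re
import xml.etree.ElementTree as ET

PLUGIN_ID = "12634"  # plugin named on this page
# ASSUMPTION: the page does not give the exact failure wording; tune this
# pattern to the text your Nessus version writes into the plugin output.
FAILURE_PATTERN = re.compile(
    r"(failed|unable|not possible) to (elevate|escalate) privileges", re.I)

# Constructed sample in the .nessus v2 export layout (hosts and text invented).
SAMPLE_EXPORT = """<NessusClientData_v2><Report name="constructed-sample">
<ReportHost name="10.0.0.11">
  <ReportItem pluginID="12634" port="0"><plugin_output>
Login as scanuser succeeded.
Nessus was unable to elevate privileges with sudo.
  </plugin_output></ReportItem>
</ReportHost>
<ReportHost name="10.0.0.12">
  <ReportItem pluginID="12634" port="0"><plugin_output>
Local checks have been enabled for this host.
  </plugin_output></ReportItem>
</ReportHost>
<ReportHost name="10.0.0.13">
  <ReportItem pluginID="99999" port="0"><plugin_output>
Another plugin: failed to elevate privileges.
  </plugin_output></ReportItem>
  <ReportItem pluginID="12634" port="0"/>
</ReportHost>
</Report></NessusClientData_v2>"""

def elevation_failures(xml_text, pattern=FAILURE_PATTERN):
    """Return [(host, matching_line)] for plugin 12634 results that match."""
    hits = []
    # Parse only exports produced by your own scanner; treat others as untrusted XML.
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            if item.get("pluginID") != PLUGIN_ID:
                continue  # same wording from other plugins is out of scope
            output = item.findtext("plugin_output") or ""  # element may be absent
            match = next((l.strip() for l in output.splitlines()
                          if pattern.search(l)), None)
            if match:
                hits.append((host.get("name"), match))
    return hits

if __name__ == "__main__":
    for name, line in elevation_failures(SAMPLE_EXPORT):
        print(f"{name}: {line}")
```

Hosts returned by this check were scanned with only the regular account's view, so their results should be treated as incomplete until the “su/sudo” credentials are corrected and the scan is rerun.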

The report is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The report can be easily located in the SecurityCenter Feed under the category Monitoring. The report requirements are:

  • SecurityCenter 4.8.2
  • Nessus 6.5.5
  • This report requires “Full Text Search” to be enabled for each analyzed repository.

Tenable provides continuous network monitoring to identify vulnerabilities, reduce risk, and ensure compliance. Our family of products includes SecurityCenter Continuous View (CV), Nessus, Passive Vulnerability Scanner (PVS), and Log Correlation Engine (LCE). SecurityCenter CV provides the most comprehensive and integrated view of network health, and is the global standard in detecting and assessing network data.

This report contains the following chapters:

  • Executive Summary: This chapter provides an overview of systems detected in the organization that could not elevate SSH permissions
  • Elevated Privileges Failures: This chapter provides details of the hosts identified with Nessus plugin 12634