SecurityTracker.com
Category:   Application (Security)  >   Tenable Nessus
Vendors:   Deraison, Renaud et al
Nessus Discloses Remote Account Passwords to Local Users
SecurityTracker Alert ID:  1009575
SecurityTracker URL:  http://securitytracker.com/id/1009575
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 29 2004
Impact:   Disclosure of authentication information
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 2.0.10a and possibly other versions
Description:   An access control vulnerability was reported in Nessus. A local user can obtain passwords used by the Nessus scanner in conducting network scans.

It is reported that the software stores usernames and passwords in plaintext in the '.nessusrc' configuration file on the target system. The information includes passwords for FTP, IMAP, POP2, POP3, NNTP, SNMP, and SMB (Windows NT Domain) accounts, the report said.

The vendor was reportedly notified on December 4, 2003.

Impact:   A local user can obtain passwords for accounts to be scanned by Nessus.
Solution:   No solution was available at the time of this entry. According to the report, the vendor does not consider this to represent a security risk.
Vendor URL:  www.nessus.org/
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] Nessus stores credentials in plain text


I have posted this issue to a couple entities like bugtraq and CERT with
no response.  I mentioned this issue to an organization today which was
considering using Nessus as a vulnerability scanner to assess their
network security issues and this was in violation with their security
policy so they are reconsidering using it.  Please read below...


Software Vendor: Nessus (www.nessus.org)
Software Package: Nessus
Versions Affected: 2.0.10a (possibly others)
Synopsis: Username and password for various accounts stored in unencrypted plain text

Issue Date: Feb 22, 2004

Vendor Response: Vendor notified December 4, 2003
   Vendor declined to resolve issue

================================================================================

1. Summary

The open source Nessus Vulnerability scanner stores the credentials of
various types of accounts in unencrypted plain text in a configuration file.

2. Problem Description

The .nessusrc file stores username and password information for various types
of accounts in unencrypted plain text.  Those parameters are typically set from
the native nessus client but also can be added manually.  When setting these parameters
from the Nessus client, the user is also not informed of this sensitive information
being stored insecurely.  This potentially affects the following types of accounts:

FTP
IMAP
POP2
POP3
NNTP
SNMP
SMB (Windows NT Domain)

3. Solution

None at this time.  A lengthy discussion with the vendor resulted in the vendor's
decision that this was not a security risk that warrants resolution.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
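
A defender-side check for the condition described above, added here as an example (not code from SecurityTracker, the reporter, or the Nessus project): it reports whether a '.nessusrc' file holds non-empty credential preferences and whether anyone other than the owner can access it, then restricts it to mode 0600. The `key = value` preference layout, the key-name pattern and the sample contents are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Assumption: preferences are "<key> = <value>" lines and credential keys
# contain "password" or "community" (SNMP); adjust to the file you audit.
SECRET_KEY = re.compile(r"password|community", re.IGNORECASE)

def secret_keys(text):
    """Return the names of keys holding a non-empty secret (never the values)."""
    found = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and SECRET_KEY.search(key) and value.strip():
            found.append(key.strip())
    return found

def audit(path):
    """Report the file mode, group/other access, and which secrets are stored."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8", errors="replace") as fh:
        keys = secret_keys(fh.read())
    exposed = bool(mode & (stat.S_IRWXG | stat.S_IRWXO))
    return {"mode": oct(mode), "exposed": exposed, "secret_keys": keys}

def harden(path):
    """Restrict the file to its owner (0600)."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)

# Constructed sample contents, not taken from a real .nessusrc.
SAMPLE = """\
Login configurations[entry]:FTP account : = scanuser
Login configurations[password]:FTP password (sent in clear) : = example-ftp-pw
Login configurations[password]:POP3 password (sent in clear) : =
Login configurations[password]:SMB password : = example-smb-pw
"""

def demo():
    """Audit a world-readable copy of SAMPLE before and after hardening."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".nessusrc")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        before = audit(path)
        harden(path)
        return before, audit(path)

if __name__ == "__main__":
    for report in demo():
        print(report)
```

Tightening the mode only limits which local accounts can read the file; the credentials remain in plain text for the owner, for root, and in any backup of the home directory.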

 
 


Copyright 2019, SecurityGlobal.net LLC