Nessus Cross Site Scripting / Information Disclosure
Posted Jul 26, 2010
Authored by Renaud Deraison | Site nessus.org

The Nessus nessusd_www_server.nbin file suffers from cross site scripting and version disclosure vulnerabilities.

tags | advisory, vulnerability, xss, info disclosure
MD5 | df40b917caf2683326df86131ff08b44

Jul 26, 2010 3:33 PM
[Security] nessusd_www_server.nbin cross site scripting and version disclosure


Issues Description


The Nessus Web Server (nessusd_www_server.nbin) was vulnerable to the following two issues:


1. Cross Site Scripting Vulnerability


The Nessus Web Server was vulnerable to a cross site scripting vulnerability. An attacker who knows the URL of a running server could exploit it by sending a specially crafted link to an operator logged into the Nessus console and stealing that operator's authentication cookie.


2. A version disclosure in the web server


It is possible to obtain the version of the running Nessus server by requesting the /feed method. While this is not a vulnerability per se, some users might prefer this information to be hidden, and we realized there was no way to do so. If you want to hide the version of nessusd, update your plugins, set the parameter "xmlrpc_hide_version = yes" in nessusd.conf and restart nessusd.


Solutions and fixes
As the Nessus Web Server is exclusively distributed through the plugin feed (as nessusd_www_server.nbin), there is no need to upgrade your Nessus installation, simply make sure your plugins are up-to-date.


A few weeks ago, we pushed a new build of the Nessus Web Server into the plugin feed. If your server updates its plugins automatically, you should already be patched. You can verify the version of the web server you're running by logging into the Nessus server and clicking the "About" button of the web interface. Make sure that you're running version 1.2.6 of the web server or newer. If your server is not up-to-date, run /opt/nessus/bin/nessus-update-plugins from the command line and restart your Nessus server.


If you have any other questions with regards to the updates or the security of the server, feel free to contact me directly.


Credit
Tenable would like to thank the following individuals for alerting us about these vulnerabilities and dealing with them responsibly:


- Emmanuel Bouillon from the NATO C3 Agency, for the XSS vulnerability
- Jason Jones from Inner Security for the version disclosure issue


Timeline
Both issues have been fixed within less than 24 hours of receiving the reports from researchers:


2010/06/24: Received initial report about the XSS issue in the web server
2010/06/24: Version 1.2.4 of the web server, which solves this issue, is pushed into the feed. Initial reporter agrees to wait for a few weeks to make sure the update is deployed as widely as possible
2010/07/06: Received initial report about the version disclosure issue
2010/07/07: Version 1.2.6 of the web server, which adds support for the xmlrpc_hide_version option, is pushed into the feed. Initial reporter agrees to wait for a few weeks to make sure the update is deployed as widely as possible
2010/07/26: Public announcement


FAQ


Q: Which component of Nessus is affected by the vulnerability?
A: A Nessus plugin, called "nessusd_www_server.nbin" is affected by this vulnerability. This plugin is in charge of providing the HTTP services that the Flash Nessus Client uses to do its job. It acts as a gateway between web requests and the Nessus scanning server. The Nessus scanning server itself (nessusd) is not affected by this vulnerability.


Q: How do I apply the patch for this vulnerability? Where do I find it?
A: A corrected version of the web server was pushed into the plugin feed over three weeks ago. If your scanner is registered properly, you are already patched. If you do not update your plugins regularly, simply update your plugins and you will be patched. To verify that you're running the corrected version of the web server, log into your Nessus console, click on "About", and make sure you're running version 1.2.6 of the web server or newer.


Q: Do I need to upgrade my Nessus server to fix this vulnerability (using a newer .rpm, .deb, or .exe file?)
A: No. The only affected component is nessusd_www_server.nbin, which does not ship with the Nessus core installation but is delivered through the plugin feed.


Q: How do I hide the version number of my Nessus installation to web users?
A: Edit nessusd.conf and add "xmlrpc_hide_version = yes", then restart nessusd.
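As an added example (not part of this advisory and not Tenable's own tooling), the following POSIX shell script applies the nessusd.conf change described in section 2 and in the answer above idempotently, reads back the effective value, and checks a saved /feed response body for a leaked version number. The configuration file path, the `<server_version>` element name in the response and all sample contents are assumptions constructed for this example; restarting nessusd is left to the operator.

```shell
#!/bin/sh
# Added example, not from the advisory. Helpers to enforce and verify the
# "xmlrpc_hide_version = yes" setting, plus a check of a saved /feed reply.

# ensure_hide_version CONF_FILE
# Rewrites an existing xmlrpc_hide_version line to "yes" or appends one.
# Idempotent: running it twice leaves exactly one line with the setting.
ensure_hide_version() {
    conf="$1"
    [ -f "$conf" ] || : > "$conf"
    if grep -q '^[[:space:]]*xmlrpc_hide_version[[:space:]]*=' "$conf"; then
        # Setting already present (possibly "no"): normalise it to yes.
        sed 's/^[[:space:]]*xmlrpc_hide_version[[:space:]]*=.*/xmlrpc_hide_version = yes/' \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf '%s\n' 'xmlrpc_hide_version = yes' >> "$conf"
    fi
}

# hide_version_enabled CONF_FILE
# Returns 0 when the last (effective) xmlrpc_hide_version value is "yes".
hide_version_enabled() {
    val=$(grep '^[[:space:]]*xmlrpc_hide_version[[:space:]]*=' "$1" \
          | tail -n 1 | sed 's/.*=[[:space:]]*//; s/[[:space:]]*$//')
    [ "$val" = "yes" ]
}

# feed_leaks_version RESPONSE_FILE
# Returns 0 when a saved /feed response body still carries a version number.
# The <server_version> element name is an assumption for this example;
# adjust it to whatever your server actually returns.
feed_leaks_version() {
    grep -Eq '<server_version>[0-9]+(\.[0-9]+)*</server_version>' "$1"
}

# Demonstration on constructed sample data in a throwaway directory.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed sample nessusd.conf' 'max_hosts = 40' \
        'xmlrpc_hide_version = no' > "$d/nessusd.conf"
    ensure_hide_version "$d/nessusd.conf"
    hide_version_enabled "$d/nessusd.conf" && echo "xmlrpc_hide_version is enabled"

    # Constructed /feed reply captured before the setting took effect.
    printf '%s\n' '<reply><contents><server_version>4.2.2</server_version></contents></reply>' \
        > "$d/feed_before.xml"
    feed_leaks_version "$d/feed_before.xml" && echo "saved /feed reply still discloses the version; restart nessusd and re-check"
    rm -rf "$d"
}
demo
```

The effective value is taken from the last matching line because a later directive overrides an earlier one in most key = value configuration files; if your nessusd.conf has several, the rewrite collapses them all to "yes" anyway.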


Q: Could an attacker leverage this vulnerability to gain control of my computer?
A: No. The web server component cannot execute arbitrary commands on your local computer.


Q: Could an attacker leverage this vulnerability to recover the credentials I put in my policy?
A: No. The web server component does not have access to the credentials stored in your policies.


