-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0082
       A vulnerability has been identified in Tenable Nessus Web UI
                          prior to version 2.3.5.
                               22 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Tenable Nessus
Operating System:     Windows
                      Linux variants
Impact/Access:        Access Confidential Data -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-4980
Member content until: Thursday, August 21 2014

OVERVIEW

        A vulnerability has been identified in Tenable Nessus Web UI prior to
        version 2.3.5. [1]


IMPACT

        The following details have been disclosed by the vendor:

        "Synopsis

        Nessus was found to be vulnerable to a parameter tampering issue
        that could result in a limited information disclosure. The issue is
        due to the web server's /server/properties resource including
        information meant for authenticated users. This resource is designed
        to provide limited information about the scanner for API requests.
        However, manipulation of the 'token' parameter would result in it
        returning additional information about the scanner, primarily the
        version of the Plugin feed and a few other minor details." [1]
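
        As an illustration added by the editor (not part of the AusCERT
        bulletin or Tenable's advisory), the following Python sketches how a
        defender might review web server access logs for the pattern the
        vendor describes: requests to /server/properties carrying a 'token'
        value the scanner never issued. The log format, the token shape and
        the set of issued tokens are all constructed assumptions.

```python
# Added illustration, not part of the AusCERT bulletin or Tenable's advisory:
# flag /server/properties requests whose 'token' parameter is present but is
# not a session token the scanner issued. Log format, token shape and the
# issued-token set are constructed assumptions, not Nessus specifics.
import re
from urllib.parse import parse_qs, urlsplit
# Constructed access-log lines in combined-log style (not real Nessus logs).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jul/2014:10:01:02 +1000] "GET /server/properties?token=4f9a2c HTTP/1.1" 200 512
10.0.0.9 - - [22/Jul/2014:10:01:05 +1000] "GET /server/properties?token=zzzz HTTP/1.1" 200 2048
10.0.0.9 - - [22/Jul/2014:10:01:07 +1000] "GET /server/properties?token= HTTP/1.1" 200 2048
10.0.0.9 - - [22/Jul/2014:10:01:08 +1000] "GET /server/properties?token=deadbe HTTP/1.1" 200 2048
10.0.0.7 - - [22/Jul/2014:10:01:09 +1000] "GET /server/properties HTTP/1.1" 200 512
10.0.0.5 - - [22/Jul/2014:10:02:00 +1000] "GET /scans?token=4f9a2c HTTP/1.1" 200 9000
"""

ISSUED_TOKENS = {"4f9a2c", "b81e07"}        # assumed: tokens currently issued
TOKEN_RE = re.compile(r"^[0-9a-f]{6,}$")     # assumed token shape: lowercase hex
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<target>\S+) [^"]+" (?P<status>\d{3}) (?P<bytes>\d+)'
)

def token_problem(token, issued):
    """Return why a token looks tampered, or None. An absent token is fine:
    the resource is meant to answer unauthenticated API requests."""
    if token is None:
        return None
    if not TOKEN_RE.match(token):
        return "malformed"
    if token not in issued:
        return "not-issued"
    return None

def find_tampered_requests(log_text, issued=ISSUED_TOKENS):
    """Return (ip, token, reason, bytes) for suspicious /server/properties hits."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        parts = urlsplit(m["target"])
        if parts.path != "/server/properties":
            continue
        token = parse_qs(parts.query, keep_blank_values=True).get("token", [None])[0]
        reason = token_problem(token, issued)
        if reason:
            hits.append((m["ip"], token, reason, int(m["bytes"])))
    return hits
```

        A repeated hit from one source with a larger response size than the
        unauthenticated baseline is the combination worth investigating.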


MITIGATION

        Tenable has advised customers that an automatic update fixing the
        issue was issued as part of their plugin feed. [1]


REFERENCES

        [1] Tenable Nessus Web UI /server/properties token Parameter Remote
            Information Disclosure
            http://www.tenable.com/security/tns-2014-05

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----