22 July 2014
===========================================================================
             AUSCERT Security Bulletin ASB-2014.0082
   A vulnerability has been identified in Tenable Nessus Web UI prior to
                            version 2.3.5.
                            22 July 2014
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Tenable Nessus
Operating System:     Windows
                      Linux variants
Impact/Access:        Access Confidential Data -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-4980
Member content until: Thursday, August 21 2014

OVERVIEW

        A vulnerability has been identified in Tenable Nessus Web UI prior
        to version 2.3.5.

IMPACT

        The following details have been disclosed by the vendor:

        "Synopsis

        Nessus was found to be vulnerable to a parameter tampering issue
        that could result in a limited information disclosure. The issue is
        due to the web server's /server/properties resource including
        information meant for authenticated users. This resource is designed
        to provide limited information about the scanner for API requests.
        However, manipulation of the 'token' parameter would result in it
        returning additional information about the scanner, primarily the
        version of the Plugin feed and a few other minor details."

MITIGATION

        Tenable has advised customers that an automatic update fixing the
        issue was issued as part of their plugin feed.

REFERENCES

        Tenable Nessus Web UI /server/properties token Parameter Remote
        Information Disclosure
        http://www.tenable.com/security/tns-2014-05

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: firstname.lastname@example.org
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
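The bug class the vendor describes, a properties resource that should return only a limited subset to unauthenticated API requests but leaks authenticated-only fields when the 'token' parameter is tampered with, is illustrated below with a weak gate beside a hardened one. This is an added example and not Tenable's code or AusCERT's; the exact cause of the Nessus defect is not on the page, so the weak variant (trusting any non-empty token) is a hypothetical reconstruction, and the field names, session store and token values are constructed.

```python
# Added illustration for ASB-2014.0082 / CVE-2014-4980: a /server/properties
# style endpoint that must expose only a public subset to callers without a
# valid session token. The weak/fixed pair is a hypothetical reconstruction
# of the bug class, not Tenable's code; field names and values are constructed.
import hmac
from urllib.parse import parse_qs

# Constructed sample data: the full record an authenticated caller may see,
# versus the limited view intended for unauthenticated API requests.
FULL_PROPERTIES = {
    "server_version": "2.3.5",                 # constructed value
    "plugin_feed_version": "201407211234",     # constructed value
    "feed_type": "ProfessionalFeed",           # constructed value
    "scanner_uuid": "00000000-0000-0000-0000-000000000000",  # placeholder
}
PUBLIC_FIELDS = frozenset({"server_version"})

# Constructed session store: token -> username. In a real deployment the
# token is issued by the login endpoint and held server side.
SESSIONS = {"d3f4u1t5e55i0nt0k3n": "admin"}


def _token_from_query(query_string):
    """Return the 'token' query parameter, or None if absent or empty."""
    values = parse_qs(query_string, keep_blank_values=True).get("token", [])
    return values[0] if values and values[0] else None


def is_valid_session(token, sessions=SESSIONS):
    """Constant-time comparison of a presented token against issued sessions."""
    if token is None:
        return False
    presented = token.encode("utf-8")
    return any(hmac.compare_digest(presented, issued.encode("utf-8"))
               for issued in sessions)


def _public_view():
    return {k: v for k, v in FULL_PROPERTIES.items() if k in PUBLIC_FIELDS}


def properties_weak(query_string):
    """Hypothetical weak gate: any non-empty token is treated as a session,
    so a tampered 'token' parameter returns the full record (the bug class)."""
    return dict(FULL_PROPERTIES) if _token_from_query(query_string) else _public_view()


def properties_fixed(query_string, sessions=SESSIONS):
    """Hardened gate: only a token matching an issued session receives the
    authenticated-only fields; missing, empty or forged tokens get the subset."""
    if is_valid_session(_token_from_query(query_string), sessions):
        return dict(FULL_PROPERTIES)
    return _public_view()
```

The hardened gate decides on a server-side lookup of the presented value rather than on the parameter's shape or presence, which is the property that a tampered parameter cannot satisfy.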