Potential RCE in Nessus 7 and attacks on Vulnerability Scanners

A few days ago I saw an interesting youtube video (UPD. 14.05.18 Not available anymore) in my Facebook feed. It is demonstrating the exploitation of the RCE vulnerability in Tenable Nessus Professional 7.0.3. Currently we have very few information about this vulnerability: only youtube video, which is mentioned only on ExploitWareLabs facebook page.

Nessus 7.0.3 RCE

While there is no exploit in public access, it’s hard to say how it actually works. It’s also not clear what versions of Nessus are affected. 7.0.3 is the latest version currently. Because of API disabling in Nessus 7 many users are still on 6.11.3. It is not clear whether they are affected or not.

This even can be a fake video. Therefore, I specifically write “potential RCE”. I will update this post when more data is available.

UPD. 14.05.18 In the comments to my Facebook post anonymous account Destring Portal posted a comment with the second video of Nessus RCE exploitation and it seems, that it was made by the same author. In this video, the author runs a remote shell on the Nessus host and executes various commands. I will add review of this second video bellow.

Nessus RCE second video

UPD. 10.05.18 Renaud Deraison, Co-Founder and CTO of Tenable, commented on my post at Linkedin:

Our research team studied the video and we have several reasons to doubt its authenticity. We’ve conducted a thorough audit over the last 48 hours based the few details that are in the video and didn’t find anything. We reached out the researcher and instead of replying he removed the video*. We’ll communicate if indeed there is a risk.

In general, you are right though – the security of scanners is of paramount importance. This actually is a topic I’ve been extremely worried about ever since the early days of Nessus. We have a number of security mechanisms in place (interpreted language for the detection scripts, ciphered temporary files, very limited runtime environment) which really aim to limit the risk of being exploited but also to mitigate the risk should the scanner be compromised. I actually did a few talks in the past about scanning “rogue hosts” and we continue to treat all input as hostile.

Again, we’re continuing to investigate the matter and will let you know if we find anything.

* currently video is still available on the same address; it could be probably blocked for some time. (UPD. 14.05.18 Not available anymore)

In any case, it’s a good reason to talk about vulnerabilities of such kind, how they appear and how to protect Vulnerability Scanners from attackers.

Continue reading

Outpost24 OUTSCAN for detecting vulnerabilities on your network perimeter

Today I would like to write  a post about Outpost24. This company was founded in 2001. For comparison, Tenable was founded in 2002 and Qualys in 1999. So, it’s a company with a pretty long history. Outpost24 make Vulnerability Management & Web Application Security products and provide various services in these areas. As far as I can tell, they are known mainly in Central and Northern Europe.

I’ve been testing their cloud-based solution for network perimeter scanning  – OUTSCAN. Here I want to show the main features of the GUI and share my impressions. 

Outpost24 Outscan

Continue reading

CISO Forum and the problems of Vulnerability Databases

Last Tuesday, April 24,  I was at “CISO FORUM 2020: glance to the future“. I presented there my report “Vulnerability Databases: sifting thousands tons of verbal ore”. In this post, I’ll briefly talk about this report and about the event itself.

CISO Forum 2020

My speech was the last in the program. At the same time, in a parallel stream, there was another interesting presentation by the most famous Russian information security blogger. Thus, there was a real danger of speaking in an empty room. 🙂 But everything went well. There were about 30 spectators and we had an active QA session afterwards.

As I wrote earlier, I started preparing my CyberCentral presentation several months before the event. I did not want to tell the same story again at CISO Forum and PHDays. So I prepared 2 different presentations. At CyberCentral, I was talking about Vulnerability Scanners. And at CISO Forum I was talking mainly about Vulnerable Databases. Of course, I reused some materials, but the accents were different.

Continue reading

CyberCentral Summit 2018 in Prague

Almost whole last week I spent in Prague at CyberCentral conference. It was a pretty unique experience for me. I was for the first time at the International conference as a speaker. And not only I presented my report there, but lead the round table on Vulnerability Management and participated in a panel session.

CyberCentral2018 my presentation

From my point of view, everything was pretty good. I successfully closed my gestalt on public speaking in English. I definitely can do it. 🙂

The event was hold in Lucerna passage right in a center of Prague. Beautiful building in Art Nouveau style with famous ironic  “Statue of King Wenceslas Riding an Upside-Down Dead Horse”. 🙂

CyberCentral Lucerna passage

Even to speak in this building was a great honor. In my opinion the place was chosen ideally. It is beautiful and really good located. Lots of good hotels, restaurants and all main tourist attractions were in nearby. It was easy to go for a walk in a spare time. Some photos you can see at my Facebook page [1,2] .

Continue reading

Vulchain scan workflow and search queries

This post will be about my Vulnerability Scanner project – Vulchain. Recently I’ve spent couple of my weekends almost exclusively on coding: refactoring the scan engine, creating API and GUI.

Vulchain scan workflow and search queries

I was doing it because of the conferences, where I will be speaking soon:

Pretty intense schedule for a guy who spends most of his time in PyCharm and Linux console. 😉 Very excited! So, it seemed right to add a couple of slides about my project and show that something is already working.

Continue reading