Nessus Vulnerability Let Attackers Alter Rules Variables

An arbitrary file write vulnerability has been discovered in Nessus, which allows an authenticated, remote attacker to perform a denial of service condition on affected installations. This vulnerability has been assigned with CVE-2023-6062, and a severity rating was added.

Nessus has released patches to fix this vulnerability and has urged its users to patch them accordingly.


Free Webinar

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

CVE-2023-6062: Arbitrary File Write Vulnerability in Nessus

This vulnerability allows an authenticated, remote attacker with administrative privileges on a Nessus application to alter Nessus Rules variables and overwrite arbitrary files on the remote host that could cause denial of service conditions.

Ammarit Thongthua and Sarun Pornjarungsak of the Secure D Research Team reported this vulnerability. The severity rating for this vulnerability is 6.8 (Medium). 

There is no evidence of this vulnerability being exploited by threat actors in the wild, nor has a publicly available exploit been found. 

According to Nessus, Tenable first reported this vulnerability on 26th October and was confirmed to be valid on 30th October 2023. CVE-2023-6062 was requested, and the score was calculated on 09-11-2023. Nessus acted swiftly upon this report and patched this vulnerability on 16th November 2023.

Products of Nessus affected by this vulnerability include all the Nessus 10.5.6 and earlier installations. To fix this vulnerability, users are recommended to upgrade to version 10.5.7 or later versions (10.6.3) to prevent this vulnerability from getting exploited by threat actors.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Source link