CVE-2004-2722 in Nessusinfo

Summary

by MITRE

** DISPUTED ** Nessus 2.0.10a stores account passwords in plaintext in .nessusrc files, which allows local users to obtain passwords. NOTE: the original researcher reports that the vendor has disputed this issue.


Analysis

by VulDB Data Team • 08/08/2024

CVE-2004-2722 describes an insecure credential storage flaw in Nessus 2.0.10a, a network security scanner that was widely used in the early 2000s. The issue lies in how Nessus handles user account credentials when it writes configuration data to .nessusrc, the scanner's primary configuration file. The flaw matters because it directly violates basic expectations for credential protection and access control.

The vulnerability stems from the application's choice to store passwords in plaintext inside the .nessusrc configuration files. Any local user who can read such a file obtains the credentials directly: the data is neither encrypted nor obfuscated at the storage layer, so it is immediately readable to anyone with file system access. The weakness is classified as CWE-312 (Cleartext Storage of Sensitive Information). Because Nessus persists authentication details this way, the file offers no protection in local privilege escalation or unauthorized file access scenarios.

The operational impact goes beyond the theft of a single credential, because it undermines the security posture of every system that relies on Nessus for vulnerability assessment. A local user who reads .nessusrc immediately holds valid account credentials that may grant access to further systems or allow privilege escalation within the network, and the damage compounds where the same credentials are reused across multiple systems or services. The flaw is especially concerning in multi-user environments where file permissions are not strictly enforced, since it enables information disclosure that violates the principle of least privilege. The attack vector corresponds to MITRE ATT&CK technique T1552, "Unsecured Credentials", which covers credential exposure through insecure storage mechanisms.

The disputed status of this CVE illustrates how contested vulnerability assessment can be and why reported security claims need proper validation. The original researcher treated the issue as a legitimate security concern; the vendor's dispute suggests disagreement over its severity classification or over whether the flaw exists at all in the version named. Organizations should therefore not rely on the CVE description alone but verify whether the vulnerability is actually present, and with what impact, in their own environments. The dispute also shows that different parties can read the same risk differently, which is a recurring challenge in vulnerability management. Regardless of the outcome, sound security hygiene means adding protections beyond what the vendor provides, including regular file system audits and access control reviews, to prevent credential exposure through storage mechanisms of this kind.
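The file system audit recommended above can be automated. The following script is an added example written for this page, not VulDB's or Tenable's code; it assumes a simple "key = value" line format and a hypothetical set of credential-like key names (password, passwd, secret, token), since the real .nessusrc schema is not given here. It flags entries that hold a cleartext secret and reports whether the file is readable by group or world, which is the combination CWE-312 plus loose permissions that makes the disclosure trivial.

```python
"""Audit a Nessus-style rc file for cleartext credentials and loose permissions.

Added example for detecting the CWE-312 condition described on this page.
Assumptions (not from the page): a 'key = value' line format and the
credential-like key names matched by SECRET_KEY_PATTERN below.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from typing import List

# Hypothetical key names that suggest a stored secret (assumption).
SECRET_KEY_PATTERN = re.compile(r"(pass(word|wd)?|secret|token)", re.IGNORECASE)
# One 'key = value' entry per line; comments start with '#'.
KV_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*=\s*(.*?)\s*$")


@dataclass
class Finding:
    line_no: int
    key: str
    reason: str


def scan_config_text(text: str) -> List[Finding]:
    """Return a finding for every credential-like key whose value is stored
    in the clear (non-empty and not already masked with asterisks)."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KV_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if SECRET_KEY_PATTERN.search(key) and value and value != "*" * len(value):
            findings.append(Finding(n, key, "cleartext credential value"))
    return findings


def check_permissions(path: str) -> List[str]:
    """Flag group/other read bits; a file holding credentials should be
    readable by its owner only (mode 0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & stat.S_IRGRP:
        problems.append("group-readable")
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    return problems


def audit_file(path: str) -> dict:
    """Combine content and permission checks for one rc file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings = scan_config_text(fh.read())
    return {"credentials": findings, "permissions": check_permissions(path)}


def demo() -> dict:
    """Write a constructed rc file with a cleartext password and a 0644 mode,
    audit it, and return the result. The content is made up for this example."""
    sample = "\n".join([
        "# constructed sample, not a real .nessusrc",
        "server = scanner.example.internal",
        "login = scanneruser",
        "password = hunter2",
        "plugin_timeout = 320",
        "",
    ])
    with tempfile.NamedTemporaryFile("w", suffix=".nessusrc", delete=False) as tmp:
        tmp.write(sample)
        path = tmp.name
    os.chmod(path, 0o644)  # deliberately loose, to trigger the permission check
    try:
        return audit_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    result = demo()
    for f in result["credentials"]:
        print(f"line {f.line_no}: key '{f.key}' holds a {f.reason}")
    print("permission issues:", ", ".join(result["permissions"]) or "none")
```

Run it against a real configuration directory by calling audit_file on each rc file; a finding with an empty permissions list means the secret is still in the clear but at least confined to the owner, while a finding combined with "world-readable" is the situation the CVE describes. The remediation on the storage side is to move the credential out of the file into a protected store or prompt for it, and on the file system side to set the file to owner-only read.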

Reservation: 10/06/2007
Disclosure: 12/31/2004
Moderation: accepted
Entry: VDB-23589
CPE: ready
EPSS: 0.00300
KEV: no
Activities: very low

Sources
