CVE-2010-2989 in Web Server plugin

Summary

by MITRE

nessusd_www_server.nbin in the Nessus Web Server plugin 1.2.4 for Nessus allows remote attackers to obtain sensitive information via a request to the /feed method, which reveals the version in a response.


Analysis

by VulDB Data Team • 01/03/2018

The vulnerability identified as CVE-2010-2989 resides within the Nessus Web Server plugin version 1.2.4, specifically in the nessusd_www_server.nbin component. This issue represents a classic information disclosure vulnerability that occurs when the web server fails to properly sanitize its responses to client requests. The flaw manifests when attackers send a request to the /feed method endpoint, which inadvertently exposes the Nessus server version information within the response headers or body. This type of vulnerability falls under the category of information exposure as defined by CWE-200, where sensitive system information is disclosed to unauthorized parties. The vulnerability demonstrates poor security hygiene in the web server implementation, as it provides unnecessary information that could aid attackers in their reconnaissance phase.

The technical mechanism behind this vulnerability involves the web server's response handling for the /feed method, which is typically used to deliver security feeds or updates to Nessus clients. When this endpoint processes requests, it includes version information in its response without proper access controls or sanitization measures. This allows remote attackers to easily determine the exact Nessus version running on the server, which is critical information for exploit development. The vulnerability operates at the application layer and requires no authentication or special privileges to exploit, making it particularly dangerous as it can be leveraged by any remote attacker. This aligns with ATT&CK technique T1082, which involves discovering system information through reconnaissance activities.

The operational impact of this vulnerability extends beyond simple version disclosure, as it significantly weakens the security posture of Nessus installations. Attackers can use the disclosed version information to identify known vulnerabilities in specific Nessus versions, potentially enabling them to craft targeted attacks against the system. This information disclosure creates a foundation for more sophisticated attacks, as it allows threat actors to determine if the system is running vulnerable software versions that may contain additional security flaws. The vulnerability affects the confidentiality aspect of the security triad by exposing sensitive system information that should remain hidden from unauthorized users. Organizations using Nessus for vulnerability assessment and penetration testing are particularly at risk, as this information could be used to bypass security controls or identify weaknesses in their security infrastructure. The vulnerability also impacts the principle of least privilege, as it reveals information that should be restricted to authorized personnel only.

Mitigation strategies for CVE-2010-2989 should focus on implementing proper input validation and response sanitization within the Nessus web server plugin. Organizations should immediately update to patched versions of Nessus that address this information disclosure vulnerability, as the vendor likely released updates to remove or obfuscate version information in responses. Network administrators should also implement web application firewalls or security controls that can filter or block requests to sensitive endpoints like /feed. The mitigation approach should include disabling unnecessary web server functionality where possible and ensuring that response headers do not contain version information. Regular security assessments should be conducted to identify similar information disclosure vulnerabilities in other web applications. This vulnerability highlights the importance of following security best practices such as those outlined in the OWASP Top Ten, particularly the prevention of information exposure, and aligns with defense-in-depth strategies that require multiple layers of security controls to protect against various attack vectors. Organizations should also implement monitoring solutions that can detect and alert on unusual requests to sensitive endpoints, providing additional security coverage beyond the immediate patching solution.
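The monitoring step described above can be sketched as a log check. This is an added example, not code from VulDB, MITRE or the vendor; it assumes a reverse proxy or log source in front of the Nessus web server that writes Common/Combined Log Format, and the names ALLOWED_NETS, is_feed_request and flag_feed_requests, as well as the sample log lines, are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

# Assumption: management networks that are expected to reach the scanner UI.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Log prefix: client, ident, user, [time], "METHOD target PROTO", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_feed_request(target: str) -> bool:
    """True if an origin-form request target resolves to the /feed method."""
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])
    # Normalize duplicate slashes, a trailing slash and letter case so that
    # equivalent spellings of the path are all counted.
    path = re.sub(r"/+", "/", path).rstrip("/").lower()
    return path == "/feed"

def flag_feed_requests(lines):
    """Return {client_ip: count} for /feed requests from outside ALLOWED_NETS."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_feed_request(m["target"]):
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # client field is a hostname or malformed
        if not any(ip in net for net in ALLOWED_NETS):
            hits[str(ip)] += 1
    return dict(hits)

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jan/2018:10:00:01 +0000] "GET /feed HTTP/1.1" 200 312',
    '203.0.113.7 - - [03/Jan/2018:10:00:02 +0000] "GET /%66eed/?x=1 HTTP/1.1" 200 312',
    '10.20.0.15 - - [03/Jan/2018:10:01:00 +0000] "GET /feed HTTP/1.1" 200 312',
    '198.51.100.9 - - [03/Jan/2018:10:02:00 +0000] "GET /feedback HTTP/1.1" 404 0',
    '198.51.100.9 - - [03/Jan/2018:10:02:05 +0000] "POST //FEED HTTP/1.1" 200 312',
]

if __name__ == "__main__":
    for ip, count in flag_feed_requests(SAMPLE_LOG).items():
        print(f"ALERT: {count} /feed request(s) from non-management source {ip}")
```

Requests from the allow-listed management network and lookalike paths such as /feedback are not counted.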
