CVE-2017-6543 in Nessus
Summary
by MITRE
Tenable Nessus before 6.10.2 (as used alone or in Tenable Appliance before 4.5.0) was found to contain a flaw that allowed a remote, authenticated attacker to upload a crafted file that could be written to anywhere on the system. This could be used to subsequently gain elevated privileges on the system (e.g., after a reboot). This issue only affects installations on Windows.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 09/05/2020
The vulnerability identified as CVE-2017-6543 represents a critical path traversal flaw in Tenable Nessus versions prior to 6.10.2 and Tenable Appliance versions prior to 4.5.0, specifically affecting Windows installations. This vulnerability stems from inadequate input validation and file handling mechanisms within the Nessus scanning platform, which is widely deployed for network security assessments and vulnerability management. The flaw exists in the file upload functionality that processes user-supplied data without proper sanitization, creating an exploitable condition that allows authenticated attackers to manipulate the file system write operations.
The technical implementation of this vulnerability involves a directory traversal attack pattern where an attacker can manipulate the file upload process to write malicious files to arbitrary locations on the Windows system. This occurs due to insufficient validation of file paths and lack of proper access controls during the file handling operations. The vulnerability is classified under CWE-22 as "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" and aligns with ATT&CK technique T1059.001 for Command and Scripting Interpreter. The flaw allows attackers to bypass normal file system permissions and write executable code to critical system directories, potentially enabling privilege escalation and persistent access.
The operational impact of this vulnerability is severe as it provides attackers with a means to achieve system compromise and persistence. Once exploited, the attacker can place malicious executables in system directories such as the Windows System32 folder or other critical locations where they will execute with elevated privileges upon system reboot or service restart. This creates a persistent backdoor that can survive system reboots and potentially evade detection by standard security monitoring tools. The vulnerability affects organizations using Nessus for security assessments, as the attacker would need valid credentials to exploit this flaw, but the impact extends beyond the immediate compromise to include potential lateral movement and data exfiltration.
Mitigation strategies for CVE-2017-6543 include immediate patching of Nessus and Tenable Appliance installations to versions 6.10.2 and 4.5.0 respectively, which address the directory traversal vulnerability through proper input validation and path sanitization. Organizations should also implement network segmentation to limit access to Nessus servers and restrict authentication credentials to only authorized personnel. Additional defensive measures include monitoring file system changes, implementing application whitelisting policies, and conducting regular security assessments of the Nessus installation to identify potential privilege escalation paths. The vulnerability demonstrates the importance of proper input validation in web applications and highlights the need for comprehensive security testing of security tools themselves, as they can become attack vectors when not properly secured.