CVE-2018-1148 in Nessus
Summary
by MITRE
In Nessus before 7.1.0, Session Fixation exists due to insufficient session management within the application. An authenticated attacker could maintain system access due to session fixation after a user password change.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 02/06/2020
The vulnerability identified as CVE-2018-1148 represents a critical session management flaw in Nessus versions prior to 7.1.0, classified under CWE-384 as Session Fixation. This vulnerability stems from inadequate session handling mechanisms that allow authenticated attackers to maintain persistent access to systems even after legitimate users have changed their passwords. The flaw exists within the application's core authentication framework where session identifiers are not properly regenerated or invalidated during password change operations, creating a persistent security risk that undermines the fundamental principle of secure session management.
The technical implementation of this vulnerability occurs when a user authenticates to the Nessus application and subsequently changes their password. Under normal circumstances, the system should invalidate the existing session and generate a new session identifier to prevent unauthorized access. However, in affected versions, the session fixation occurs because the application fails to properly destroy or regenerate the session token upon password modification, allowing an attacker who has already obtained a valid session to continue using the same session identifier even after the legitimate user has updated their credentials. This flaw directly violates security best practices outlined in the OWASP Top Ten and aligns with ATT&CK technique T1563.002 related to credentials from password reuse.
The operational impact of this vulnerability extends beyond simple unauthorized access, as it enables persistent threat actor presence within networks that rely on Nessus for vulnerability scanning and security assessments. An attacker who successfully exploits this vulnerability can maintain access to critical security infrastructure, potentially evading detection while continuing to perform reconnaissance activities or manipulate scan results. This poses significant risk to organizations that depend on Nessus for their security posture, as the vulnerability can be leveraged to establish long-term access to sensitive environments, undermining the integrity of security monitoring systems and potentially enabling lateral movement within networks. The vulnerability's persistence is particularly concerning given that Nessus is commonly used for internal network assessments and security audits, making it a prime target for attackers seeking to maintain access to enterprise environments.
Organizations should prioritize immediate remediation by upgrading to Nessus version 7.1.0 or later, which implements proper session management controls to prevent session fixation attacks. Additional mitigations include implementing session timeout mechanisms, ensuring proper session invalidation during authentication events, and monitoring for unusual session activity patterns. Security teams should also conduct comprehensive audits of their Nessus configurations to verify that session management policies are properly enforced. The vulnerability demonstrates the critical importance of proper session handling in security applications and serves as a reminder that authentication mechanisms must be carefully designed to prevent session-related attacks that could compromise the entire security infrastructure.