CVE-2024-2390 in Nessus Agent

Summary

by MITRE • 03/18/2024

As a part of Tenable’s vulnerability disclosure program, a vulnerability in a Nessus plugin was identified and reported. This vulnerability could allow a malicious actor with sufficient permissions on a scan target to place a binary in a specific filesystem location, and abuse the impacted plugin in order to escalate privileges.


Analysis

by VulDB Data Team • 04/14/2025

CVE-2024-2390 resides in Tenable's Nessus security scanning platform, specifically in a Nessus plugin that processes scan results or system information. It is a privilege escalation vulnerability that arises from the interaction between the plugin's execution context and the target system's file permissions. The flaw was discovered through Tenable's vulnerability disclosure program. It manifests when a malicious actor with sufficient permissions on a scan target places a binary in a specific filesystem location, which the vulnerable plugin then executes.

The root cause is inadequate input validation and improper privilege handling within the Nessus plugin. When the plugin runs, it likely accesses or processes files without validating their integrity or source; because it operates with elevated permissions to perform its scanning functions, this gives an attacker an opportunity to escalate privileges. The issue maps to CWE-269: "Improper Privilege Management" and potentially CWE-78: "Improper Neutralization of Special Elements used in OS Command Injection." The affected plugin may be executing commands or processing files without proper sandboxing or access control, allowing an attacker to inject malicious code through filesystem manipulation.

The operational impact goes beyond simple privilege escalation: a successful attacker could gain unauthorized administrative access to the target system. This is a significant risk for organizations that rely heavily on Nessus, particularly where scan targets include critical infrastructure or sensitive systems. Exploitation requires that the attacker already hold sufficient permissions on the scan target, so the flaw is not immediately exploitable in every environment, but it remains a serious escalation risk. Environments where privilege separation is not properly enforced are particularly exposed, and the vulnerability's potential use as one link in a broader attack chain makes it a pressing concern for teams managing enterprise security infrastructure.

Mitigation for CVE-2024-2390 should focus on promptly patching the affected Nessus plugin and adding access controls. Organizations should update their Nessus installations to the latest versions that contain the fix. Administrators should review and tighten access controls on scan targets, in particular ensuring that Nessus plugins do not have unnecessary write permissions to critical filesystem locations. The principle of least privilege should be enforced when configuring scan targets, limiting the scanning process to only the permissions legitimate operations require. Organizations should also monitor for unusual filesystem changes in locations where Nessus plugins execute or process files, since such changes could indicate exploitation attempts. The vulnerability aligns with ATT&CK technique T1068: "Exploitation for Privilege Escalation" and may also map to T1059: "Command and Scripting Interpreter" if command execution is involved in exploitation.
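As an added illustration of the check the mitigation above calls for (this is not Tenable's code, and the specific plugin path is not named on this page), the following Python audits a binary's path the way a privileged component should before executing it, flagging every component an untrusted user could create, replace or repoint. The function names and the sample tree built by run_demo() are constructed for this example; the demo uses the current uid as a stand-in for root so it runs unprivileged.

```python
import os
import stat
import tempfile

# Hypothetical defender-side check, not Tenable's code: before a privileged
# process executes a binary at a fixed path, verify that no component is writable
def component_findings(p, trusted_uids):
    """Problems with a single path component (file or directory)."""
    try:
        st = os.lstat(p)
    except FileNotFoundError:
        return [f"{p}: missing, anyone who can write the parent could create it"]
    if stat.S_ISLNK(st.st_mode):
        return [f"{p}: is a symlink, may be repointed by its owner"]
    out = []
    if st.st_uid not in trusted_uids:
        out.append(f"{p}: owned by untrusted uid {st.st_uid}")
    if st.st_mode & stat.S_IWOTH:
        out.append(f"{p}: world-writable")
    if st.st_mode & stat.S_IWGRP:
        out.append(f"{p}: group-writable (gid {st.st_gid})")
    return out

def audit_exec_path(path, trusted_uids=(0,), base="/"):
    """Audit `path` and every ancestor up to `base`; empty list means trusted."""
    path, base = os.path.abspath(path), os.path.abspath(base)
    findings, p = [], path
    while True:
        findings.extend(component_findings(p, trusted_uids))
        if p == base or os.path.dirname(p) == p:
            break
        p = os.path.dirname(p)
    return findings

def run_demo():
    """Constructed tree: one locked-down binary, one planted in a writable dir."""
    base = tempfile.mkdtemp()  # mode 0700, owned by us: a trusted anchor
    me = (os.getuid(),)  # stand-in for uid 0 so the demo runs unprivileged
    paths = {"missing": os.path.join(base, "drop", "not-yet-there")}
    for name, sub, mode in (("clean", "bin", 0o755), ("planted", "drop", 0o777)):
        d = os.path.join(base, sub)
        os.mkdir(d)
        os.chmod(d, mode)  # explicit, so the umask cannot interfere
        paths[name] = os.path.join(d, "helper")
        open(paths[name], "w").close()
        os.chmod(paths[name], 0o755)
    return {k: audit_exec_path(v, me, base) for k, v in paths.items()}
```

A real deployment would keep trusted_uids at uid 0 and run the audit against the plugin's actual helper path, refusing to execute when any finding is returned.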
