CVE-2024-3291 in Nessus Agent
Summary
by MITRE • 05/17/2024
When installing Nessus Agent to a directory outside of the default location on a Windows host, Nessus Agent versions prior to 10.6.4 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default installation location.
Analysis
by VulDB Data Team • 05/17/2024
CVE-2024-3291 is a local privilege escalation weakness in the Windows installer of Nessus Agent, affecting versions prior to 10.6.4. It applies only when the agent is installed to a directory outside the default location: the installer did not enforce secure permissions on the sub-directories it created there, so unless the administrator had locked down the chosen location beforehand, the agent's directory tree could remain writable by unprivileged local users.
The flaw lies in how the Windows file-system permission model applies to the chosen installation path. A directory created under the default location (Program Files) inherits an ACL that denies write access to standard users, so the sub-directories the installer creates there are protected by inheritance alone. A custom location, for example a directory created directly under the drive root, typically inherits an ACL that grants Authenticated Users the right to create files and folders, and the installer did not replace that inherited ACL with a restrictive one of its own. The weakness is classified as CWE-732 (Incorrect Permission Assignment for Critical Resource) and is a direct violation of the principle of least privilege: a local user who can write into the agent's tree can place or replace files that the agent, running with higher privileges than that user, later reads or executes, and thereby run code at the agent's privilege level.
The operational impact goes beyond a single host's privilege boundary, because Nessus Agent is typically deployed fleet-wide to support vulnerability scanning. On every Windows host that runs an affected version from a non-default, unsecured path, a local attacker can use the weak directory permissions to elevate privileges. The risk is highest on shared or multi-user systems and wherever administrative rights are loosely controlled. The weakness is not remotely reachable on its own: an attacker first needs a foothold on the host, gained by other means, and then uses the writable agent tree to raise that access. In ATT&CK terms the weakness itself is T1068 (Exploitation for Privilege Escalation); the T1566 (Phishing) mapping describes one common way the prerequisite initial access could be obtained.
Mitigation starts with updating Nessus Agent to version 10.6.4 or later, which corrects the permission handling. Inventory all Windows hosts running the agent, identify those on vulnerable versions, and prioritise hosts where the agent was installed to a non-default path, since the default location is not affected. Independently of the update, any agent tree at a non-default path should be checked directly: set a restrictive ACL on the installation directory that limits write access to SYSTEM and administrators, and let the sub-directories inherit it rather than relying on whatever the parent directory happened to grant. Consider monitoring those directories for unexpected writes or ACL changes, and review access-control policy more generally on multi-user hosts, where the exposure is greatest.
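As an added example (not code from Tenable, VulDB or the advisory), the following PowerShell script, run from an elevated prompt, covers the practical steps above: it reports the installed agent version against 10.6.4, walks the install tree for ACEs that grant write rights to principals other than SYSTEM, Administrators, CREATOR OWNER and TrustedInstaller, and with -Fix replaces the inherited ACL with the restrictive one Program Files uses. The install path C:\NessusAgent, the uninstall-registry version lookup and the trusted-principal list are this example's assumptions, not values from the advisory.

```powershell
<#
  Added example, not Tenable's or VulDB's code. Audits a non-default Nessus Agent
  install tree for ACEs that let non-administrators write into it, reports the
  installed version against the fixed release, and with -Fix resets the ACL.
  Assumptions: the default for $InstallRoot is a hypothetical custom path; the
  uninstall-registry lookup and the trusted-principal list are this example's
  choices. Run from an elevated PowerShell prompt.
#>
[CmdletBinding()]
param(
    [string]$InstallRoot = 'C:\NessusAgent',   # hypothetical non-default install path
    [switch]$Fix                              # rewrite the ACL instead of only reporting
)

$FixedVersion = [version]'10.6.4'

# Principals that may legitimately hold write access to the install tree (assumption).
$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER',
             'NT SERVICE\TrustedInstaller')

# Rights that let a caller add, replace or delete files the privileged agent may later load.
# FullControl and Modify both include these bits.
$WriteMask   = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$GenericMask = 0x10000000 -bor 0x40000000      # GENERIC_ALL | GENERIC_WRITE, shown numerically by Get-Acl

function Get-WeakAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $WriteMask) -ne 0 -or ($rights -band $GenericMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-NessusAgentVersion {
    # Assumption: the agent registers an uninstall entry whose DisplayName contains "Nessus Agent".
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Nessus Agent*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

if (-not (Test-Path -LiteralPath $InstallRoot -PathType Container)) {
    throw "Install root '$InstallRoot' not found; pass -InstallRoot with the path chosen at install time."
}

# 1. Inventory: is the installed build older than the fixed release?
$installed = Get-NessusAgentVersion
if ($installed) {
    $v = $null
    try { $v = [version]$installed } catch { }
    if ($v -and $v -lt $FixedVersion) {
        Write-Warning "Nessus Agent $installed is older than $FixedVersion; update it as well as fixing the ACL."
    } else {
        Write-Host "Nessus Agent version: $installed"
    }
}

# 2. Audit: every directory in the tree, including the root the installer created.
$dirs = @(Get-Item -LiteralPath $InstallRoot) +
        @(Get-ChildItem -LiteralPath $InstallRoot -Recurse -Directory -Force)
$findings = @(foreach ($d in $dirs) { Get-WeakAce -Path $d.FullName })

if ($findings.Count -eq 0) {
    Write-Host "No write access for untrusted principals under $InstallRoot."
    return
}
$findings | Format-Table -AutoSize
if (-not $Fix) { return }

# 3. Harden: stop inheriting from the parent (typically the drive root); keep only SYSTEM
#    and Administrators with full control and Users with read/execute, as Program Files does.
$fsr   = [System.Security.AccessControl.FileSystemRights]
$inh   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop  = [System.Security.AccessControl.PropagationFlags]::None
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$acl = Get-Acl -LiteralPath $InstallRoot
$acl.SetAccessRuleProtection($true, $false)          # explicit DACL; inherited ACEs are dropped
foreach ($ace in @($acl.Access)) { $acl.PurgeAccessRules($ace.IdentityReference) }
foreach ($grant in @(@('NT AUTHORITY\SYSTEM', $fsr::FullControl),
                     @('BUILTIN\Administrators', $fsr::FullControl),
                     @('BUILTIN\Users', $fsr::ReadAndExecute))) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($grant[0], $grant[1], $inh, $prop, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $InstallRoot -AclObject $acl

# Sub-directories that carried their own explicit weak ACEs: drop those entries and let
# the hardened root's ACL flow down again through inheritance.
foreach ($f in $findings | Where-Object { -not $_.Inherited -and $_.Path -ne $InstallRoot }) {
    $sub = Get-Acl -LiteralPath $f.Path
    $sub.SetAccessRuleProtection($false, $true)
    $sub.PurgeAccessRules($f.Identity)
    Set-Acl -LiteralPath $f.Path -AclObject $sub
}

# 4. Verify by re-running the audit.
$remaining = @(foreach ($d in $dirs) { Get-WeakAce -Path $d.FullName })
if ($remaining.Count -eq 0) { Write-Host "ACL reset; no untrusted write access remains under $InstallRoot." }
else { $remaining | Format-Table -AutoSize }
```

Run it first without -Fix (for example `.\Audit-NessusAgentAcl.ps1 -InstallRoot 'D:\Tools\NessusAgent'`) and review the findings; the typical signature of this weakness is an inherited Allow entry for Authenticated Users or BUILTIN\Users carrying Modify or Write on every directory in the tree. Read and execute rights are deliberately left in place, since the weakness is about writes, and the replacement ACL mirrors the Program Files defaults; if your deployment needs a different set of grants, adjust the list in step 3 rather than leaving inheritance from the parent directory in effect.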