Tenable recently worked with Synacktiv to perform security testing for Nessus, as part of an ongoing initiative to proactively address security issues. During the test, their team found two issues that may impact a Nessus vulnerability scanner. Both issues require user authentication to exploit:
CVE-2016-82012 - Stored XSS
CVE-2016-82013 - XML External Entity (XXE) Expansion DoS
Note that the CVSS score reflects the higher of the two issues (XXE). Further, Tenable strongly recommends that these products be installed on a subnet that is not Internet addressable.
Tenable has released version 6.6 that corresponds to the supported operating systems and architectures. To update your Nessus installation, follow these steps:
Download the appropriate installation file to the system hosting Nessus or Nessus Enterprise, available at the Tenable Support Portal (https://support.tenable.com/support-center/index.php?x=&mod_id=200)
Stop the Nessus service.
Install according to your operating system procedures.
Restart the Nessus service.
Tenable Appliance:
Tenable Appliance users can upgrade to version 4.2.0, which is not affected. Updates can be obtained from https://support.tenable.com/support-center/index.php?x=&mod_id=230.
This Cyber News was published on www.tenable.com. Publication date: Fri, 08 Dec 2023 14:18:04 +0000