-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0098
           A vulnerability has been identified in Tenable Nessus
                              19 August 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Tenable Nessus
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Cross-site Scripting -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2010-2914  
Member content until: Thursday, September 18 2014

OVERVIEW

        A vulnerability has been identified in the Tenable Nessus Web GUI prior
        to version 1.2.4. [1]


IMPACT

        The vendor has provided the following details regarding this
        vulnerability, which was first disclosed in 2010:

        "Nessus contains a flaw that allows a reflected cross-site scripting
        (XSS) attack. This flaw exists because the Web GUI 
        (nessusd_www_server.nbin) does not validate unspecified input to a 
        GET parameter before returning it to users. This may allow a 
        context-dependent attacker to create a specially crafted request 
        that would execute arbitrary script code in a user's browser session
        within the trust relationship between their browser and the 
        server." [1]
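
        The flaw class the vendor describes, a GET parameter returned to the
        user unencoded, shown beside a hardened handler. This is an added
        illustration in Python, not Nessus or Tenable code; the parameter
        name "q" and the handler shape are assumptions, since the advisory
        leaves the affected parameter unspecified.

```python
"""Reflected GET parameter: vulnerable rendering beside hardened rendering.

Added illustration; a hypothetical stand-in for a web UI handler, not the
Nessus Web GUI. Parameter name 'q' is an assumption.
"""
from html import escape
from urllib.parse import parse_qs


def render_vulnerable(query_string: str) -> str:
    """Echo 'q' into the page body with no output encoding.

    Whatever markup the request carries becomes part of the document the
    browser renders, which is the reflected XSS pattern.
    """
    params = parse_qs(query_string)
    q = params.get("q", [""])[0]
    return f"<h1>Results for {q}</h1>"


def render_hardened(query_string: str) -> tuple[dict, str]:
    """Encode 'q' for the HTML context it lands in and add defensive headers.

    escape(quote=True) also covers values placed inside quoted attributes.
    The CSP limits script execution should an encoding step be missed
    elsewhere; nosniff stops the body being reinterpreted as another type.
    """
    params = parse_qs(query_string)
    q = escape(params.get("q", [""])[0], quote=True)
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, f"<h1>Results for {q}</h1>"


def reflects_raw_markup(body: str) -> bool:
    """Simple response check: does any unencoded tag survive in the body?"""
    return "<i>" in body or "</i>" in body


# Constructed request: a harmless <i> tag stands in for injected markup.
CONSTRUCTED_QS = "q=%3Ci%3Ereflected%3C%2Fi%3E"  # decodes to q=<i>reflected</i>
```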


MITIGATION

        The vendor has stated that by default Nessus updates plugins daily, so
        users do not need to do anything to receive this update. [1]


REFERENCES

        [1] [R2] Tenable Nessus Web UI Reflected XSS
            http://www.tenable.com/security/tns-2010-01

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----