Nessus is potentially impacted by several recently disclosed and fixed vulnerabilities in OpenSSL (20160926). Because a full analysis of each issue would take considerable time, Tenable has opted to upgrade the bundled version of OpenSSL as a precaution rather than assess each issue individually. The vulnerabilities that may impact Nessus include:
- CVE-2016-6308 - OpenSSL ssl/statem/statem_dtls.c dtls1_preprocess_fragment() Function DTLS Message Handling Memory Exhaustion Remote DoS
- CVE-2016-6305 - OpenSSL ssl/record/rec_layer_s3.c SSL_peek() Function Empty Record Handling Remote DoS
- CVE-2016-6304 - OpenSSL ssl/t1_lib.c ssl_parse_clienthello_tlsext() Function OCSP Status Request Extension Handling Memory Exhaustion Remote DoS
- CVE-2016-6306 - OpenSSL Certificate Message Handling Limited Out-of-bounds Read DoS Weakness
- CVE-2016-6307 - OpenSSL ssl/statem/statem_lib.c tls_get_message_header() Function Memory Exhaustion Remote DoS
- CVE-2016-6303 - OpenSSL crypto/mdc2/mdc2dgst.c MDC2_Update() Function Buffer Overflow Weakness
- CVE-2016-6329 - Triple Data Encryption Algorithm (3DES) 64-bit Block Size Birthday Attack HTTPS Cookie MitM Disclosure (SWEET32)
- CVE-2016-6302 - OpenSSL ssl/t1_lib.c tls_decrypt_ticket() Function Ticket HMAC Digest Handling Remote DoS
- CVE-2016-2179 - OpenSSL DTLS Buffered Message Saturation Queue Exhaustion Remote DoS
- CVE-2016-2181 - OpenSSL DTLS Implementation Record Epoch Sequence Number Handling Remote DoS
- CVE-2016-2182 - OpenSSL crypto/bn/bn_print.c BN_bn2dec() Function BIGNUM Handling Buffer Overflow DoS
- CVE-2016-2180 - OpenSSL crypto/ts/ts_lib.c TS_OBJ_print_bio() Function Out-of-bounds Read Issue
- CVE-2016-2178 - OpenSSL crypto/dsa/dsa_ossl.c DSA Signing Algorithm Constant Time Failure Side-channel Attack Information Disclosure
- CVE-2016-2177 - OpenSSL Integer Overflow Unspecified Weakness
- CVE-2016-6309 - OpenSSL ssl/statem/statem.c read_state_machine() Function Message Handling Use-after-free Remote Code Execution
- CVE-2016-7052 - OpenSSL CRL Handling Unspecified NULL Pointer Dereference DoS
Additionally, Nessus and Tenable's managed Nessus Cloud offering were found to be impacted by an authenticated stored cross-site scripting (XSS) issue reported to us by Noriaki Iwasaki (CVE-2016-9260). Tenable thanks him for privately reporting the issue and for giving us time to resolve it. Tenable would also like to thank JPCERT/CC for coordinating their advisory on this issue.
Notes and caveats:
- Nessus Agents are not affected by these issues, as they do not act as an SSL server.
- The CVSSv2 score reflects CVE-2016-6302 and other remote DoS issues.
- Please note that Tenable strongly recommends that Nessus be installed on a subnet that is not Internet-addressable.