[Full-Disclosure] Nessus stores credentials in plain text
- To: <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: [Full-Disclosure] Nessus stores credentials in plain text
- From: ~Kevin Davis³ <computerguy@xxxxxxxxxx>
- Date: Sat, 27 Mar 2004 00:01:42 -0500
I have posted this issue to a couple of entities like bugtraq and CERT with no
response. I mentioned this issue to an organization today which was
considering using Nessus as a vulnerability scanner to assess their network
security issues, and this was in violation of their security policy, so they
are reconsidering using it. Please read below...
Software Vendor: Nessus (www.nessus.org)
Software Package: Nessus
Versions Affected: 2.0.10a (possibly others)
Synopsis: Username and password for various accounts stored in unencrypted
plain text
Issue Date: Feb 22, 2004
Vendor Response: Vendor notified December 4, 2003
Vendor declined to resolve issue
================================================================================
1. Summary
The open source Nessus Vulnerability scanner stores the credentials of
various types of accounts in unencrypted plain text in a configuration file.
2. Problem Description
The .nessusrc file stores username and password information for various types
of accounts in unencrypted plain text. Those parameters are typically set from
the native Nessus client but can also be added manually. When setting these
parameters from the Nessus client, the user is also not informed that this
sensitive information is being stored insecurely. This potentially affects the
following types of accounts:
FTP
IMAP
POP2
POP3
NNTP
SNMP
SMB (Windows NT Domain)
3. Solution
None at this time. A lengthy discussion with the vendor resulted in the
vendor's decision that this was not a security risk that warrants resolution.
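The practical question for anyone running the scanner after reading this advisory is whether their own client configuration holds clear-text credentials and who can read the file. The script below is an added example, not code from the original post or from the Nessus project: it audits a flat "key = value" configuration file for credential-bearing parameters, reports whether the file mode exposes it to other local users, and produces a redacted copy. The parameter names in the embedded sample (smb_password, ftp_login, snmp_community and so on) and the regex that matches them are constructed for illustration and are not taken from Nessus; adjust the pattern to the real key names on your system.

```python
"""Audit a Nessus-style "key = value" rc file for clear-text credentials.

Added example, not part of the original advisory. The key names used in
SAMPLE_RC are constructed for illustration; real .nessusrc keys may differ.
"""
import os
import re
import stat
import tempfile

# Keys whose values are secrets if stored in clear text (pattern is an assumption).
CREDENTIAL_KEY_RE = re.compile(r"(password|passwd|login|community)", re.IGNORECASE)

# Constructed sample; it only imitates the flat key = value layout.
SAMPLE_RC = """\
# constructed sample, not a real .nessusrc
trusted_ca = /usr/local/com/nessus/CA/cacert.pem
paranoia_level = 2
smb_login = scanner
smb_password = s3cret!
ftp_login = anonymous
ftp_password = guest@
snmp_community = public
"""


def parse_kv(text):
    """Yield (key, value) for every non-comment 'key = value' line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        yield key, value


def find_plaintext_credentials(text):
    """Return (key, value) pairs whose key looks like a credential parameter."""
    return [(k, v) for k, v in parse_kv(text) if v and CREDENTIAL_KEY_RE.search(k)]


def redact_credentials(text, marker="<redacted>"):
    """Return the config text with credential values replaced by a marker."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value and CREDENTIAL_KEY_RE.search(key):
                out.append(f"{key} = {marker}")
                continue
        out.append(raw)
    return "\n".join(out) + "\n"


def exposed_to_others(path):
    """True if group or world read bits are set on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_rc_file(path):
    """Summarise clear-text credential exposure for one rc file."""
    with open(path, encoding="utf-8") as fh:
        creds = find_plaintext_credentials(fh.read())
    return {
        "credential_keys": [k for k, _ in creds],
        "exposed_to_others": exposed_to_others(path),
    }


def demo():
    """Write the constructed sample to a temp file, audit it as 0644, then as 0600."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "nessusrc.sample")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_RC)
        os.chmod(path, 0o644)      # typical default: readable by every local user
        before = audit_rc_file(path)
        os.chmod(path, 0o600)      # owner-only read/write
        after = audit_rc_file(path)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("credential keys found:", before["credential_keys"])
    print("exposed at 0644:", before["exposed_to_others"], "| at 0600:", after["exposed_to_others"])
    print(redact_credentials(SAMPLE_RC))
```

Tightening the file mode only limits exposure to other local users; it does not change the fact that anyone with the owner's access, or a copy of the file in a backup, can read every account password the scanner was given, which is the point the advisory makes.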