A significant security flaw has been identified in Tenable’s Nessus Agent for Windows, which could potentially enable attackers to run harmful code with system-level privileges. This vulnerability poses serious risks to enterprise security teams that depend on this widely-used vulnerability assessment tool.
Understanding the Vulnerability
The discovered flaw allows attackers to exploit Windows junctions, which are symbolic links within the file system. By doing so, malicious actors can delete specific files with elevated SYSTEM-level privileges, escalating the threat to full code execution. Such control could grant attackers unrestricted access over the compromised system.
These attacks exploit a privilege escalation method known as a ‘symlink attack’ or junction misuse. In Windows, NTFS junctions can redirect file operations from one directory to another. When a privileged process like the Nessus Agent service interacts with these junctions without adequate validation, it can be manipulated to target unintended files.
Mechanics of the Exploit
An attacker with local access can strategically place a malicious junction in an area where the Nessus Agent operates. By rerouting the agent’s deletion actions towards critical system files, the attacker can destabilize the operating environment, paving the way for executing malicious payloads under SYSTEM context.
This level of access is particularly dangerous, as SYSTEM privileges surpass even those of standard administrator accounts, enabling attackers to alter files, deploy rootkits, disable security measures, and maintain persistence across system reboots.
Mitigation and Response
This vulnerability affects Windows-based Nessus Agent installations. Organizations that utilize these agents for continuous scanning are at significant risk, especially if they are deployed on key servers and workstations.
Tenable has resolved this issue in Nessus Agent version 11.1.3, available via the Tenable Downloads Portal. The company urges all users to promptly update their systems to mitigate exposure risks. Tenable emphasizes its commitment to swift resolution and responsible vulnerability disclosure, maintaining active collaboration with cybersecurity researchers.
Security administrators are advised to prioritize the deployment of this update, particularly in environments where Nessus Agents are installed on high-value or internet-exposed Windows systems.
Stay updated with our daily cybersecurity news by following us on Google News, LinkedIn, and X. Reach out to us if you wish to feature your cybersecurity stories.
