CVE-2022-32973

8.8 HIGH

📋 TL;DR

CVE-2022-32973 allows authenticated attackers to bypass PowerShell cmdlet security checks by creating specially crafted audit files, enabling execution of arbitrary commands with administrator privileges. This affects systems running vulnerable versions of Tenable products where authenticated users can create audit files. The vulnerability requires authentication but grants significant privilege escalation.

💻 Affected Systems

Products:
  • Tenable Security Center
  • Tenable.sc
Versions: Prior to 5.23.0
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Tenable Security Center (Tenable.sc) installations where authenticated users have permissions to create audit files. The vulnerability exists in the audit file processing mechanism.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise where an authenticated attacker gains administrator privileges, executes arbitrary commands, installs malware, exfiltrates sensitive data, and maintains persistent access.

🟠 Likely Case

Privilege escalation leading to lateral movement within the network, data theft, and installation of backdoors by authenticated malicious insiders or compromised accounts.

🟢 If Mitigated

Limited impact due to strong access controls, least privilege principles, and network segmentation preventing lateral movement even if exploitation occurs.

🌐 Internet-Facing: MEDIUM - While authentication is required, internet-facing Tenable instances could be targeted if credentials are compromised or weak authentication exists.
🏢 Internal Only: HIGH - Internal authenticated users (including compromised accounts) can exploit this to gain administrator privileges and move laterally within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and knowledge of how to create specially crafted audit files. No public exploit code had been observed at the time of writing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Tenable Security Center 5.23.0

Vendor Advisory: https://www.tenable.com/security/tns-2022-11

Restart Required: Yes

Instructions:

1. Download Tenable Security Center 5.23.0 or later from the Tenable support portal.
2. Back up the current configuration and data.
3. Apply the update following Tenable's upgrade documentation.
4. Restart the Tenable Security Center service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Restrict Audit File Creation

all

Limit permissions for creating audit files to only necessary administrative users

Implement Least Privilege

all

Ensure users only have minimum necessary permissions and cannot create or modify audit files unless required

🧯 If You Can't Patch

  • Implement strict access controls and monitor audit file creation activities
  • Segment Tenable systems from critical infrastructure and implement network monitoring for suspicious PowerShell activity

🔍 How to Verify

Check if Vulnerable:

Check Tenable Security Center version via web interface (Admin → System Summary) or command line. Versions below 5.23.0 are vulnerable.

Check Version:

On the Tenable Security Center server, run cat /opt/sc/admin/.version or check the version via the web interface at https://[server]/admin

Verify Fix Applied:

Verify version is 5.23.0 or higher and test audit file creation with non-admin accounts to ensure proper restrictions.

📡 Detection & Monitoring

Log Indicators:

  • Unusual audit file creation events
  • PowerShell execution from audit processes
  • Privilege escalation attempts in system logs

Network Indicators:

  • Unexpected PowerShell network connections from Tenable systems
  • Lateral movement from Tenable servers

SIEM Query:

source="tenable*" AND (event_type="audit_file_creation" OR process="powershell") AND user!=admin_user
