CVE-2022-4313

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated users with Scan Policy Configuration roles in Tenable products to manipulate audit policy variables and execute arbitrary commands on credentialed scan targets. This affects Tenable products where users have specific configuration privileges. Attackers could gain unauthorized command execution on systems being scanned.

💻 Affected Systems

Products:
  • Tenable Security Center
  • Tenable.sc
  • Tenable.io
Versions: Specific versions as detailed in TNS-2023-14 advisory
Operating Systems: All platforms running affected Tenable products
Default Config Vulnerable: ✅ No
Notes: Requires authenticated user with Scan Policy Configuration roles; not vulnerable in default configurations without these specific privileges.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full compromise of credentialed scan targets, allowing attackers to execute arbitrary commands with the privileges of the scanning service account, potentially leading to lateral movement and data exfiltration.

🟠

Likely Case

Privilege escalation within the scanning environment, allowing authenticated users to execute unauthorized commands on target systems during credentialed scans.

🟢

If Mitigated

Limited impact with proper role-based access controls and network segmentation, restricting which users can configure scan policies and which systems can be targeted.

🌐 Internet-Facing: MEDIUM - While exploitation requires authentication, internet-facing Tenable instances could be targeted if credentials are compromised.
🏢 Internal Only: HIGH - Internal users with appropriate roles could exploit this to compromise internal systems during credentialed scans.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access with specific privileges and knowledge of scan policy manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: As specified in Tenable Security Advisory TNS-2023-14

Vendor Advisory: https://www.tenable.com/security/tns-2023-14

Restart Required: Yes

Instructions:

1. Review Tenable Security Advisory TNS-2023-14.
2. Apply the recommended updates to affected Tenable products.
3. Restart services as required.
4. Verify the update was successful.

🔧 Temporary Workarounds

Restrict Scan Policy Configuration Roles

all

Limit users with Scan Policy Configuration roles to only trusted administrators

Network Segmentation

all

Isolate Tenable scanning systems from critical infrastructure

🧯 If You Can't Patch

  • Implement strict role-based access control for scan policy configuration
  • Monitor and audit scan policy changes and command execution during scans

🔍 How to Verify

Check if Vulnerable:

Check Tenable product version against affected versions in TNS-2023-14 advisory

Check Version:

Check version through Tenable product administration interface or documentation

Verify Fix Applied:

Verify Tenable product version matches or exceeds patched version from TNS-2023-14

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized scan policy modifications
  • Unexpected command execution during credentialed scans
  • Changes to audit policy variables

Network Indicators:

  • Unusual network traffic from Tenable scanners to unexpected targets
  • Command execution patterns during scans

SIEM Query:

Search for scan policy modifications by non-administrative users OR unexpected command execution events during Tenable credentialed scans
