CVE-2023-5623
📋 TL;DR
This vulnerability in NNM (Network Node Manager) allows low-privileged users to execute arbitrary code with SYSTEM privileges when NNM is installed in a non-standard directory. It affects systems where NNM is installed outside default locations, enabling privilege escalation attacks.
💻 Affected Systems
- Tenable NNM (Network Node Manager)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via privilege escalation to SYSTEM, allowing attackers to install malware, steal credentials, or maintain persistent access.
Likely Case
Local privilege escalation by authenticated low-privileged users gaining full system control.
If Mitigated
No impact if proper directory permissions are enforced or NNM is installed in default locations.
🎯 Exploit Status
Requires local authenticated access with low privileges. Exploitation involves manipulating directory permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Tenable advisory TNS-2023-34 for specific patched versions
Vendor Advisory: https://www.tenable.com/security/tns-2023-34
Restart Required: Yes
Instructions:
1. Review Tenable advisory TNS-2023-34. 2. Download and apply the latest NNM patch from Tenable. 3. Restart the NNM service and affected systems.
🔧 Temporary Workarounds
Restrict NNM Installation Directory Permissions
windowsManually set proper ACLs on NNM installation directory to prevent low-privileged users from modifying files.
icacls "C:\Path\To\NNM" /inheritance:r /grant "SYSTEM:(OI)(CI)F" /grant "Administrators:(OI)(CI)F" /grant "Users:(OI)(CI)RX"
Move NNM to Default Installation Path
windowsReinstall NNM to its default directory where proper ACLs are automatically enforced.
Uninstall NNM from non-standard location
Reinstall to default C:\Program Files\Tenable\NNM directory
🧯 If You Can't Patch
- Apply strict ACLs to NNM installation directory, removing write permissions for low-privileged users
- Monitor for unauthorized file modifications in NNM directories and audit privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check if NNM is installed in non-standard directory and verify directory permissions allow low-privileged users write access.Check Version:
Check NNM version through Tenable interface or review installed programs in Windows Control PanelVerify Fix Applied:
Confirm NNM is updated to patched version and installation directory has proper ACLs restricting low-privileged user write permissions.📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing privilege escalation attempts
- File modification events in NNM directories by non-admin users
Network Indicators:
- Unusual outbound connections from NNM service account
SIEM Query:
EventID=4688 AND ProcessName LIKE '%nrm%' AND NewProcessName='cmd.exe' OR ParentProcessName LIKE '%nrm%'