Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 45960 - Nessus: Username and password for various accounts stored in unencrypted plain text
Summary: Nessus: Username and password for various accounts stored in unencrypted plai...
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-03-28 02:34 UTC by Tobias Weisserth
Modified: 2011-10-30 22:39 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Weisserth 2004-03-28 02:34:16 UTC 
~Kevin Davis
Comment 1 Tobias Weisserth 2004-03-28 02:34:16 UTC 
~Kevin Davis³ on bugtraq and full-disclosure:

I have posted this issue to a couple entities like bugtraq and CERT with no response.  I mentioned this issue to an organization today which was considering using Nessus as a vulnerability scanner to assess their network security issues and this was in violation with their security policy so they are reconsidering using it.  Please read below...

Software Vendor: Nessus (www.nessus.org)
Software Package: Nessus
Versions Affected: 2.0.10a (possibly others)
Synopsis: Username and password for various accounts stored in unencrypted plain text Issue Date: Feb 22, 2004
Vendor Response: Vendor notified December 4, 2003   Vendor declined to resolve issue  

================================================================================

 1. Summary

The open source Nessus Vulnerability scanner stores the credentials ofvarious types of accounts in unencrypted plain text in a configuration file.

2. Problem Description

The .nessusrc files stores username and password information for various types of accounts in unencrypted plain text.  Those parameters are typically set from the native nessus client but also can be added manually.  When setting these parmetersfrom the Nessus client, the user is also not informed of this sensitive informationbeing stored insecurely.  This potentially affects the following types of accounts:
FTP
IMAP
POP2
POP3
NNTP
SNMP
SMB (Windows NT Domain)

3. Solution

None at this time.  A lengthy discussion with the vendor resulted in the vendor's decision that this was not a security risk that warrants resolution on. 

Reproducible: Always
Steps to Reproduce:




Posted on bugtraq: 27/03/2004
Comment 2 Kurt Lieber (RETIRED) gentoo-dev 2004-03-28 03:30:33 UTC 
I tend to agree with the Nessus author that this is not an issue.  I believe other programs (ncftp) store username/password information in clear-text and they certainly pass it over the wire in clear text.  If the vendor isn't going to patch the product, I don't see us as having the responsibility of fixing it.

Will leave this bug open for ~24H for comments and then will close as wontfix.
Comment 3 Andrea Barisani (RETIRED) gentoo-dev 2004-03-28 04:23:37 UTC 
I agree that this is definetly not an issue. Nessus is a vulnerability scanner and it has no intent of securely store data used for its tests. It is a user responsibility to keep nessus files and logs safe. Besides as kurt pointed out  most of them are plaintext protocols. And of course we have no responsibility  about this.
Comment 4 Kurt Lieber (RETIRED) gentoo-dev 2004-03-29 02:06:24 UTC 
closing as invalid.