tenable | Arnie Cabral | TENABLE:55B5644BC555866C23D4F78295B21E83
History: Oct 25, 2023 - 7:33 p.m.

[R1] Nessus Network Monitor 6.3.0 Fixes Multiple Vulnerabilities

2023-10-25 19:33:38
Arnie Cabral
www.tenable.com
Tags: nessus network monitor, vulnerabilities, third-party components, privilege escalation, input validation

AI Score: 8.3 High (Confidence: High)
EPSS: 0.001 Low (Percentile: 30.1%)

Arnie Cabral, Wed, 10/25/2023 - 15:33

Nessus Network Monitor leverages third-party software to help provide underlying functionality. Several of the third-party components (OpenSSL, curl, chosen, datatables) were found to contain vulnerabilities, and updated versions have been made available by the providers.

Out of caution and in line with best practice, Tenable has opted to upgrade these components to address the potential impact of the issues. Nessus Network Monitor 6.3.0 updates OpenSSL to version 3.0.11, curl to version 8.4.0, chosen to version 1.8.7 and datatables to version 1.13.6.

Additionally, several other vulnerabilities were discovered, reported and fixed:

  • Under certain conditions, Nessus Network Monitor could allow a low-privileged user to escalate privileges to NT AUTHORITY\SYSTEM on Windows hosts. - CVE-2023-5622
  • NNM failed to properly set ACLs on its installation directory, which could allow a low-privileged user to run arbitrary code with SYSTEM privileges where NNM is installed to a non-standard location. - CVE-2023-5623
  • Under certain conditions, Nessus Network Monitor was found to not properly enforce input validation. This could allow an admin user to alter parameters that could potentially allow a blind SQL injection. - CVE-2023-5624
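
An administrator's check for the condition described in CVE-2023-5623, added here as an example and not Tenable's code: it lists Allow ACEs that give broad, low-privileged groups write-type access anywhere under an installation directory. `$InstallDir` is a placeholder you supply (the advisory does not state NNM's paths), and the SID list and rights mask are assumptions about what counts as low-privileged write access.

```powershell
# Added example, not Tenable's code. Run on the Windows host where NNM is installed.
param(
    [Parameter(Mandatory)]
    [string]$InstallDir   # placeholder: the non-standard directory NNM was installed to
)

# Well-known SIDs of broad, low-privileged groups (locale independent). Assumed list.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that allow planting or replacing files, or rewriting the ACL itself,
# plus the raw GENERIC_ALL / GENERIC_WRITE bits that appear in inherit-only ACEs.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000

# The directory itself plus everything beneath it.
$items = @(Get-Item -LiteralPath $InstallDir -Force) +
         @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    # Ask for SIDs directly so unresolvable account names cannot throw.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadSids.ContainsKey($sid) -and
            ([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # True usually means the parent folder's ACL is the cause
            }
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
if ($findings) { exit 1 }   # non-zero exit so the check can gate a compliance job
```

The script reports individual ACEs and does not compute effective access, so Deny entries and nested group membership still need a manual look.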
