Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN172

_____________________________________________________________________

DATE                : 25/03/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Nessus Agent versions prior to
                                      10.8.3.

=====================================================================
https://www.tenable.com/security/tns-2025-02
_____________________________________________________________________


Synopsis

When installing Nessus Agent to a non-default location on a Windows
host, Nessus Agent versions prior to 10.8.3 did not enforce secure
permissions for sub-directories.  This could allow for local
privilege escalation if users had not secured the directories in
the non-default installation location.


Solution

Tenable has released Nessus Agent 10.8.3 to address these issues.
The installation files can be obtained from the Tenable Downloads
Portal (https://www.tenable.com/downloads/nessus-agents).

This page contains information regarding security vulnerabilities
that may impact Tenable's products. This may include issues specific
to our software, or due to the use of third-party libraries within
our software. Tenable strongly encourages users to ensure that they
upgrade or apply relevant patches in a timely manner.

Tenable takes product security very seriously. If you believe you
have found a vulnerability in one of our products, we ask that you
please work with us to quickly resolve it in order to protect
customers. Tenable believes in responding quickly to such reports,
maintaining communication with researchers, and providing a solution
in short order.

For more details on submitting vulnerability information, please
see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please
email [email protected]



Risk Information
CVE ID: CVE-2025-24915
Tenable Advisory ID: TNS-2025-02
Risk Factor: High
Credit:
Will Dormann
CVSSv3 Base / Temporal Score:
7.8 / 7.0
CVSSv3 Vector:
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
CWE:
CWE-276: Incorrect Default Permissions

Affected Products
Nessus Agent 10.8.2 and earlier

Disclosure Timeline
2024-11-15 - Report received by Tenable
2024-12-21 - Report confirmed as valid
2025-01-10 - CVE ID requested / CVSS v3 scoring calculated
2025-03-20 - Nessus Agent 10.8.3 released

Advisory Timeline
2025-03-20 - [R1] Initial Release


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================