---
The cybersecurity landscape is constantly evolving, but sometimes the biggest flaws come from simple oversights. One such fresh discovery is CVE-2024-12174, an "Improper Certificate Validation" vulnerability in Tenable Security Center. If you’re running Tenable’s software to secure your IT, pay attention—this bug could let an attacker intercept your email notifications by impersonating your email server.
Let’s break down what happened, how it works, and why you should care (with exploitable code).
What is CVE-2024-12174?
CVE-2024-12174 is a vulnerability in Tenable Security Center (all known versions up to the patch, see NVD entry here). The flaw? Tenable’s Security Center does not properly validate SSL/TLS certificates when sending email via SMTP servers. This means that a fake (rogue) SMTP server with any certificate—even a self-signed or expired one—can pose as a real email server.
This matters because Security Center sends out sensitive alerts and reports over email. If an attacker can position themselves in the network and impersonate your SMTP server, they could capture or manipulate these messages.
Admins using Tenable Security Center to send email alerts or reports.
- Environments where attackers can access internal networks (like shared corporate WiFi, misconfigured VLANs, or malicious insiders).
How Does the Exploit Work?
1. Attacker sets up a rogue SMTP server (on the same LAN or via ARP spoofing/route manipulation).
2. Tenable Security Center is tricked into contacting the attacker's SMTP server (by DNS spoofing or pointing the SMTP config to attacker IP).
3. Security Center fails to check the certificate properly—it connects and sends the email, exposing the message content to the attacker.
Vulnerability Details
Here’s what’s happening under the hood—in simple language.
- Normally, when connecting to an SMTP server over TLS, the client checks the certificate to make sure it’s trusted and belongs to the right server.
Tenable Security Center’s SMTP handler skips (or mis-handles) this validation.
- As a result, any host with a certificate (even a completely fake one) can masquerade as the real SMTP server.
Here’s a short Python script using smtpd and ssl libraries to set up a fake SMTP server
import ssl
from smtpd import SMTPServer
import asyncore
class FakeSMTPServer(SMTPServer):
def process_message(self, peer, mailfrom, rcpttos, data, **kwargs):
print("Mail from:", mailfrom)
print("Mail to:", rcpttos)
print("Data:\n", data)
return
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.load_cert_chain(certfile='fake.crt', keyfile='fake.key')
server = FakeSMTPServer(('...', 465), None)
server.socket = context.wrap_socket(server.socket, server_side=True)
print("Fake SMTP server running on port 465 with fake cert...")
asyncore.loop()
How to use
1. Generate a self-signed certificate (fake.crt/fake.key).
Send a test email from Security Center.
Result: The server prints the intercepted email, showing sensitive data.
Mitigation
Tenable has released a patch.
Update Security Center ASAP to the latest version as per Tenable’s advisory.
References
- CVE-2024-12174 at NVD
- Tenable’s Official Advisory (TNS-2024-08)
- Python smtpd documentation
Why This Flaw Is Serious
Improper certificate validation is a critical error—especially for security tools. If a privileged (insider) attacker or someone with a foothold in your network can abuse this, your email alerts and possibly sensitive vulnerability reports can be silently intercepted. Worse, attackers could even tamper with these messages (mislead your staff, etc).
Patch your Security Center right now.
If you want to test whether your system is vulnerable, try setting up a fake SMTP server as above—and see Security Center happily accept the connection. If it does, you need that update now!
*Stay safe, and keep your tools as secure as the networks you protect.*
Timeline
Published on: 12/09/2024 22:15:22 UTC