- 259/2024
- Critical
Tenable has released security updates to address multiple vulnerabilities in third-party components (OpenSSL and Expat) that are used by Nessus, and Nessus Agent.
The addressed vulnerabilities could allow the remote attacker to perform denial of service attacks or execute arbitrary code and gain access to the affected system.
Sample of the addressed vulnerabilities:
1. Libexpat Integer Overflow Vulnerability (CVE-2024-45492):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
2. OpenSSL Denial of Service Vulnerability (CVE-2024-6119):
- CVSS: 7.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Denial of Service
The affected products:
- Nessus Agent 10.7.2 and earlier.
- Nessus 10.7.5 and earlier.
- Nessus 10.8.0, 10.8.1, 10.8.2.
Vulnerabilities
- CVE-2024-6119
- CVE-2024-45492
- CVE-2024-45491
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.