CVE-2020-5793
Description
A vulnerability in Nessus versions 8.9.0 through 8.12.0 for Windows & Nessus Agent 8.0.0 and 8.1.0 for Windows could allow an authenticated local attacker to copy user-supplied files to a specially constructed path in a specifically named user directory. An attacker could exploit this vulnerability by creating a malicious file and copying the file to a system directory. The attacker needs valid credentials on the Windows system to exploit this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated local attacker can copy malicious files to a system directory in Nessus for Windows, leading to arbitrary code execution.
Vulnerability
Nessus versions 8.9.0 through 8.12.0 for Windows and Nessus Agent versions 8.0.0 and 8.1.0 for Windows contain a vulnerability that allows an authenticated local attacker to copy user-supplied files to a specially constructed path within a specifically named user directory. This occurs due to insufficient path validation when handling file copy operations. The affected products are Tenable Nessus and Nessus Agent on Windows platforms. [1][2]
Exploitation
An attacker must have valid credentials on the Windows system and be able to log in locally. The attacker creates a malicious file and then copies it to a system directory by exploiting the vulnerable file copy functionality. The exact steps involve constructing a specially crafted path in a specifically named user directory to bypass restrictions. No additional user interaction is required beyond the attacker's own actions. [1][2]
Impact
Successful exploitation allows the attacker to place arbitrary files into a system directory, which can lead to arbitrary code execution with the privileges of the Nessus service or the system. This could result in full compromise of the affected Windows host. The vulnerability is classified as high severity. [1][2]
Mitigation
Tenable has released fixes: Nessus 8.12.1 (for Nessus versions 8.9.0 through 8.12.0) and Nessus Agent 8.2.0 or 8.1.1 (for Nessus Agent 8.0.0 and 8.1.0). Users should upgrade to the latest versions from the Tenable Downloads Portal. For Nessus Agent, note that 8.2.0 requires the Universal Microsoft C Runtime Library (UCRT); 8.1.1 is provided for systems that cannot upgrade directly. [1][2]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Nessus/Nessus Agent
- Range: 8.0.0–8.1.0
Patches
No patches discovered yet.
References
- www.tenable.com/security/tns-2020-07 (mitre, x_refsource_MISC)
- www.tenable.com/security/tns-2020-08 (mitre, x_refsource_MISC)