Unrated severity · NVD Advisory · Published Mar 19, 2021 · Updated Aug 3, 2024

CVE-2021-20077

Description

Nessus Agent versions 7.2.0 through 8.2.2 were found to inadvertently capture the IAM role security token on the local host during initial linking of the Nessus Agent when installed on an Amazon EC2 instance. This could allow a privileged attacker to obtain the token.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nessus Agent 7.2.0–8.2.2 on EC2 inadvertently captures the IAM role security token during initial linking, allowing a privileged local attacker to obtain it.

Vulnerability

Nessus Agent versions 7.2.0 through 8.2.2, when installed on an Amazon EC2 instance, inadvertently capture the IAM role security token on the local host during the initial linking process. This token is normally used to grant temporary AWS credentials to the instance. The vulnerability exists in the agent's handling of the token during setup.

Exploitation

An attacker with local privileged access (e.g., root or administrator) to the EC2 instance can retrieve the captured IAM role security token from the local filesystem. No network access or user interaction is required beyond having local privileges. The token is captured during the initial linking of the Nessus Agent, so exploitation is possible if the attacker gains access after installation.

Impact

Successful exploitation allows the attacker to obtain the IAM role security token, which can be used to assume the IAM role associated with the EC2 instance. This could lead to unauthorized access to AWS resources and services that the role has permissions for, potentially resulting in data disclosure, modification, or further privilege escalation within the AWS environment.
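A triage sketch for the impact described above, added here as an example and not taken from Tenable or the advisory: it scopes to hosts whose agent version is in the affected range, then flags CloudTrail events where that instance's role session was used from an address that is not the instance's own. The inventory layout, role name, account ID and all records are constructed; `userIdentity.arn` and `sourceIPAddress` are standard CloudTrail record fields.

```python
import ipaddress
import re

AFFECTED_MIN, AFFECTED_MAX = (7, 2, 0), (8, 2, 2)  # advisory range; fixed in 8.2.3

def is_affected(version):
    """True if a Nessus Agent version string falls in the affected range."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unparseable agent version: {version!r}")
    return AFFECTED_MIN <= tuple(map(int, m.groups())) <= AFFECTED_MAX

def off_instance_use(events, inventory):
    """Role-session events from affected hosts whose source IP is not the host's."""
    hits = []
    for ev in events:
        # EC2 instance-role sessions use the instance ID as the session name,
        # so the last ARN segment keys into the inventory; other ARNs miss.
        arn = ev.get("userIdentity", {}).get("arn", "")
        session = arn.rsplit("/", 1)[-1]
        host = inventory.get(session)
        if host is None or not is_affected(host["agent_version"]):
            continue
        try:
            src = ipaddress.ip_address(ev.get("sourceIPAddress", ""))
        except ValueError:
            continue  # AWS service name such as "ec2.amazonaws.com", not an IP
        if src not in {ipaddress.ip_address(ip) for ip in host["ips"]}:
            hits.append((ev["eventTime"], session, ev["eventName"], str(src)))
    return hits

# Constructed inventory and CloudTrail-shaped records (documentation IP ranges).
INVENTORY = {
    "i-0aaaaaaaaaaaaaaa1": {"agent_version": "8.2.2", "ips": ["10.0.1.15", "203.0.113.10"]},
    "i-0bbbbbbbbbbbbbbb2": {"agent_version": "8.2.3", "ips": ["10.0.1.16"]},
}

def _ev(time, instance, name, src):
    arn = f"arn:aws:sts::111122223333:assumed-role/app-role/{instance}"
    return {"eventTime": time, "eventName": name, "sourceIPAddress": src,
            "userIdentity": {"type": "AssumedRole", "arn": arn}}

EVENTS = [
    _ev("2021-03-20T10:00:00Z", "i-0aaaaaaaaaaaaaaa1", "ListBuckets", "10.0.1.15"),
    _ev("2021-03-20T10:05:00Z", "i-0aaaaaaaaaaaaaaa1", "GetObject", "198.51.100.77"),
    _ev("2021-03-20T10:06:00Z", "i-0aaaaaaaaaaaaaaa1", "DescribeInstances", "ec2.amazonaws.com"),
    _ev("2021-03-20T10:07:00Z", "i-0bbbbbbbbbbbbbbb2", "GetObject", "198.51.100.77"),
]

print(off_instance_use(EVENTS, INVENTORY))
```

The `ips` list for each host has to include every address its API calls can legitimately appear from, such as a NAT gateway or Elastic IP, or on-instance traffic will be flagged.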

Mitigation

Tenable released Nessus Agent version 8.2.3 to fix this issue [1]. Users should upgrade to 8.2.3 or later. The fix prevents the inadvertent capture of the IAM token. No workarounds are mentioned in the advisory. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
