CVE-2023-3251: SMTP Pass Back on Tenable Nessus

Cybertrinchera
Sep 14, 2023

TLDR

I discovered an SMTP passback vulnerability on Tenable Nessus Server.

What is Nessus

Nessus is a widely used network vulnerability scanner and security assessment tool. It is designed to help organizations identify security weaknesses and vulnerabilities in their computer systems, network devices, and applications.

Overview

As a pentester, Nessus is a tool I use fluently; some of my most basic job responsibilities consist of using it. A few months ago, while trying to familiarize myself with some of its lesser-known features, I found that it was possible to configure an email account so that report results are sent automatically, and that is when I started scheming about it.

In past audits I have found pass-back flaws over other protocols such as LDAP, so I decided to check whether my tool was vulnerable to this kind of attack over SMTP.

After testing it, I determined that it was vulnerable and decided to report it to Tenable’s VDP program. I must say that the triagers were very helpful during the whole process.

Proof of concept

1. Firstly, log in to the target Nessus server.

2. Navigate to https://nessus.instance.tld/#/settings/smtp-server

3. Now, if the server has been previously configured to send reports by e-mail, you will see this menu with the corresponding information and the masked password.

4. It is time to launch a rogue SMTP server; I will use MITMsmtp on my server for the PoC.

MITMsmtp --server_name $servername

5. Now modify the form by changing the host to your rogue SMTP server. Importantly, instead of hitting Save, use the “Send test email” functionality; otherwise, you might delete the stored information unintentionally.

6. Enter a test address in the pop-up and press send.

7. Now, as soon as the instance tries to send the email, it authenticates to our rogue SMTP server, which receives the configured credentials and lets us read them.

MITMsmtp output

How to fix

To mitigate the security risk posed by CVE-2023-3251, update Nessus Server to version 10.6.0.
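Two defender-side checks that follow from the write-up, as an added example that is not part of the original post or of Tenable's code: one decides whether a reported Nessus version is older than the fixed release 10.6.0, and the other scans connection records for SMTP traffic leaving the scanner host toward anything other than the approved mail relay, which is what a pass-back attempt looks like on the wire. The JSON body and the flow records are constructed samples; the field name `nessus_ui_version` is assumed to match what the Nessus REST API returns from `/server/properties` and should be adjusted if your instance reports it differently.

```python
"""Added example (not from the original post or from Tenable).

1. is_affected(version): is this Nessus version older than the fixed 10.6.0?
2. unexpected_smtp_flows(...): which SMTP connections from the scanner host
   go somewhere other than the approved relay?

Sample data below is constructed, not captured from a real system."""
import json
import re

FIXED_VERSION = (10, 6, 0)       # fixed release named in the post
SMTP_PORTS = {25, 465, 587}      # plain, implicit-TLS and submission ports


def parse_version(version):
    """Turn a string such as '10.5.4' into a comparable tuple of ints."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the version predates the fix for CVE-2023-3251."""
    return parse_version(version) < FIXED_VERSION


def version_from_properties(json_text):
    """Extract the UI version from a /server/properties style JSON body.
    The field name is an assumption; adapt it to what your instance returns."""
    data = json.loads(json_text)
    return data["nessus_ui_version"]


def unexpected_smtp_flows(flows, scanner_ip, allowed_relays):
    """flows: iterable of (src_ip, dst_ip, dst_port) tuples, e.g. from NetFlow
    or firewall logs. Returns the SMTP connections from the scanner host that
    do not terminate at an approved relay."""
    allowed = set(allowed_relays)
    return [
        f for f in flows
        if f[0] == scanner_ip and f[2] in SMTP_PORTS and f[1] not in allowed
    ]


# Constructed sample data (hypothetical addresses, not real captures).
SAMPLE_PROPERTIES = (
    '{"nessus_type": "Nessus", "nessus_ui_version": "10.5.4", '
    '"server_version": "10.5.4"}'
)
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.25", 587),   # scanner -> approved relay: expected
    ("10.0.0.5", "203.0.113.9", 25),  # scanner -> unknown host on SMTP: alert
    ("10.0.0.7", "203.0.113.9", 25),  # not the scanner host: ignored here
    ("10.0.0.5", "10.0.0.25", 443),   # not an SMTP port: ignored
]

if __name__ == "__main__":
    v = version_from_properties(SAMPLE_PROPERTIES)
    print(f"Nessus {v} affected by CVE-2023-3251: {is_affected(v)}")
    for src, dst, port in unexpected_smtp_flows(SAMPLE_FLOWS, "10.0.0.5", ["10.0.0.25"]):
        print(f"ALERT: scanner {src} opened SMTP to unapproved host {dst}:{port}")
```

The flow check is the network-side complement to patching: if the scanner host can only reach the approved relay on SMTP ports, a changed host in the settings form cannot deliver the credentials anywhere else, and any attempt to do so shows up as a denied or logged connection.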


Cybertrinchera

Also known as srbleu on many platforms. I'm here to share some knowledge.