In this guide, I explain and demonstrate the vulnerability management process using Nessus, a well-known vulnerability scanner produced by Tenable.
Tenable offers a free version of the scanner called Nessus Essentials, which is licensed for scanning up to 16 IP addresses. I used Nessus Essentials with the virtual machines I deployed in my Microsoft Azure virtual network.
Software/OS Versions:
Nessus-10.1.1
Linux Ubuntu Server 18.04 LTS Gen 2
Windows 10 Pro
Step 1 – Download Tenable Nessus Essentials
Visit the following link to register for an activation code and acquire access to the Nessus downloads page.
https://www.tenable.com/products/nessus/nessus-essentials
Once you have registered on the Tenable website, it redirects you automatically to the download page.
https://www.tenable.com/downloads/nessus
Download the version applicable to the operating system of choice.
Step 2 – Create a Virtual Machine for Nessus
I created my virtual machines in Microsoft Azure. My host machine for Nessus was Ubuntu Server 18.04. Refer to the technical specifications in the Nessus documentation to provision the virtual machine with enough CPU, RAM, and storage; an under-provisioned scanner mostly shows up as very slow plugin compilation and scans.
https://portal.azure.com/
https://docs.tenable.com/Nessus.htm
https://docs.tenable.com/generalrequirements/Content/NessusScannerHardwareRequirements.htm
Once the virtual machine was created, I needed to open TCP port 8834, the port the Nessus web UI listens on. In Azure, I added an inbound network security group (NSG) rule allowing port 8834 from my home IP address only, so the scanner's management interface is not exposed to the whole internet.
Step 3 – Install Nessus Essentials
I used SSH to log in to the virtual machine I provisioned and SCP to copy the Nessus package to it.
First I used SSH to test my connection to the server and to note my current working directory once logged in.
ssh -i C:\Users\Alex\SSH\key.pem kansasdynamics@<IP ADDRESS>
I was then able to use Secure Copy to transfer my Nessus download from my local machine to my new virtual server.
scp -i C:\Users\Alex\SSH\key.pem C:\Users\Alex\Downloads\Nessus-10.1.1-ubuntu1110_amd64.deb kansasdynamics@<IP ADDRESS>:/home/kansasdynamics
Now I logged back into the server with the same SSH command used previously. Since I was using an Ubuntu server, I used the following commands to install and start Nessus and to confirm it was working.
sudo dpkg -i Nessus-10.1.1-ubuntu1110_amd64.deb
sudo /bin/systemctl start nessusd.service
sudo /bin/systemctl status nessusd.service
Once the service was running, I accessed Nessus from my local web browser on port 8834. The browser warns about the certificate on the first visit because a fresh Nessus install uses a self-signed certificate; that is expected here.
https://<SERVER_IP_ADDRESS>:8834
I entered the activation code from the registration email into the input box (a placeholder value is shown below).
ABCD-1234-EFGH-5678-IJKL
The setup wizard then asked me to create an administrator user account. I entered my chosen credentials and continued. Once complete, Nessus downloaded and compiled the plugins and assets needed for the initial setup; this step can take a while, and the UI is not fully usable until it finishes.
After the initial installation finished, I was able to access Nessus Essentials and all the scan templates available in the free version of the software.
Step 4 – Create a Vulnerable Virtual Machine
In order to fully utilize Nessus, I needed another virtual machine with vulnerabilities. The easiest way to get one is to install an older version of an operating system and then install old versions of open-source software on it. Because this host is vulnerable by design, it must not be reachable from the internet: give it no public IP address, or restrict its NSG so that only the scanner's private address can reach it.
I won't repeat the steps for making a virtual machine in Azure, but as long as the two machines are on the same virtual network, the scanner can reach the target over its private address.
I chose to make a Windows 10 virtual machine where I installed Apache Tomcat 8.5.0. I chose this version of Tomcat specifically because it was affected by the Ghostcat vulnerability recorded in CVE-2020-1938: Tomcat releases before 8.5.51 enable the AJP connector on port 8009 by default, and Ghostcat is a request injection through that connector. This was one I personally had to deal with, so it was memorable.
https://nvd.nist.gov/vuln/detail/CVE-2020-1938
Step 5 – Scanning the Vulnerable System
I used the preset Basic Host Discovery scan and then an Advanced Scan to look for the Apache Tomcat specific vulnerabilities.
In the advanced scan, I disabled many of the plugin families that were not pertinent to the target so that the scan would finish faster and use less of my network's bandwidth. Many of the plugins I disabled were related to Linux distributions, which were not relevant since my vulnerable machine was a Windows 10 host. Pruning by target OS is safe for a single known host; for a mixed or unknown inventory, leave the families enabled, because a disabled plugin can never report.
As you can see in the following screenshots, Nessus successfully reached my Windows 10 host and found the Tomcat vulnerabilities associated with CVE-2020-1938 (among others).
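To confirm the finding independently of the scanner, and later to verify that the upgrade really closed the connector, it is enough to check whether the AJP connector answers on the network: Ghostcat requires a reachable AJP connector, not a particular HTTP response. The probe below is an added example (not code from the original post, and not Tenable or Apache code). It sends the AJP13 CPing message and looks for the CPong reply as defined by the AJP13 protocol; the target address and port are assumptions for this lab.

```python
"""Probe for an exposed AJP13 connector, the precondition for Ghostcat.

Added example, not from the original post.  AJP13 CPing is the 5-byte packet
0x12 0x34 0x00 0x01 0x0A (magic, length 1, CPING); a live connector replies
with CPong 0x41 0x42 0x00 0x01 0x09 ("AB", length 1, CPONG).
"""
import socket
import sys

AJP_CPING = bytes([0x12, 0x34, 0x00, 0x01, 0x0A])
AJP_CPONG = bytes([0x41, 0x42, 0x00, 0x01, 0x09])


def build_cping() -> bytes:
    """Client -> server CPing packet."""
    return AJP_CPING


def is_cpong(data: bytes) -> bool:
    """True when the first five bytes are a server -> client CPong."""
    return data[:5] == AJP_CPONG


def probe_ajp(host: str, port: int = 8009, timeout: float = 3.0) -> str:
    """Return "exposed" (AJP answered), "silent" (open but not AJP) or "closed"."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(build_cping())
            try:
                reply = sock.recv(5)
            except socket.timeout:
                return "silent"  # listener accepted the TCP session but did not speak AJP
    except (ConnectionRefusedError, socket.timeout, OSError):
        return "closed"  # no listener, filtered, or no route (covers the NSG case)
    return "exposed" if is_cpong(reply) else "silent"


if __name__ == "__main__":
    # Assumed lab target: the private address of the Windows 10 host.
    target = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.5"
    print(f"AJP on {target}:8009 is {probe_ajp(target)}")
```

Run it from the Nessus host, which sits on the same virtual network as the target. Against Tomcat 8.5.0 with its default server.xml it reports "exposed". Tomcat 8.5.51, 9.0.31 and later ship with the AJP connector commented out, and when it is enabled they bind it to the loopback address and require a shared secret, so after the upgrade in Step 7 the same probe should report "closed".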
Step 6 – Prioritizing Vulnerabilities
Although there is no exact formula for prioritizing vulnerabilities to remediate, there are some guidelines I follow to help with that process.
It is important to weigh the following factors when reading a report and deciding what to fix first and what to fix at all.
- System criticality – Is the system critical to the infrastructure or business (PROD vs TEST)?
- Information sensitivity – Does the system contain PII or top secret/secret/confidential information?
- Vulnerability severity – What is the CVSS score for the reported vulnerability? Nessus also flags whether a public exploit is available, which usually matters more than a fraction of a point of CVSS.
- Remediation difficulty – How difficult would it be to fix this issue? Would remediation cause too much downtime or could it cause a catastrophic loss in some functionality?
- Vulnerability exposure – Where would an attacker need to be to exploit the vulnerability? Is the vulnerability exploitable from the internet or only while on the network?
In this instance, the CVSS score for the Ghostcat vulnerability was 9.8 (Critical). The resolution was to upgrade the Apache Tomcat server to a version listed as fixed.
Step 7 – Remediating Vulnerabilities
In this example, I will upgrade Tomcat to what was then the latest release (9.0.59), which satisfies the fixed versions given by both the Nessus plugin and the NVD entry:
“Upgrade to Apache Tomcat version 7.0.100, 8.5.51, 9.0.31 or later.”
After making a backup of my configuration files and webapps directory, I uninstalled Tomcat 8.5.0 and installed Tomcat 9.0.59. I confirmed this by opening a new window to see the host manager page with the version listed at the top. Moving from 8.5 to 9.0 is a major-version change, so on a real system the backed-up applications should be tested against the new server before this is done in production.
Now that the new version of Tomcat is online, I'll rescan the Windows 10 host to see how many critical vulnerabilities the upgrade remediated. The screenshots below show that the severity counts on this host dropped significantly simply by upgrading to a newer version of Tomcat.
Within the Apache Tomcat specific scans, there are no more Critical or High vulnerabilities, which indicates we successfully remediated the most important problems with the web server.
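The prioritization factors from Step 6 and the before/after rescan from Step 7 are easier to apply to the scanner's export than to read off the screen. Nessus can export a scan as a .nessus file (XML, root element NessusClientData_v2, with a ReportItem per finding under each ReportHost). The script below is an added example, not part of the original post and not Nessus code: it parses two such exports, ranks every finding by CVSS weighted with system criticality, data sensitivity and internet exposure, and diffs the pre-upgrade scan against the post-upgrade rescan to list what was remediated, what was introduced and what remains. The two embedded exports are constructed to mirror this lab and are not real scanner output; the plugin names, host, weights and the set of internet-exposed ports are assumptions, and only the fields the parser reads are present.

```python
"""Rank .nessus findings by the Step 6 factors and diff a before/after rescan.

Added example, not from the original post or from Tenable.  Parses the .nessus
export (NessusClientData_v2 > Report > ReportHost > ReportItem).  The embedded
documents are CONSTRUCTED sample data, not real scanner output.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    protocol: str
    plugin: str
    cves: tuple
    severity: int  # ReportItem "severity": 0 info, 1 low, 2 medium, 3 high, 4 critical
    cvss: float    # cvss3_base_score, or 0.0 when the plugin carries none

    def key(self):
        # Identity used to compare scans.  Port is included so the same plugin
        # firing on a new listener counts as a new exposure, not "remaining".
        return (self.host, self.port, self.protocol, self.plugin)


def parse_nessus(xml_text: str) -> list:
    """Flatten every ReportItem in the export into a Finding."""
    out = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            score = item.findtext("cvss3_base_score")
            out.append(Finding(
                host=host.get("name"), port=int(item.get("port", "0")),
                protocol=item.get("protocol", "tcp"), plugin=item.get("pluginName", ""),
                cves=tuple(sorted(c.text for c in item.findall("cve") if c.text)),
                severity=int(item.get("severity", "0")),
                cvss=float(score) if score else 0.0))
    return out


# Operator context the scanner cannot know (assumed values for this lab).
HOST_CRITICALITY = {"10.0.0.5": 1.5}    # PROD-like host weighs more than 1.0
HOST_SENSITIVITY = {"10.0.0.5": 1.0}    # raise for hosts holding PII or classified data
INTERNET_EXPOSED = {("10.0.0.5", 8009)}  # (host, port) pairs reachable from the internet


def priority(f: Finding) -> float:
    """CVSS x criticality x sensitivity x exposure; remediation difficulty stays a human call."""
    base = f.cvss or {4: 9.0, 3: 7.0, 2: 5.0, 1: 3.0}.get(f.severity, 0.0)
    exposure = 1.5 if (f.host, f.port) in INTERNET_EXPOSED else 1.0
    return round(base * HOST_CRITICALITY.get(f.host, 1.0)
                 * HOST_SENSITIVITY.get(f.host, 1.0) * exposure, 2)


def ranked(findings: list) -> list:
    """Actionable findings (severity > 0) ordered into a remediation worklist."""
    return sorted((f for f in findings if f.severity > 0), key=priority, reverse=True)


def diff_scans(before: list, after: list) -> tuple:
    b, a = {f.key(): f for f in before}, {f.key(): f for f in after}
    return ([b[k] for k in b.keys() - a.keys()],   # remediated
            [a[k] for k in a.keys() - b.keys()],   # introduced by the change
            [a[k] for k in a.keys() & b.keys()])   # still present


GHOSTCAT = "Apache Tomcat AJP Connector Request Injection (Ghostcat)"
_COMMON_ITEMS = """
<ReportItem port="445" protocol="tcp" svc_name="cifs" severity="2" pluginName="SMB Signing not required">
  <cvss3_base_score>5.3</cvss3_base_score></ReportItem>
<ReportItem port="8080" protocol="tcp" svc_name="www" severity="0" pluginName="Apache Tomcat Detection"/>
"""
BEFORE_XML = f"""<?xml version="1.0"?><NessusClientData_v2><Report name="tomcat-before">
<ReportHost name="10.0.0.5">
<ReportItem port="8009" protocol="tcp" svc_name="ajp13" severity="4" pluginName="{GHOSTCAT}">
  <cvss3_base_score>9.8</cvss3_base_score><cve>CVE-2020-1938</cve></ReportItem>
{_COMMON_ITEMS}</ReportHost></Report></NessusClientData_v2>"""
AFTER_XML = f"""<?xml version="1.0"?><NessusClientData_v2><Report name="tomcat-after">
<ReportHost name="10.0.0.5">{_COMMON_ITEMS}</ReportHost></Report></NessusClientData_v2>"""


def compare(before_xml: str, after_xml: str) -> dict:
    """Worklist from the first scan plus what the rescan shows as fixed/new/left."""
    before, after = parse_nessus(before_xml), parse_nessus(after_xml)
    remediated, introduced, remaining = diff_scans(before, after)
    return {
        "worklist_before": [(priority(f), f.plugin) for f in ranked(before)],
        "remediated": sorted(f.plugin for f in remediated),
        "introduced": sorted(f.plugin for f in introduced),
        "remaining_actionable": sorted(f.plugin for f in remaining if f.severity > 0),
    }


if __name__ == "__main__":
    for section, rows in compare(BEFORE_XML, AFTER_XML).items():
        print(section, rows)
```

With the sample data the Ghostcat finding tops the worklist (9.8 CVSS, on a PROD-weighted host, on the one port marked internet-exposed), the rescan lists it as remediated, and the SMB signing finding on port 445 is left as the remaining actionable item, matching what the post's screenshots show: the Tomcat upgrade removed the Critical and High findings but not the host-level ones. Replace the embedded strings with the contents of two real .nessus exports to use it on an actual scan.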
Conclusion
Vulnerability management is a crucial process for any organization. Properly managing assets and mitigating vulnerabilities can help prevent those emergency calls to the incident response team.