I have posted this issue to a couple of entities like bugtraq and
CERT with no response. I mentioned this issue to an organization today
which was considering using Nessus as a vulnerability scanner to assess their
network security issues, and this was in violation of their security policy, so
they are reconsidering using it. Please read below...
Software Vendor: Nessus (www.nessus.org)
Software Package: Nessus
Versions Affected: 2.0.10a (possibly others)
Synopsis: Username and password for various accounts stored in unencrypted plain text
Issue Date: Feb 22, 2004
Vendor Response: Vendor notified December 4, 2003
                 Vendor declined to resolve issue
================================================================================
1. Summary

The open source Nessus Vulnerability scanner stores the credentials of
various types of accounts in unencrypted plain text in a configuration file.

2. Problem Description

The .nessusrc file stores username and password information for various types
of accounts in unencrypted plain text. Those parameters are typically set from
the native Nessus client but can also be added manually. When setting these
parameters from the Nessus client, the user is also not informed that this
sensitive information is being stored insecurely. This potentially affects the
following types of accounts:

    FTP
    IMAP
    POP2
    POP3
    NNTP
    SNMP
    SMB (Windows NT Domain)

3. Solution

None at this time. A lengthy discussion with the vendor resulted in the
vendor's decision that this was not a security risk that warrants resolution.
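As an added illustration, not part of the original advisory or of Nessus itself, the audit below reads a .nessusrc-style "key = value" file, flags non-empty password or community-string entries for the account types listed above, and reports whether the file is readable by group or others. The key names and the sample file contents are constructed for the example and are not copied from a real Nessus configuration.

```python
import os
import re
import stat
import tempfile

# Account types the advisory lists as affected.
AFFECTED_SERVICES = ("FTP", "IMAP", "POP2", "POP3", "NNTP", "SNMP", "SMB")

# Keys that carry a secret rather than just a login name.
SECRET_KEY = re.compile(r"(password|passwd|community)", re.IGNORECASE)

# Constructed sample in an assumed .nessusrc layout (key names are hypothetical).
SAMPLE_RC = """\
begin(PLUGINS_PREFS)
 Login configurations[entry]:SMB account : = scanner
 Login configurations[entry]:SMB password : = hunter2
 Login configurations[entry]:FTP account : = anonymous
 Login configurations[entry]:FTP password : =
 SNMP settings[entry]:Community name : = public
end(PLUGINS_PREFS)
max_hosts = 16
"""

def parse_rc(text):
    """Parse 'key = value' lines; blank lines, comments and begin/end markers are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        entries[key.strip()] = value.strip()
    return entries

def find_plaintext_credentials(text):
    """Return (key, service) pairs whose value is a non-empty secret for an affected service."""
    hits = []
    for key, value in parse_rc(text).items():
        if not value or not SECRET_KEY.search(key):
            continue
        for svc in AFFECTED_SERVICES:
            if svc.lower() in key.lower():
                hits.append((key, svc))
                break
    return hits

def world_or_group_readable(path):
    """True if anyone other than the owner can read the file."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

def audit_rc(path):
    """Audit one file: which secrets it stores in the clear and whether its mode exposes them."""
    with open(path) as f:
        text = f.read()
    return {"credentials": find_plaintext_credentials(text),
            "exposed_mode": world_or_group_readable(path)}

def audit_sample(mode):
    """Write the constructed sample to a temp file with the given mode and audit it."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as f:
            f.write(SAMPLE_RC)
        os.chmod(path, mode)
        return audit_rc(path)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print(audit_sample(0o644))
```

The empty FTP password is not reported, so the check only fires on values that would actually leak.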