Tenable Appliance Vulnerability [CVE-2017-8051]

Vulnerability Overview:

Tenable Appliance 3.5 - 4.4.0, and possibly prior versions, contains a flaw in the simpleupload.py script in the Web UI. Through the manipulation of the tns_appliance_session_user parameter, a remote attacker can inject arbitrary commands.

Details:

Tenable Appliance Web UI /simpleupload.py tns_appliance_session_user Parameter Remote Command Execution (VulnDB 153135 / CVE-2017-8051)
ÔÇóTenable Appliance 3.5 - 4.4.0, and possibly prior versions, contains a flaw in the simpleupload.py script in the Web UI.
ÔÇóThrough the manipulation of the tns_appliance_session_user parameter, a remote attacker can inject arbitrary commands.
Vulnerability Type:
ÔÇóCommand Injection (CWE-77)
ÔÇóThe software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Recommended Solution:

Tenable has released version 4.5.0 of the Appliance that resolves this issue. Users are strongly encouraged to use the online updating functionality or download the new version to upgrade.
On 2017-04-18, security researcher "agix" published an exploit for the remote command execution flaw (VulnDB 153135). As such, customers are more strongly encouraged to upgrade immediately.

System Affected/Related OS and Version:

This issue affects
Tenable_Appliance:4.4.0

Appendix:
External Source:CONFIRM
http://www.tenable.com/security/tns-2017-07
External Source:MISC
https://vulndb.cyberriskanalytics.com/153135
External Source:EXPLOIT-DB
https://www.exploit-db.com/exploits/41892/

Threat Category: