1. Home
  2. Network Vulnerabilities
  3. How to remediate – Wake-on-LAN
Searching...

How to remediate – Wake-on-LAN

Contents

1. Introduction

Wake-on-LAN is a feature that allows a computer to be switched on remotely using network messages. This can create a security risk if unauthorised users can wake up systems, potentially gaining access or disrupting services. Affected systems are typically those with network interface cards and operating systems supporting WoL functionality. A successful exploit could lead to information disclosure, denial of service, or remote code execution.

2. Technical Explanation

The vulnerability exists because the script sends a Wake-on-LAN packet to MAC addresses listed in a file supplied via policy. An attacker can list their own MAC address in this file if they have sufficient access to modify the Nessus policy, allowing them to wake up their machine on the network. The scanner must be located on the same physical subnet as the target for successful exploitation.

  • Root cause: The script does not validate the source or ownership of MAC addresses provided in the configuration file.
  • Exploit mechanism: An attacker modifies the Nessus policy to include their own MAC address, then triggers a scan. This causes a WoL packet to be sent to their machine, waking it up.
  • Scope: Systems running Nessus and connected to networks where attackers can modify Nessus policies are affected.

3. Detection and Assessment

To confirm vulnerability, check the Nessus policy configuration for a Wake-On-LAN file. Thorough assessment involves reviewing access controls on the Nessus instance itself.

  • Quick checks: Check the ‘Advanced’ section of your Nessus policies to see if a WoL file is configured.
  • Scanning: Nessus vulnerability ID 16849 can identify this configuration, but it only reports information about the feature being enabled, not necessarily malicious use.
  • Logs and evidence: Review Nessus logs for activity related to policy changes, specifically modifications to the Wake-On-LAN setting.
nessuscli scan -p {policy_id} --show-settings | grep "wake_on_lan"

4. Solution / Remediation Steps

Remove or disable the Wake-on-LAN feature in Nessus policies if it is not required. Restrict access to modify Nessus policies to only authorised personnel.

4.1 Preparation

  • Ensure you have appropriate permissions to edit Nessus policies. A roll back plan is to restore the backed-up configuration if needed.
  • A change window may be required depending on your organisation’s procedures, and approval from a senior IT administrator might be necessary.

4.2 Implementation

  1. Step 1: Log in to the Nessus web interface as an administrator.
  2. Step 2: Navigate to Policies.
  3. Step 3: Edit the policy that uses Wake-on-LAN.
  4. Step 4: Go to Advanced settings.
  5. Step 5: Remove the file path from the ‘Wake-On-LAN’ field, or disable the feature entirely.
  6. Step 6: Save the changes to the policy.

4.3 Config or Code Example

Before

wake_on_lan = "/path/to/mac_addresses.txt"

After

wake_on_lan = ""

4.4 Security Practices Relevant to This Vulnerability

List only practices that directly address this vulnerability type. Use neutral wording and examples instead of fixed advice. For example: least privilege, input validation, safe defaults, secure headers, patch cadence. If a practice does not apply, do not include it.

  • Practice 1: Least privilege access control to Nessus policies reduces the risk of unauthorised modification.
  • Practice 2: Regularly review policy configurations for unnecessary features or settings that could introduce security risks.

4.5 Automation (Optional)

# Example PowerShell script to remove WoL setting from all policies
# Requires Nessus API access
# WARNING: This will modify your Nessus configuration - test thoroughly!
# Get-NessusPolicy | ForEach-Object {
#   $policy = $_
#   if ($policy.settings.wake_on_lan) {
#     $policy.settings.wake_on_lan = ""
#     Set-NessusPolicy -Policy $policy
#   }
# }

5. Verification / Validation

Confirm the fix by checking the Nessus policy configuration again to ensure the Wake-On-LAN setting is empty or disabled. Re-run a scan with the modified policy and verify no WoL packets are sent.

  • Post-fix check: Run `nessuscli scan -p {policy_id} –show-settings | grep “wake_on_lan”` – output should be empty.
  • Re-test: Re-run Nessus vulnerability ID 16849 to confirm it no longer reports the WoL configuration.
  • Monitoring: Monitor Nessus logs for any attempts to modify policy settings related to Wake-on-LAN.
nessuscli scan -p {policy_id} --show-settings | grep "wake_on_lan"

6. Preventive Measures and Monitoring

Suggest only measures that are relevant to the vulnerability type. Use “for example” to keep advice conditional, not prescriptive.

  • Baselines: Update your Nessus security baseline to include a setting for disabling unnecessary features like Wake-on-LAN.
  • Pipelines: Integrate policy reviews into your CI/CD pipeline to prevent unintended configuration changes.
  • Asset and patch process: Review Nessus configurations regularly as part of your asset management and patching cycle.

7. Risks, Side Effects, and Roll Back

  • Risk or side effect 1: Removing Wake-on-LAN may impact automated tasks that rely on it.
  • Risk or side effect 2: Incorrect policy configuration could lead to scan failures.

8. References and Resources

Updated on October 26, 2025

Was this article helpful?

Yes No

Related Articles