1. Introduction
OpenVAS Scanner Detection indicates an OpenVAS service is actively listening on a network port. This component performs security scans and audits, potentially identifying vulnerabilities within your systems. If unused, this open service presents a potential attack surface. A successful exploit could allow remote attackers to gain information about your network or compromise the scanner itself, impacting confidentiality, integrity, and availability of scan data.
2. Technical Explanation
The OpenVAS Scanner daemon listens for connections on a specific port, enabling remote administration and scan initiation. Attackers can attempt to exploit vulnerabilities within the daemon itself or use it as a pivot point into your network. Exploitation requires network access to the affected port. There are no known CVEs specifically related to simply *detecting* the service; however, vulnerabilities in OpenVAS Scanner components are regularly discovered and patched.
- Root cause: The OpenVAS Scanner daemon is running and listening on a network port.
- Exploit mechanism: An attacker could attempt to exploit known vulnerabilities within the scanner software or use it as an entry point for further attacks.
- Scope: Systems running the OpenVAS Scanner service are affected, typically Linux servers.
3. Detection and Assessment
Confirming a vulnerable system involves checking for the listening service on the network port. A thorough assessment includes reviewing the scanner configuration.
- Quick checks: Use netstat -tulnp or ss -tulnp to check if any processes are listening on ports typically used by OpenVAS (e.g., 9392).
- Scanning: Nessus vulnerability ID 16875 can detect the presence of an OpenVAS Scanner service.
- Logs and evidence: Check system logs for entries related to the OpenVAS Scanner daemon, such as startup messages or scan activity.
netstat -tulnp | grep 9392
4. Solution / Remediation Steps
The primary solution is to disable the service if it’s not required. These steps are straightforward and can be easily reversed.
4.1 Preparation
- Back up your OpenVAS configuration files before making changes. Stop the OpenVAS Scanner service using systemctl stop openvas-scanner.
- Ensure no active scans are running before stopping the service. A roll back plan involves restarting the service with systemctl start openvas-scanner.
- Change windows should be scheduled during low usage periods, and approval from the security team may be needed.
4.2 Implementation
- Step 1: Disable the OpenVAS Scanner service using systemctl disable openvas-scanner.
- Step 2: Mask the service to prevent accidental restarts with systemctl mask openvas-scanner.
4.3 Config or Code Example
Before
systemctl status openvas-scanner
After
systemctl is-enabled openvas-scanner
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help mitigate risks associated with unnecessary services.
- Practice 1: Least privilege – only run services that are absolutely required, and configure them with minimal permissions.
- Practice 2: Safe defaults – ensure all services have secure default configurations, changing passwords and disabling unused features.
4.5 Automation (Optional)
#!/bin/bash
# Stop and disable OpenVAS Scanner service
systemctl stop openvas-scanner
systemctl disable openvas-scanner
systemctl mask openvas-scanner
echo "OpenVAS Scanner service stopped, disabled, and masked."
5. Verification / Validation
Confirm the fix by verifying that the service is no longer listening on the network port.
- Post-fix check: Run netstat -tulnp | grep 9392; there should be no output indicating a process listening on port 9392.
- Re-test: Re-run the Nessus scan (ID 16875) to confirm it no longer detects the OpenVAS Scanner service.
- Smoke test: Verify that other essential network services are still functioning as expected.
- Monitoring: Monitor system logs for any unexpected attempts to start the OpenVAS Scanner service.
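A stricter form of the post-fix check, as an added example that is not part of the original page: a plain grep for 9392 also matches PIDs and longer port numbers that contain those digits, so this filter compares only the local port column. It assumes the column layout of ss -tulnp; the function name and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: exact-port listener check for `ss -tulnp` style output.

# listeners_on_port PORT
# Reads ss -tulnp text on stdin and prints "proto local-address process" for
# every socket whose local port is exactly PORT.
# Exit status: 0 if at least one listener was found, 1 if none.
listeners_on_port() {
    awk -v port="$1" '
        NR == 1 && $1 == "Netid" { next }       # skip the header row
        {
            n = split($5, parts, ":")           # column 5 is Local Address:Port
            if (parts[n] == port) {             # text after the last colon is the port
                print $1, $5, $7                # $7 is empty when ss ran without root
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample output (not captured from a real host).
sample_before() {
cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=9392,fd=3))
tcp   LISTEN 0      128          0.0.0.0:19392      0.0.0.0:*     users:(("app",pid=700,fd=4))
tcp   LISTEN 0      128          0.0.0.0:9392       0.0.0.0:*     users:(("openvassd",pid=811,fd=5))
tcp   LISTEN 0      128             [::]:9392          [::]:*     users:(("openvassd",pid=811,fd=6))
EOF
}

# Same host after the scanner has been stopped and masked (constructed).
sample_after() { sample_before | grep -v openvassd; }

echo "Before fix, exact match on 9392:"
sample_before | listeners_on_port 9392

echo "After fix, naive grep still matches $(sample_after | grep -c 9392) line(s)"
if sample_after | listeners_on_port 9392; then
    echo "After fix, exact match: port 9392 is still listening"
else
    echo "After fix, exact match: no listener on port 9392"
fi
```

On a live host, pipe the real output through the function: ss -tulnp | listeners_on_port 9392.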
netstat -tulnp | grep 9392
6. Preventive Measures and Monitoring
Regular security baselines and patch management are key preventive measures.
- Baselines: Update your security baseline to include a requirement for disabling unused services like OpenVAS Scanner.
- Asset and patch process: Implement a regular review cycle (e.g., monthly) to assess installed software and apply security patches promptly.
7. Risks, Side Effects, and Roll Back
- Risk or side effect 1: Disabling the service may interrupt ongoing security scans.
- Risk or side effect 2: Other applications relying on the scanner’s functionality might be affected.
- Roll back: Restart the service using systemctl start openvas-scanner and unmask it with systemctl unmask openvas-scanner.
8. References and Resources
- Vendor advisory or bulletin: http://www.openvas.org/