1. Introduction
The OpenVAS Manager / Administrator Detection finding indicates that an OpenVAS Manager or Administrator service is listening on a remote port. These services control the scanner and schedule tasks within an OpenVAS installation. This matters because exposed management interfaces can allow attackers to compromise the entire scanning infrastructure. Affected systems are typically those running the OpenVAS scanner suite, including servers dedicated to vulnerability assessment. A successful exploit could lead to data breaches, service disruption, or unauthorized scans of internal networks.
2. Technical Explanation
The vulnerability occurs when the OpenVAS Manager or Administrator daemon is accessible from a network. This isn’t an inherent flaw in the software itself, but rather a configuration issue where these services are not restricted to trusted hosts. An attacker could potentially connect to these daemons and attempt to gain control of the scanner. There is no specific CVE associated with simply listening on a port; it’s a detection of potential misconfiguration.
- Root cause: The OpenVAS Manager or Administrator daemon is bound to an interface accessible from outside the intended network.
- Exploit mechanism: An attacker could attempt to connect to the service and exploit any vulnerabilities in its authentication or authorization mechanisms, potentially gaining control of the scanner.
- Scope: Systems running OpenVAS Manager or Administrator daemons on Linux platforms are affected.
3. Detection and Assessment
Confirming the exposure involves checking for listening ports associated with these services. A quick check identifies whether the service is exposed, while a more thorough check verifies the version and configuration.
- Quick checks: Use `netstat -tulnp` or `ss -tulnp` to see if any processes are listening on port 9392 (default for OpenVAS Manager) or other common OpenVAS ports.
- Scanning: Nessus plugin ID 10874 can detect this issue. Other vulnerability scanners may have similar checks.
- Logs and evidence: Check system logs for connections to the OpenVAS management port, particularly from unexpected sources.
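The root cause above is the address the daemon is bound to, which a substring `grep 9392` does not show (it also matches ports such as 19392). The following added example, which is not part of the original page, reads `ss -H -tln` output and classifies each listener on the exact port as loopback-only or reachable from other hosts. The sample lines and addresses are constructed.

```shell
#!/bin/sh
# Added example: classify listeners on a port from `ss -H -tln` output (stdin).
# Prints "<address> <class>", where class is loopback, all-interfaces or
# specific-interface.
classify_listeners() {
    awk -v port="$1" '
    $1 == "LISTEN" {
        n = split($4, parts, ":")          # port is the text after the last colon
        if (parts[n] != port) next         # exact match, so 19392 is ignored
        addr = substr($4, 1, length($4) - length(parts[n]) - 1)
        sub(/%.*$/, "", addr)              # drop an interface suffix such as %lo
        if (addr ~ /^127\./ || addr == "[::1]")
            class = "loopback"
        else if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            class = "all-interfaces"
        else
            class = "specific-interface"
        print addr, class
    }'
}

# Count listeners that are reachable from beyond the local host.
exposed_count() {
    classify_listeners "$1" | awk '$2 != "loopback" { c++ } END { print c + 0 }'
}

# Constructed sample of `ss -H -tln` output (not taken from a real host).
SAMPLE_SS='LISTEN 0 128 127.0.0.1:9392 0.0.0.0:*
LISTEN 0 128 0.0.0.0:9392 0.0.0.0:*
LISTEN 0 128 [::]:9392 [::]:*
LISTEN 0 128 192.0.2.15:9392 0.0.0.0:*
LISTEN 0 128 0.0.0.0:19392 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | classify_listeners 9392
```

On a live host, pipe the real output in with `ss -H -tln | classify_listeners 9392`; any line not classed as loopback needs a firewall restriction or a narrower bind address.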
netstat -tulnp | grep 9392
4. Solution / Remediation Steps
The solution is to disable the service if it’s not required or restrict access using firewall rules.
4.1 Preparation
- Ensure you have alternative vulnerability scanning methods in place if disabling OpenVAS. A roll back plan is to restart the OpenVAS Scanner service.
- Change windows should be scheduled during low-usage periods and approved by the IT security team.
4.2 Implementation
- Step 1: If you do not use the OpenVAS Manager or Administrator interface, stop the service using `systemctl stop openvas-manager`.
- Step 2: Disable the service from starting on boot with `systemctl disable openvas-manager`.
- Step 3: If you need to keep the service running, configure your firewall (e.g., `iptables`, `firewalld`) to allow access only from trusted IP addresses or networks.
4.3 Config or Code Example
Before
# No firewall rules restricting access to port 9392
After
# Replace <TRUSTED_IP> with the address of the trusted management host
iptables -A INPUT -p tcp --dport 9392 -s <TRUSTED_IP>/32 -j ACCEPT
iptables -A INPUT -p tcp --dport 9392 -j DROP
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this issue.
- Practice 1: Least privilege – only allow necessary services to run and restrict access to those services.
- Practice 2: Network segmentation – isolate the OpenVAS scanner from untrusted networks.
4.5 Automation (Optional)
#!/bin/bash
# Example script to stop OpenVAS Manager service
if systemctl is-active --quiet openvas-manager; then
    systemctl stop openvas-manager
    echo "OpenVAS Manager service stopped."
else
    echo "OpenVAS Manager service is not running."
fi
5. Verification / Validation
Confirm the fix by checking that the port is no longer listening or access is restricted.
- Post-fix check: Run `netstat -tulnp | grep 9392`. The output should not show a process listening on port 9392 if the service was stopped.
- Re-test: Re-run the Nessus plugin ID 10874 to confirm it no longer detects the issue.
- Smoke test: Verify that other vulnerability scanning functions still work as expected.
- Monitoring: Monitor system logs for any attempts to connect to port 9392 from unexpected sources.
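When the service stays running, the port check alone does not confirm that access is restricted, because iptables evaluates rules in order and `-A` appends after any rule already in the chain. The following added example, which is not part of the original page, reads `iptables -S INPUT` output and reports how the chain treats the port. It assumes that only rules naming `--dport` matter and that any `-s` match is a trusted source; the rule sets and 192.0.2.10 are constructed.

```shell
#!/bin/sh
# Added example: judge how the INPUT chain treats a TCP port, reading
# `iptables -S INPUT` output on stdin. Simplification: only rules that name
# --dport explicitly are considered, and any -s match counts as a trusted source.
check_port_rules() {
    awk -v port="$1" '
    BEGIN { verdict = "no-drop-rule"; allowed = 0 }
    $1 != "-A" || $2 != "INPUT" { next }
    {
        dport = ""; src = ""; target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "--dport") dport = $(i + 1)
            if ($i == "-s")      src = $(i + 1)
            if ($i == "-j")      target = $(i + 1)
        }
        if (dport != port) next
        if (target == "ACCEPT" && src != "") { allowed++; next }
        if (target == "ACCEPT") { verdict = "open"; exit }   # anyone is accepted first
        if ((target == "DROP" || target == "REJECT") && src == "") {
            verdict = (allowed > 0) ? "restricted" : "blocked"
            exit
        }
    }
    END { print verdict }'
}

# Constructed rule sets; 192.0.2.10 is a documentation address, not from the page.
RULES_OK='-P INPUT ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 9392 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9392 -j DROP'

# The same two rules appended after an older allow-all rule for the port.
RULES_SHADOWED='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 9392 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 9392 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9392 -j DROP'

printf '%s\n' "$RULES_OK" | check_port_rules 9392         # restricted
printf '%s\n' "$RULES_SHADOWED" | check_port_rules 9392   # open
```

A verdict of `blocked` means the DROP rule comes before any trusted-source ACCEPT, which is the misconfiguration that locks out legitimate users; `no-drop-rule` means the port falls through to later rules or the chain policy.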
netstat -tulnp | grep 9392 # Should return no output
6. Preventive Measures and Monitoring
Update security baselines and implement checks in your CI/CD pipelines to prevent similar issues.
- Baselines: Update a security baseline or policy to require restricted access for OpenVAS management interfaces.
- Pipelines: Add SAST or SCA checks to identify insecure configurations during deployment.
- Asset and patch process: Review configuration changes regularly to ensure they align with security policies.
7. Risks, Side Effects, and Roll Back
Disabling the OpenVAS Manager service will prevent you from using its features. Restricting access via firewall may impact legitimate users if misconfigured.
- Risk or side effect 1: Disabling the manager prevents use of its interface for configuration and reporting.
- Risk or side effect 2: Incorrect firewall rules can block legitimate access to the scanner.
- Roll back: Step 1: If disabled, restart the service with `systemctl start openvas-manager`. Step 2: If firewall rules were added, remove them using `iptables -D INPUT …` (replace “…” with the correct rule).
8. References and Resources
- Vendor advisory or bulletin: http://www.openvas.org/