1. Home
  2. Network Vulnerabilities
  3. How to remediate – OpenVAS Scanner Detection
Searching...

How to remediate – OpenVAS Scanner Detection

Contents

1. Introduction

OpenVAS Scanner Detection indicates an OpenVAS service is actively listening on a network port. This component performs security scans and audits, potentially identifying vulnerabilities within your systems. If unused, this open service presents a potential attack surface. A successful exploit could allow remote attackers to gain information about your network or compromise the scanner itself, impacting confidentiality, integrity, and availability of scan data.

2. Technical Explanation

The OpenVAS Scanner daemon listens for connections on a specific port, enabling remote administration and scan initiation. Attackers can attempt to exploit vulnerabilities within the daemon itself or use it as a pivot point into your network. Exploitation requires network access to the affected port. There are no known CVEs specifically related to simply *detecting* the service; however, vulnerabilities in OpenVAS Scanner components are regularly discovered and patched.

  • Root cause: The OpenVAS Scanner daemon is running and listening on a network port.
  • Exploit mechanism: An attacker could attempt to exploit known vulnerabilities within the scanner software or use it as an entry point for further attacks.
  • Scope: Systems running the OpenVAS Scanner service are affected, typically Linux servers.

3. Detection and Assessment

Confirming a vulnerable system involves checking for the listening service on the network port. A thorough assessment includes reviewing the scanner configuration.

  • Quick checks: Use netstat -tulnp or ss -tulnp to check if any processes are listening on ports typically used by OpenVAS (e.g., 9392).
  • Scanning: Nessus vulnerability ID 16875 can detect the presence of an OpenVAS Scanner service.
  • Logs and evidence: Check system logs for entries related to the OpenVAS Scanner daemon, such as startup messages or scan activity.
netstat -tulnp | grep 9392

4. Solution / Remediation Steps

The primary solution is to disable the service if it’s not required. These steps are straightforward and can be easily reversed.

4.1 Preparation

  • Back up your OpenVAS configuration files before making changes. Stop the OpenVAS Scanner service using systemctl stop openvas-scanner.
  • Ensure no active scans are running before stopping the service. A roll back plan involves restarting the service with systemctl start openvas-scanner.
  • Change windows should be scheduled during low usage periods, and approval from the security team may be needed.

4.2 Implementation

  1. Step 1: Disable the OpenVAS Scanner service using systemctl disable openvas-scanner.
  2. Step 2: Mask the service to prevent accidental restarts with systemctl mask openvas-scanner.

4.3 Config or Code Example

Before

systemctl status openvas-scanner

After

systemctl is-enabled openvas-scanner

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help mitigate risks associated with unnecessary services.

  • Practice 1: Least privilege – only run services that are absolutely required, and configure them with minimal permissions.
  • Practice 2: Safe defaults – ensure all services have secure default configurations, changing passwords and disabling unused features.

4.5 Automation (Optional)

#!/bin/bash
# Stop and disable OpenVAS Scanner service
systemctl stop openvas-scanner
systemctl disable openvas-scanner
systemctl mask openvas-scanner
echo "OpenVAS Scanner service stopped, disabled, and masked."

5. Verification / Validation

Confirm the fix by verifying that the service is no longer listening on the network port.

  • Post-fix check: Run netstat -tulnp | grep 9392; there should be no output indicating a process listening on port 9392.
  • Re-test: Re-run the Nessus scan (ID 16875) to confirm it no longer detects the OpenVAS Scanner service.
  • Smoke test: Verify that other essential network services are still functioning as expected.
  • Monitoring: Monitor system logs for any unexpected attempts to start the OpenVAS Scanner service.
netstat -tulnp | grep 9392

6. Preventive Measures and Monitoring

Regular security baselines and patch management are key preventive measures.

  • Baselines: Update your security baseline to include a requirement for disabling unused services like OpenVAS Scanner.
  • Asset and patch process: Implement a regular review cycle (e.g., monthly) to assess installed software and apply security patches promptly.

7. Risks, Side Effects, and Roll Back

  • Risk or side effect 1: Disabling the service may interrupt ongoing security scans.
  • Risk or side effect 2: Other applications relying on the scanner’s functionality might be affected.
  • Roll back: Restart the service using systemctl start openvas-scanner and unmask it with systemctl unmask openvas-scanner.

8. References and Resources

Updated on December 27, 2025

Was this article helpful?

Yes No

Related Articles