Detections
Analytics

Tenable Identity Exposure < 3.77.8 Multiple Vulnerabilities (TNS-2025-01)

critical Nessus Plugin ID 215200

Synopsis

An identity security and threat detection platform running on the remote host is affected by multiple vulnerabilities.

Description

The version of the Tenable Identity Exposure running on the remote host is prior to 3.77.8. It is, therefore, affected by multiple vulnerabilities according to advisory TNS-2025-01, including the following:


 - libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve. (CVE-2025-0665)

 - With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23. (CVE-2025-23083)

 - When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the CURLOPT_ACCEPT_ENCODING option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow. (CVE-2025-0725)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Tenable Identity Exposure version 3.77.8 or later.

See Also

https://www.tenable.com/security/tns-2025-01

Plugin Details

Severity: Critical

ID: 215200

File Name: tenable_identity_exposure_3_77_8.nasl

Version: 1.1

Type: combined

Agent: windows

Family: Windows

Published: 2/10/2025

Updated: 2/10/2025

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-0665

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: x-cpe:/a:tenable:tenable_ad, x-cpe:/a:tenable:tenable_identity_exposure

Required KB Items: installed_sw/Tenable.ad

Patch Publication Date: 2/6/2025

Vulnerability Publication Date: 2/6/2025

Reference Information

CVE: CVE-2024-11053, CVE-2024-25629, CVE-2025-0167, CVE-2025-0665, CVE-2025-0725, CVE-2025-0760, CVE-2025-1091, CVE-2025-23083, CVE-2025-23084, CVE-2025-23085