7 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
7.6 High
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:H/Au:N/C:C/I:C/A:C
0.975 High
EPSS
Percentile
100.0%
Hi everyone! Today I would like talk about software vulnerabilities. How to find really interesting vulnerabilities in the overall CVE flow. And how to do it automatically.
First of all, let’s talk why we may ever need to analyze software vulnerabilities? How people usually do their Vulnerability Management and Vulnerability Intelligence?
Each of these ways have some advantages and some disadvantages.
Huge part of detection plugins were written manually. Especially plugins that work remotely without authorization. It takes time to make them and so they may appear in scanner with a huge latency. It also might be economically impractical for VM vendors to deal with vulnerabilities in some rare software.
From the one hand it’s really great. Even Top managers might ask you if we have, for example, GHOST in our infrastructure or other popular vulnerability. They begin to see that you are doing something important!
On the other hand, vulnerability researchers are also people. And they are interested in making more hype around the vulnerabilities they have discovered. It’s just a part of their self-promotion. It’s relatively easy to come with a name, register a domain and make a beautiful logo for the vulnerability. And it’s hard to understand how critical this vulnerability really is. Especially when there are no so much details.
Here you can see some well-known vulnerabilities that made a lot of noise in the past.
Most of them were really critical. But, I have seen plenty of publications about BadLock saying that this vulnerability was overvalued.
Most people use CVSS vector and the CVSS Base Score for vulnerability filtering and vulnerability prioritization. They may also take into consideration the existence of exploits, for example. But the CVSS is still a basis.
What is the Common Vulnerability Scoring System? In fact, there is a framework, a questionnaire, in which some person manually describes the vulnerability.
I do not know who fills CVSS for National Vulnerability Database. But, imagine some people in US military uniform.
The final result is a score, number from 0 to 10, and a vector containing all the answers in a compact form.
What’s wrong with CVSS?
Heartbleed was rated as a medium-level vulnerability by NVD. But on the other hand, Tenable Network Security, the well-known Vulnerability Management vendor, believes that this vulnerability should have different CVSS vector.
So this is a controversial issue:
And the final result depends on this.
It was the 2nd version of the CVSS standard, now the actual version is 3rd. But in 3rd versions problems with confidentiality threats were not solved either.
So, my idea was to evaluate vulnerabilities using the data that we currently have. Of course, it would be great to work with some highly formalized descriptions of vulnerabilities. However, as a rule, we do not have such information. We have only different objects linked with each other and stored in some vulnerability database.
If we open, for example, Heartbleed page at vulners.com (read more about this service at “Vulners – Google for hacker”) we can see all the objects linked to this vulnerability and the timestamps when objects were created.
Using this data I can calculate two integrated characteristics of vulnerability: “Danger” and “Relevance”. And I can do it for any moment of time.
“Danger” is about technical criticality and exploitability. It shows how interesting this vulnerability may be for an attacker.
It depends on:
“Relevance” shows the attention paid to the vulnerability by media, vulnerability management vendors, and users of vulnerability databases.
It depends on:
Media coverage ↑
Descriptions ↑
Detection plugins ↑
Search queries* ↑
Search results* ↑
Clicks* ↑
Age ↓
haven’t used it in PoC
To show the current state of vulnerability I use “quadrants”. Like consulting and research companies do it for comparing software vendors.
So, for products “Ability to execute” and “Completeness of vision” are important, for vulnerabilities it will be “Danger” and “Relevance”.
I gave this names to quadrants:
Here is, for example, Vulnerability Quadrant for Heartbleed:
And this one is for Badlock:
As you can see, unlike Heartbleed, Badlock was never a Leading Threat.
We can visualize more than one vulnerability at the same time. For example, here I took last year CVEs and showed dynamics of their state since this beginning of the year (from 2017-01-01 till 2017-04-15).
To limit amount of the vulnerabilities in the lower left corner I made a “rule for disappearing”: vulnerability may stay in Daily Routine quadrant only for 10 days with value of Danger and Relevance <3.5 or they will disappear.
Here you can see different types of vulnerabilities. These ones are about race condition that allows attackers to execute arbitrary code in a privileged context via a crafted app. (iOS, macOS, tvOS, watchOS):
And these vulnerabilities in Microsoft Edge and WordPress are also dangerous and exploitable, but never get the same level of media attention. Researchers find vulnerabilities in this products on a regular basis and therefore it’s not a news. Vulnerabilities of such kind are slowly drifting from Local Disaster quadrant to Daily Routine.
Of course, “rule for disappearing” doesn’t work in real life and all vulnerabilities will exist in your infrastructure until you install the updates. If I switch off this rule and switch off all the captions, we will see something like this:
So, don’t forget to fix vulnerabilities in your systems until it’s too late:
The Greedy Raja covered with golden coins. From the classic Soviet animated film Golden Antelope
Vulnerability Quadrant is a simple and universal way to show the current state for any vulnerability and dynamics of this state. it’s possible to highlight most critical vulnerabilities and to identify trends. And it’s just fun to watch vulnerabilities crawling on the screen.
Problems and limitations
Q: Can we use Vulnerability Quadrants to decide which of vulnerabilities are really dangerous for your organization and should be discovered and patched immediately?
Well, yes, but not in the form we have seen earlier. First of all, we should switch off gravity. Vulnerability Danger will not become smaller until you patch the software in your organization. As well as Relevance. And you should consider only vulnerabilities in the software products that are currently in use in your organization.
7 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
7.6 High
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:H/Au:N/C:C/I:C/A:C
0.975 High
EPSS
Percentile
100.0%