SoftSec 02 Vulnerabilities
Riccardo Scandariato
Institute of Software Security, TUHH, Germany
ric***do . scanda***to @ tuhh.de
A software vulnerability
Log4Shell (CVE-2021-44228)
• Log4J is an open-source framework that allows
software developers to log data within their
application
– Part of the Apache Logging Services
• Dec 2021: Zero-day vulnerability (CVE-2021-44228)
gets used by thousands of attacks (and gets noticed)
– Proof of Concept on GitHub ;)
– Reached 10M attack attempts / hour
• Unauthenticated remote code execution (bingo!)
How Log4Shell works
Functionality intended to add values via lookups (e.g., env variables, java version…)
What would you have the Java class do? ;)
• Mine for Bitcoin (steal CPU time)
• Encrypt the HD and ask for ransom
• Extract info and send it to your server
• Launch a denial of service attack
• Send spam
• …
Flaws
• Flaw: a security weakness, something that is
wrong or missing
• Design flaw
– E.g., a backdoor, which violates the principle of full mediation
• Implementation flaw: Programming error (bug)
– Bug, coding defect, coding error
– E.g., buffer overflow, no input validation, wrong
usage of crypto API…
• Configuration flaw
– E.g., wrong access-control policy, default admin password, …
Share your opinion
Go to menti.com – XXXX YYYY
Log4Shell : CVE-2021-44228
• CWE-502: Deserialization of Untrusted Data
– Modes Of Introduction: Architecture and Design
• OMISSION: This weakness is caused by missing a security tactic
during the architecture and design phase.
• CWE-20: Improper Input Validation
– Modes Of Introduction: Implementation
• CWE-917: Improper Neutralization of Special
Elements used in an Expression Language
Statement ('Expression Language Injection')
Vulnerabilities
• Not all flaws are vulnerabilities
– Flaw in code that is never executed (for now…)
Share your opinion
Go to menti.com – XXXX YYYY
• Vulnerability vs Exploit?
• Exploit vs Attack?
Vulnerability vs exploit - Example
• Vulnerability
txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;
• Exploit
import requests as req
url = 'http://localhost/vulnerable?UserId='
params = 'riccardo OR 1=1'  # injected value: turns the WHERE clause into an always-true condition
r = req.get(url + params)   # requests percent-encodes the spaces in the query string
print(r.text[0:300])        # first 300 characters of the response
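The two snippets above worked through as runnable Python against an in-memory SQLite table (an added example, not code from the slides). It assumes a numeric UserId column so that the slide's unquoted string concatenation is valid SQL, and places the hardened, parameterized query next to the vulnerable one.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users with numeric ids (assumption: UserId is numeric)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER, Name TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [(7, "riccardo"), (8, "alice"), (9, "bob")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """The slide's pattern: the request string is concatenated into the SQL text,
    so whatever the client sends becomes part of the statement the database parses."""
    sql = "SELECT * FROM Users WHERE UserId = " + user_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened form: the request string is bound as a parameter. The database
    receives it as a value to compare against, never as SQL to parse."""
    sql = "SELECT * FROM Users WHERE UserId = ?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    benign, hostile = "7", "7 OR 1=1"       # hostile value has the slide's 'OR 1=1' shape
    print(lookup_vulnerable(db, benign))    # one row
    print(lookup_vulnerable(db, hostile))   # every row: the WHERE clause became always-true
    print(lookup_safe(db, hostile))         # no rows: '7 OR 1=1' is a string matching no id
```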
Vulnerability vs Exploit vs Attack
Terminology
• Exploit
– Adversarial code (tool), or …
– ... chunk of data, or …
– … sequence of commands that takes advantage
(think “Proof of concept”, “Proof of vulnerability”)
• Attack
– Actively leveraging the vulnerability in deployed software
systems, via exploit code (possibly on large scale)
Evolution of vulnerabilities
Data: https://www.cvedetails.com/browse-by-date.php
Problem?
CVE, NVD, CWE, CVSS
Having fun with acronyms ...
Vulnerability Databases
• Common Vulnerabilities & Exposures (CVE)
– https://cve.mitre.org
• National Vulnerability Database (NVD)
– https://nvd.nist.gov
CVE (Common Vulnerabilities & Exposures)
https://cve.mitre.org
• Maintained by MITRE
• A list of publicly disclosed
vulnerabilities and exposures
Share your opinion
Go to menti.com – XXXX YYYY
Do all vulnerabilities have a record in the CVE List?
Zero-day (a.k.a. 0-day)
“A vulnerability either unknown to those who
should be interested in its mitigation (including
the vendor of the software) or known and a
patch has not been developed”
Wikipedia
Vulnerability Classifications
• Vulnerabilities can be classified in different ways
– E.g., domain: web vulnerability, IoT vulnerabilities...
– E.g., hardware vs software
– A bit arbitrary, of course
CWE
https://cwe.mitre.org
• Groups vulnerabilities of the same kind into a weakness type and gives it a distinct number
Example: CWE
Categories of vulnerabilities (coarse grain)
Categories of vulnerabilities
1. Memory Management Vulnerabilities
https://www.cybok.org/media/downloads/Software_Security_issue_1.0_1M7Kfk2.pdf
Categories of vulnerabilities
2. Structured Output Generation Vulnerabilities
https://www.cybok.org/media/downloads/Software_Security_issue_1.0_1M7Kfk2.pdf
Categories of vulnerabilities
3. API Vulnerabilities
An API comes with an (explicit or implicit) contract
of how it should be used and what services it
offers. If the client of the API violates the contract,
the software system again enters an error-state,
and the further behaviour of the software system
will depend on implementation details of the API
https://www.cybok.org/media/downloads/Software_Security_issue_1.0_1M7Kfk2.pdf
Categories of vulnerabilities
4. Side-channel Vulnerabilities
The execution of a program is ultimately a physical process,
typically involving digital electronic circuitry that consumes
power, emits electromagnetic radiation, and takes time to
execute to completion.
In computer science we model the execution of programs
abstractly, in terms of the execution of code on an abstract
machine whose semantics is defined mathematically (with
varying levels of rigour).
A side-channel is an information channel that communicates
information about the execution of a software program by means
of such effects from which the program’s code abstracts.
https://www.cybok.org/media/downloads/Software_Security_issue_1.0_1M7Kfk2.pdf
Categories of vulnerabilities
5. Race Condition Vulnerabilities (concurrency issue)
• Program checks a condition on a resource,
and later relies on that condition when using
the resource
– Attacker can interleave their own actions to
invalidate the condition between the check and
the use
– Time Of Check Time Of Use (TOCTOU) vulnerability
https://www.cybok.org/media/downloads/Software_Security_issue_1.0_1M7Kfk2.pdf
Example: access/open race
A privileged program can
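The check-then-use pattern above, and the fix that closes the window, as an added Python example (not from the slides or CyBOK). The `after_check` hook and the `swap()` step are constructed for the demo: they run the "interleaved" action synchronously so the race is reproducible, and the demo works in a temp directory owned by the current user; the hardened version opens first with O_NOFOLLOW and checks the opened descriptor with fstat.

```python
import os
import stat
import tempfile
from pathlib import Path

def read_if_owned_racy(path, uid, after_check=None) -> bytes:
    """Slide's pattern: check a condition on the name, later open the name again.
    after_check is a hook that makes the window visible in demo() below."""
    st = os.stat(path)                                   # check: regular file owned by uid?
    if not stat.S_ISREG(st.st_mode) or st.st_uid != uid:
        raise PermissionError("refused by check")
    if after_check:                                      # the TOCTOU window
        after_check()
    with open(path, "rb") as f:                          # use: name resolved a second time
        return f.read()

def read_if_owned_safe(path, uid) -> bytes:
    """Hardened form: open first (never following symlinks), then check the object
    actually opened through its descriptor; there is no second name resolution to race."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != uid:
            raise PermissionError("refused by check")
        return os.read(fd, st.st_size)
    finally:
        os.close(fd)

def demo() -> tuple:
    """Constructed scenario: the check approves user.txt, then the name is re-pointed
    at secret.txt before the open (the interleaving is simulated synchronously)."""
    with tempfile.TemporaryDirectory() as d:
        user_file, secret = os.path.join(d, "user.txt"), os.path.join(d, "secret.txt")
        Path(user_file).write_bytes(b"harmless")
        Path(secret).write_bytes(b"SECRET")

        def swap():  # the action that lands between check and use
            os.remove(user_file)
            os.symlink(secret, user_file)

        racy_result = read_if_owned_racy(user_file, os.getuid(), after_check=swap)
        try:
            read_if_owned_safe(user_file, os.getuid())   # name still points at the symlink
            safe_refused = False
        except OSError:                                  # O_NOFOLLOW refuses the symlink
            safe_refused = True
        return racy_result, safe_refused
```

Running `demo()` returns `(b"SECRET", True)`: the racy version reads the file the check never approved, the hardened version refuses it.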
Other classifications
Vulnerability types – Prevalence „in the wild“
MITRE Top 25
• Current version: 2020
• https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html
Problem?
CVSS
NIST's Common Vulnerability Scoring System
Challenges
• Difficult (lots of expertise needed)
• Lots of new vulnerabilities
– Check Twitter for a „daily“ update @CVEnew
CVSS v3 - Metrics
[Figure: CVSS v3 metric groups. Base metrics: given by NVD for CVE records; Temporal metrics: not given; Environmental metrics: organization-specific (not given)]
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
Example (for CVE-2015-2445)
Calculator – Example
Study material (not discussed in class)
CVSS
• CVSS organizes impact assessment starting from the vulnerabilities
– https://www.first.org/cvss/specification-document
– https://nvd.nist.gov/vuln/search (US National Vulnerability Database)
• Impact of a vulnerability can change over time
• Impact of a vulnerability will depend on the specific
environment a system is deployed in (e.g., value of
assets in the system, criticality of business, etc.)
• Not all sources of vulnerability reports are equally
reliable
CVSS - Base Metrics
• Base metric group: collects the generic aspects of a vulnerability
– Ratings consider from where the vulnerability can be exploited
(local or remote attacker?)
– How complex an exploit would have to be (related to
exploitability in DREAD)
– Privileges an attacker must already have to exploit the
vulnerability
– Whether another user must take an action during an attack
– Scope captures whether a vulnerability in one component
impacts other components beyond its security scope
– Ratings also consider the standard impact categories
confidentiality, integrity, and availability
CVSS - Environmental Metrics
• Environmental metrics group: rates impact on the
assets of a given organisation
– Security requirements (CIA): customize CVSS score
depending on the importance of the affected IT asset
to a user’s organization
– Modified base metrics: enable the analyst to
override individual Base metrics based on specific
characteristics of a user’s environment
CVSS - Scoring
• Each item on the score sheet has a predefined
number of possible answers
• For example, the attack vector can be network
(remotely exploitable), adjacent, local, or
physical
• CVSS severity score calculated from the ratings
given
• Score calculator at https://www.first.org/cvss/calculator/3.0
• Try it out!!