
SoftSec 02 Vulnerabilities


Software Vulnerabilities

Riccardo Scandariato
Institute of Software Security, TUHH, Germany
ric***do . scanda***to @ tuhh.de

Master Course “Software Security”


Winter Semester 22/23
Learning objectives
• Understand the concepts of vulnerability, exploit and attack
• Understand the different macro-types of vulnerabilities
• Understand how the severity of a vulnerability is assessed
A software vulnerability
Log4Shell (CVE-2021-44228)
• Log4j is an open-source framework that allows software developers to log data within their application
– Part of the Apache Logging Services
• Dec 2021: a zero-day vulnerability (CVE-2021-44228) is used in thousands of attacks (and gets noticed)
– Proof of concept on GitHub ;)
– Reached 10M attack attempts / hour
• Unauthenticated remote code execution (bingo!)
How Log4Shell works

(Figure omitted) Functionality intended to add values via lookups (e.g., env variables, Java version…)
What would you have the Java class do? ;)
• Mine for Bitcoin (steal CPU time)
• Encrypt the HD and ask for ransom
• Extract info and send it to your server
• Launch a denial of service attack
• Send spam
• …

Flaws
• Flaw: a security weakness, something that is wrong or missing
• Design flaw
– E.g., a backdoor (a violation of complete mediation)
• Implementation flaw: programming error (bug)
– Bug, coding defect, coding error
– E.g., buffer overflow, missing input validation, wrong usage of a crypto API…
• Configuration flaw
– E.g., wrong access-control policy, default admin password, …
Share your opinion
Go to menti.com – XXXX YYYY

• Is Log4Shell a design, implementation, or configuration flaw?
Log4Shell : CVE-2021-44228
• CWE-502: Deserialization of Untrusted Data
– Modes Of Introduction: Architecture and Design
• OMISSION: This weakness is caused by missing a security tactic
during the architecture and design phase.
• CWE-20: Improper Input Validation
– Modes Of Introduction: Implementation
• CWE-917: Improper Neutralization of Special
Elements used in an Expression Language
Statement ('Expression Language Injection')

Vulnerabilities
• Not all flaws are vulnerabilities
– E.g., a flaw in code that is never executed (for now…)
• Vulnerability: a flaw that can be accessed (reached) and exploited (made to cause damage) by an attacker
• I.e., an exploit can be defined (a.k.a. a PoV, proof-of-vulnerability)
Share your opinion
Go to menti.com – XXXX YYYY

• Vulnerability vs exploit?
• Exploit vs attack?
Vulnerability vs exploit - Example
• Vulnerability (server side: the request parameter is concatenated into the query text)
txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;

• Exploit (client side: the payload makes the WHERE clause always true)
import requests as req
url = 'http://localhost/vulnerable?UserId='
params = '1 OR 1=1'   # must start with a value: the concatenation is unquoted
r = req.get(url + params)   # requests percent-encodes the spaces
print(r.text[0:300])
Vulnerability vs Exploit vs Attack
Terminology
• Exploit
– Adversarial code (tool), or …
– ... a chunk of data, or …
– … a sequence of commands that takes advantage of the vulnerability
(think "proof of concept", "proof of vulnerability")

• Attack
– Actively leveraging the vulnerability in deployed software systems, via exploit code (possibly on a large scale)
Evolution of vulnerabilities

(Chart omitted) Data: https://www.cvedetails.com/browse-by-date.php
Problem?

How do I know about vulnerabilities in the software I "use"?
CVE, NVD, CWE, CVSS
Having fun with acronyms ...
Vulnerability Databases
• Common Vulnerabilities & Exposures (CVE)
– https://cve.mitre.org
• National Vulnerability Database (NVD)
– https://nvd.nist.gov

"The CVE list feeds NVD, which then […] provides enhanced information […] such as fix information [and] severity scores" (CVE portal)
CVE (Common Vulnerabilities & Exposures)
https://cve.mitre.org
• Maintained by MITRE
• A list of publicly disclosed vulnerabilities and exposures
• Identification number (e.g., CVE-2021-44228)
• Description
– "JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints"
• At least one public reference
• Link to NVD
NVD (National Vulnerability Database)
https://nvd.nist.gov
• Maintained by NIST
• Synchronized with the CVE list
• Enhanced information
– Patch availability
– CWE
– Severity scores
• E.g., see CVE-2021-44228
Share your opinion
Go to menti.com – XXXX YYYY

• Do all vulnerabilities have a record in the CVE List?
Do all vulnerabilities have a record in the CVE List?

• No, publicly disclosed ones only

• Some are communicated to the vendor by ethical hackers before being disclosed (grace period)
– Disclosure should force software vendors to improve

• Some are sold on the (black) market for good money, used by government agencies…
Zero-day (a.k.a. 0-day)
"A vulnerability either unknown to those who should be interested in its mitigation (including the vendor of the software) or known and a patch has not been developed"

Wikipedia
Vulnerability Classifications
• Vulnerabilities can be classified in different ways
– E.g., by domain: web vulnerabilities, IoT vulnerabilities...
– E.g., hardware vs software
– A bit arbitrary, of course

• A more taxonomical approach: CWE (Common Weakness Enumeration)
• Built "bottom-up" from the CVEs
CWE
https://cwe.mitre.org
• Groups the same kind of vulnerabilities into a weakness, and gives it a distinct number
• "Extracted" from CVE records
• Provides common type names for publicly known vulnerabilities
Example: a CWE entry (figure omitted)
Categories of vulnerabilities (coarse grain)
1. Memory Management Vulnerabilities
– A spatial vulnerability is a bug where the program is indexing into a valid contiguous range of memory cells, but the index is out-of-bounds
– A temporal vulnerability is a bug where the program accesses memory that was once allocated to the program, but has since been deallocated

https://www.cybok.org/media/downloads/Software_Security_issue_1.0_1M7Kfk2.pdf
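The two sub-classes above, as an added Python model (not code from the slides or from CyBOK): Python itself is memory-safe, so the block simulates a C-style heap as one flat `bytearray` carved into fixed-size chunks with raw read/write helpers that check neither bounds nor liveness. `spatial_bug` overflows one chunk into its neighbour, `temporal_bug` reads through a pointer after the chunk has been freed and reused, and `checked_write` shows the two checks a memory-safe runtime performs. The class and function names, the chunk size and the sample data are assumptions made for the illustration.

```python
# Added illustration (not from the slides): a C-style heap modelled as one flat
# bytearray. The raw read/write helpers check neither bounds nor liveness,
# which is exactly what makes the two bug classes possible.


class ToyHeap:
    CHUNK = 8  # bytes per allocation, kept tiny so overflows are visible

    def __init__(self, chunks=4):
        self.mem = bytearray(self.CHUNK * chunks)
        self.free_list = list(range(chunks))  # chunk indexes still available
        self.live = set()                     # chunk indexes currently allocated

    def malloc(self):
        """Hand out the first free chunk; returns its byte offset ("pointer")."""
        idx = self.free_list.pop(0)
        self.live.add(idx)
        return idx * self.CHUNK

    def free(self, ptr):
        """Return a chunk to the front of the free list (LIFO reuse, like many
        real allocators), without touching its contents."""
        idx = ptr // self.CHUNK
        self.live.discard(idx)
        self.free_list.insert(0, idx)

    def write(self, ptr, data):
        """Raw store: no bounds check, no liveness check."""
        self.mem[ptr:ptr + len(data)] = data

    def read(self, ptr, n):
        """Raw load: same lack of checks."""
        return bytes(self.mem[ptr:ptr + n])


def spatial_bug(heap):
    """Spatial: a 9-byte write into an 8-byte buffer lands in the neighbour.
    Returns True if the adjacent 'is_admin' flag was flipped by the overflow."""
    name = heap.malloc()
    is_admin = heap.malloc()          # allocated right after `name`
    heap.write(is_admin, b"\x00" * heap.CHUNK)
    heap.write(name, b"A" * heap.CHUNK + b"\x01")   # one byte too many
    return heap.read(is_admin, 1) == b"\x01"


def temporal_bug(heap):
    """Temporal: a pointer is used after free; the chunk has been reused for
    another object, so the stale read returns that object's data."""
    session = heap.malloc()
    heap.write(session, b"user:bob")
    heap.free(session)                 # `session` is now dangling
    token = heap.malloc()              # allocator hands the same chunk back
    heap.write(token, b"secret!!")
    return heap.read(session, heap.CHUNK)


def checked_write(heap, ptr, size, data):
    """What a memory-safe runtime or a bounds/liveness-checking allocator
    does instead: refuse both the out-of-bounds and the dangling write."""
    if len(data) > size:
        raise IndexError("%d-byte write into %d-byte buffer" % (len(data), size))
    if (ptr // heap.CHUNK) not in heap.live:
        raise RuntimeError("write through a dangling pointer")
    heap.write(ptr, data)


if __name__ == "__main__":
    print("spatial bug flipped is_admin:", spatial_bug(ToyHeap()))
    print("temporal bug leaked:", temporal_bug(ToyHeap()))
```

The LIFO free list is what makes the temporal case dangerous in practice: the dangling pointer does not point at garbage, it points at whatever object the program allocated next, which is why use-after-free bugs leak or corrupt live data rather than just crashing.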
Categories of vulnerabilities
2. Structured Output Generation Vulnerabilities
• The program dynamically constructs structured output. E.g.,
– SQL queries to be consumed by a database
– HTML pages to be consumed by a web browser
• Insecure programming practice: construct such output as a concatenation of strings where some of these strings are derived (directly or indirectly) from input to the program

https://www.cybok.org/media/downloads/Software_Security_issue_1.0_1M7Kfk2.pdf
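The category just described and the concatenation shown on the "Vulnerability vs exploit" slide, as one added Python example (not code from the slides): the vulnerable query is run against an in-memory SQLite table beside the parameterised version, and the same concatenation mistake and its fix are shown for HTML output. The table, its rows, the `101 OR 1=1` payload and the function names are constructed for the demo.

```python
import html
import sqlite3

# Added example (not code from the slides): string concatenation into SQL
# and into HTML, each beside the form that keeps input as data.


def make_db():
    """Constructed stand-in for the application's Users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (UserId INTEGER, Name TEXT, Secret TEXT)")
    con.executemany(
        "INSERT INTO Users VALUES (?, ?, ?)",
        [(101, "riccardo", "pw-r"), (102, "alice", "pw-a"), (103, "bob", "pw-b")],
    )
    return con


def lookup_vulnerable(con, txt_user_id):
    """The slide's pattern: query text = fixed string + request parameter.
    The parameter can therefore change the *structure* of the query."""
    txt_sql = "SELECT * FROM Users WHERE UserId = " + txt_user_id
    return con.execute(txt_sql).fetchall()


def lookup_fixed(con, txt_user_id):
    """Structure is fixed in the statement; the value is bound separately and
    is only ever compared, never parsed as SQL."""
    return con.execute("SELECT * FROM Users WHERE UserId = ?", (txt_user_id,)).fetchall()


def greeting_vulnerable(name):
    """Same mistake for HTML: the input can close the tag and open its own."""
    return "<p>Hello, " + name + "!</p>"


def greeting_fixed(name):
    """Escape < > & \" ' so the input stays text inside the element."""
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


if __name__ == "__main__":
    con = make_db()
    print(lookup_vulnerable(con, "101"))           # one row, as intended
    print(lookup_vulnerable(con, "101 OR 1=1"))    # every row: structure changed
    print(lookup_fixed(con, "101"))                # one row
    print(lookup_fixed(con, "101 OR 1=1"))         # no row: compared as a value
    print(greeting_vulnerable("<script>alert(1)</script>"))
    print(greeting_fixed("<script>alert(1)</script>"))
```

Because the slide's concatenation is unquoted, a payload has to begin with something the parser accepts as a value: a bare word like `riccardo` is an unknown column and the statement errors out, so the demo uses `101 OR 1=1`. In the fixed query SQLite applies the column's numeric affinity to the bound text, so `"101"` still matches row 101 while `"101 OR 1=1"` simply matches nothing.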
Categories of vulnerabilities
3. API Vulnerabilities
An API comes with an (explicit or implicit) contract of how it should be used and what services it offers. If the client of the API violates the contract, the software system again enters an error state, and the further behaviour of the software system will depend on implementation details of the API.

https://www.cybok.org/media/downloads/Software_Security_issue_1.0_1M7Kfk2.pdf
Categories of vulnerabilities
4. Side-channel Vulnerabilities
The execution of a program is ultimately a physical process, typically involving digital electronic circuitry that consumes power, emits electromagnetic radiation, and takes time to execute to completion.
In computer science we model the execution of programs abstractly, in terms of the execution of code on an abstract machine whose semantics is defined mathematically (with varying levels of rigour).
A side-channel is an information channel that communicates information about the execution of a software program by means of such effects from which the program's code abstracts.

https://www.cybok.org/media/downloads/Software_Security_issue_1.0_1M7Kfk2.pdf
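A timing side channel of the kind described above, as an added Python illustration (not from the slides or CyBOK). Rather than measuring wall-clock time, which is noisy, each comparison routine reports how many bytes it examined; on real hardware that count is what surfaces as a difference in execution time. `recover_secret` then reconstructs the secret byte by byte from nothing but that count, succeeding against the early-exit comparison and failing against the constant-time one. The secret value, the alphabet and all function names are assumptions made for the demo.

```python
import hmac

# Added illustration (not from the slides): a timing side channel modelled
# deterministically through a byte-comparison counter.


def naive_compare(secret, guess):
    """Early-exit comparison (what a hand-rolled loop or C's strcmp does).
    Returns (equal?, number of byte comparisons performed)."""
    if len(secret) != len(guess):
        return False, 0
    steps = 0
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:
            return False, steps          # stops at the first mismatch
    return True, steps


def constant_time_compare(secret, guess):
    """Examines every byte whatever the input, so the count (and the time)
    carries no information about where the first mismatch is."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    for a, b in zip(secret, guess):
        diff |= a ^ b                    # accumulate, never branch on data
    return diff == 0, len(secret)


def recover_secret(oracle, alphabet, length):
    """Byte-at-a-time recovery using only what the oracle leaks: the guess
    whose correct prefix is one byte longer is examined one step longer.
    Padding uses a byte outside `alphabet` so it can never match by accident."""
    known = b""
    for pos in range(length):
        best, best_steps = alphabet[0], -1
        for c in alphabet:
            guess = known + bytes([c]) + b"\x00" * (length - pos - 1)
            ok, steps = oracle(guess)
            if ok:
                return known + bytes([c])
            if steps > best_steps:
                best, best_steps = c, steps
        known += bytes([best])
    return known


ALPHABET = b"abcdefghijklmnopqrstuvwxyz0123456789"


def attack(compare_fn, secret=b"s3cr3t"):
    """Run the recovery against a comparison routine; `secret` is a
    constructed value the attacker does not know."""
    return recover_secret(lambda g: compare_fn(secret, g), ALPHABET, len(secret))


if __name__ == "__main__":
    print("early-exit compare leaks:", attack(naive_compare))
    print("constant-time compare leaks:", attack(constant_time_compare))
    # In real code use the library routine rather than a hand-written loop:
    print(hmac.compare_digest(b"s3cr3t", b"s3cr3t"))
```

The abstract semantics of both routines is identical (a boolean), which is why the leak is invisible in the code and only shows up in the physical effect the code abstracts from; `hmac.compare_digest` is the standard-library way to get the constant-time behaviour.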
Categories of vulnerabilities
5. Race Condition Vulnerabilities (concurrency issue)
• The program checks a condition on a resource, and later relies on that condition when using the resource
– An attacker can interleave their own actions to invalidate the condition between the check and the use
– Time Of Check Time Of Use (TOCTOU) vulnerability

https://www.cybok.org/media/downloads/Software_Security_issue_1.0_1M7Kfk2.pdf
Example: access/open race
A privileged (e.g., setuid-root) program can:

1) Run with the real uid/gid and perform access(logfilename, W_OK) to check whether
• the file exists
• the user has write access to it

2) Open the file for writing by calling, as root, open(logfilename, O_WRONLY | O_APPEND)

E.g., xterm can create a log of what the user types
Example: access/open race
Attack

1) The exploit provides, as logfilename, the name of a symbolic link pointing to a file the user is allowed to write

2) The symbolic link is re-pointed to the target file after access() has passed but before open() is called
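The check-then-open race of the previous two slides, as an added Python example (not code from the slides) that runs unprivileged on a POSIX system in a throw-away directory. The attacker's concurrent step is simulated by a callback invoked between the check and the open, standing in for the relinking of the symlink; `hardened_append` shows the usual fix of opening first with `O_NOFOLLOW` and then checking the object actually opened through its descriptor. The file names, the `victim` file standing in for the protected target, and all function names are assumptions made for the illustration.

```python
import os
import stat
import tempfile

# Added illustration (not from the slides): the access()/open() race
# reproduced unprivileged; the "attacker" is a callback that relinks a
# symlink inside the race window.


def vulnerable_append(logfilename, data, between_check_and_open=lambda: None):
    """Check the *name* with access(), then open() the same name later.
    Whatever the name points to at open() time is what gets written."""
    if not os.access(logfilename, os.W_OK):
        raise PermissionError("not writable by the real uid")
    between_check_and_open()                       # the race window
    fd = os.open(logfilename, os.O_WRONLY | os.O_APPEND)   # follows symlinks
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def hardened_append(logfilename, data, between_check_and_open=lambda: None):
    """Open first, refusing to follow a symlink in the final path component,
    then check the object that was actually opened via its descriptor."""
    between_check_and_open()
    fd = os.open(logfilename, os.O_WRONLY | os.O_APPEND | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)                          # the opened object, not the name
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
            raise PermissionError("opened object is not the caller's regular file")
        os.write(fd, data)
    finally:
        os.close(fd)


def run_race(append_fn):
    """Constructed scenario: a user-owned log file, a 'victim' file standing in
    for the protected target, and a symlink that is re-pointed mid-call.
    Returns (outcome, victim file contents after the call)."""
    with tempfile.TemporaryDirectory() as d:
        user_file = os.path.join(d, "user.log")
        victim = os.path.join(d, "victim")
        link = os.path.join(d, "log")
        open(user_file, "wb").close()
        with open(victim, "wb") as f:
            f.write(b"ORIGINAL\n")
        os.symlink(user_file, link)                # the check sees user.log

        def relink():                              # attacker wins the race
            os.unlink(link)
            os.symlink(victim, link)

        try:
            append_fn(link, b"INJECTED\n", relink)
            outcome = "written"
        except OSError as e:
            outcome = type(e).__name__
        with open(victim, "rb") as f:
            return outcome, f.read()


if __name__ == "__main__":
    print("vulnerable:", run_race(vulnerable_append))
    print("hardened:  ", run_race(hardened_append))
```

The hardened version refuses a symlinked log name altogether (`open` fails with ELOOP), which is the accepted answer for setuid programs: there is no way to make a check on a path name and a later open of that name refer to the same object, so the check has to be done on the descriptor after the open.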
Other classifications
Vulnerability types – Prevalence "in the wild"

• OWASP Top 10 Web Application Security Risks
– List of the top 10 security vulnerabilities found most commonly in the wild
– Periodically updated to reflect progress and new attacks
• MITRE's CWE Top 25 Most Dangerous Software Errors
– Prioritized list of dangerous software errors
– Intended to minimize software vulnerability

Mostly, educational value (awareness)


OWASP Top 10
https://owasp.org/www-project-top-ten/
Current version: 2021 (the list below is the 2017 edition; the 2021 edition reorders and renames several entries)
• A1:2017-Injection
• A2:2017-Broken Authentication
• A3:2017-Sensitive Data Exposure
• A4:2017-XML External Entities (XXE)
• A5:2017-Broken Access Control
• A6:2017-Security Misconfiguration
• A7:2017-Cross-Site Scripting (XSS)
• A8:2017-Insecure Deserialization
• A9:2017-Using Components with Known Vulnerabilities
• A10:2017-Insufficient Logging & Monitoring
MITRE Top 25
• Version referenced here: 2020
• https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html
Problem?

How to assess the "importance" of (i.e., the risk associated with) a vulnerability?
CVSS
Common Vulnerability Scoring System (maintained by FIRST; NVD publishes CVSS scores for CVE records)
Challenges
• Difficult (lots of expertise needed)
• Lots of new vulnerabilities
– Check Twitter for a "daily" update: @CVEnew

• A vulnerability scoring system gives some help
CVSS v3 - Metrics
(Figure omitted: the three metric groups)
– Base metrics: given by NVD for CVE records
– Temporal metrics: not given
– Environmental metrics: organization-specific (not given)

From these individual ratings the CVSS severity is computed

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
Example (for CVE-2015-2445)
(Screenshot omitted)

Calculator – Example
(Screenshot omitted)
Study material
(not discussed in class)
CVSS
• CVSS starts from the vulnerabilities when organizing
impact assessment
– https://www.first.org/cvss/specification-document
– https://nvd.nist.gov/vuln/search (US National
Vulnerability Database)
• Impact of a vulnerability can change over time
• Impact of a vulnerability will depend on the specific
environment a system is deployed in (e.g., value of
assets in the system, criticality of business, etc.)
• Not all sources of vulnerability reports are equally
reliable

Study material
(not discussed in class)
CVSS - Base Metrics
• Base metric group: collects generic aspects of a vulnerability
– Attack vector: from where the vulnerability can be exploited (local or remote attacker?)
– Attack complexity: how complex an exploit would have to be (related to exploitability in DREAD)
– Privileges required: what an attacker must already have to exploit the vulnerability
– User interaction: whether another user must take an action during an attack
– Scope captures whether a vulnerability in one component impacts other components beyond its security scope
– Ratings also consider the standard impact categories confidentiality, integrity, and availability

Given by NVD for CVE records
Study material
(not discussed in class)
CVSS - Temporal Metrics
• Temporal metrics group: captures current state of
exploits and countermeasures
– Exploit code maturity measures the likelihood of the
vulnerability being exploited; based on the current state
of exploit techniques, exploit code availability, or active,
“in-the-wild” exploitation; related to reproducibility in
DREAD
– Remediation level: to which extent are fixes addressing
the vulnerability available? Highest level: “official fix”
– Report confidence measures the degree of confidence in
the existence of the vulnerability and the credibility of
the known technical details

Study material
(not discussed in class)
CVSS - Environmental Metrics
• Environmental metrics group: rates impact on the
assets of a given organisation
– Security requirements (CIA): customize CVSS score
depending on the importance of the affected IT asset
to a user’s organization
– Modified base metrics: enable the analyst to
override individual Base metrics based on specific
characteristics of a user’s environment

Study material
(not discussed in class)
CVSS - Scoring
• Each item on the score sheet has a predefined
number of possible answers
• For example, the attack vector can be network
(remotely exploitable), adjacent, local, or
physical
• CVSS severity score calculated from the ratings
given
• Score calculator at
https://www.first.org/cvss/calculator/3.0
• Try it out!!

