Notes - MCS
Analysis and Exploration of Vulnerabilities
  1. Vulnerabilities

Vulnerability Tracking

During the development cycle, vulnerabilities are handled as bugs; the organization may or may not have a dedicated security team.

Once software is released, vulnerabilities are also tracked globally, for every publicly available system and software product.

Public tracking helps with:

  • focusing the discussion around the same issue.

    • e.g. a library used in multiple applications and distributions.

  • defenders to easily test their systems, enhancing security.

  • attackers to easily know what vulnerability can be used.

Vulnerabilities are also tracked privately:

  • Constitute an arsenal for future attacks against targets.

  • Exploits are weapons.

Knowledge about vulnerabilities and exploits is traded publicly:

  • From 0 to 2-3M€ (possibly more) through direct markets or acquisition programs.

  • Up to 2.5M€ from bug bounty programs or direct acquisition (Google, Zerodium). Published price lists have included:

    • 2.5M€: 1-click Android exploit.

    • 2M€: 1-click iPhone exploit.

    • 1.5M€: WhatsApp or iMessage exploit.

    • ~2K for an XSS on HackerOne (although there are records of $1M payouts).

It is also traded privately, at unknown prices.

Best-known tracking systems: CVE and NVD.

  • CVE: Common Vulnerabilities and Exposures, managed by MITRE.

  • NVD: National Vulnerability Database, managed by NIST.

Others:

  • CERT Vulnerability Notes Database (VNDB).

    • Maintained by CERTs; may provide additional information about a CVE.

  • VulnDB.

    • Focuses on API access and on providing information to companies.

  • DISA IAVA and STIGs.

    • Information Assurance Vulnerability Alerts: cover MIL and GOV systems.

    • Security Technical Implementation Guides: hardening baselines for specific products.

  • Information Sharing and Analysis Centers (ISACs).

    • Industry-driven and thematic (Auto-ISAC, FS-ISAC for finance, IT-ISAC, etc.).

CVE: Common Vulnerabilities and Exposures

Dictionary of publicly known information security vulnerabilities and exposures.

  • For vulnerability management.

  • For patch management.

  • For vulnerability alerting.

  • For intrusion detection.

Assigns one common identifier (CVE-YYYY-NNNN, with four or more digits) to each vulnerability, so that everyone refers to the same issue by the same name.

  • Enable data exchange between security products.

  • Provide a baseline index point for evaluating coverage of tools and services.

Details about a vulnerability can be kept private (the CVE ID stays in the RESERVED state).

  • Part of responsible disclosure: until the owner provides a fix.

Tracking is not an easy task:

  • Exploits are not always known.

  • Impact and Value may be underestimated.

Old feeds may create a false sense of security.

A highly dynamic community is great:

  • To defenders as they can test and implement defenses.

  • To attackers as they can incorporate exploits.

CVSS – Common Vulnerability Scoring System

Provides a quick way to determine the severity of a vulnerability (0-10 score).

  • Helps defenders prioritize the deployment of mitigations.

  • Helps attackers select the most convenient vulnerability to exploit.

  • Tends to be pessimistic (scores skew high).

Example: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

  • Base Score: 3.8 (LOW). Note that the "3.1" in the vector is the CVSS version, not the score.

  • Attack Vector: Network

  • Attack Complexity: Low

  • Privileges Required: High

  • User Interaction: None

  • Scope: Unchanged

  • Confidentiality: Low

  • Integrity: Low

  • Availability: None

Example: Base Metrics

The Base Score formula (CVSS v3.1 specification) is built from three sub-formulas: the Impact Sub-Score (ISS), Impact, and Exploitability. Each metric value (AV, AC, PR, UI, C, I, A) is replaced by a numeric weight from the specification's table.

  • ISS = 1 - [(1 - C) x (1 - I) x (1 - A)]

  • Impact = 6.42 x ISS if Scope is Unchanged; 7.52 x (ISS - 0.029) - 3.25 x (ISS - 0.02)^15 if Scope is Changed.

  • Exploitability = 8.22 x AV x AC x PR x UI

  • Base Score = 0 if Impact <= 0; otherwise Roundup(min(Impact + Exploitability, 10)) for Scope Unchanged, or Roundup(min(1.08 x (Impact + Exploitability), 10)) for Scope Changed. Roundup rounds up to one decimal place.

For the vector above: ISS = 1 - 0.78 x 0.78 = 0.3916; Impact = 6.42 x 0.3916 = 2.51; Exploitability = 8.22 x 0.85 x 0.77 x 0.27 x 0.85 = 1.23; Base Score = Roundup(3.75) = 3.8.
