Vulnerabilities by linzhengnd


• flaws in systems that allow them to be exploited

   • provide means for attackers to compromise hosts, servers and

   • 2 flavors

      • bugs – programming mistakes

         • errors in code that could cause a system to hang, fall into an insecure state, or allow root access
         • incorrect firewall/router/IDS rules

      • flaws – improper design

         • failing to account for all possibilities in design leads to code with vulnerable ‘features’
• 2-edged sword

   • publishing vulnerabilities and patches is the only way to fix the problem

   • once published – the network of hackers is aware of the vulnerability

   • patch management is a MAJOR security problem!

   • ‘Security by Obscurity’

      • attempts to use secrecy to prevent knowledge of vulnerabilities

      • vendors of proprietary code are often accused of this

   • zero-day attack

      • attack takes place during the window between when a vulnerability becomes known and when a patch becomes available
Between a ‘rock and a hard place’

• what do you do if you discover a vulnerability in a product and a patch is not available?

   • do you keep it secret until a patch is

      • this leaves customers vulnerable
      • the vendor may not work to fix it since there is no pressure

   • do you publicize it to put pressure on the

      • knowing that by doing so you have notified all of the hacker community
Between a ‘rock and a hard place’

Example 1:

   • in 2009 Microsoft announced a vulnerability in the SMB subsystem that could leave servers vulnerable to a DoS attack

      • there was no patch yet

      • IT managers had two choices

         • disable SMB – meaning some systems would not work

         • wait for the patch and pray there would not be an incident
Between a ‘rock and a hard place’

Example 2:

   • in 2008 a Mass. Dist. Judge ordered MIT students NOT to present information at DefCon regarding a vulnerability in the MTA ‘CharlieTicket’ system

   • the judge said the intent was not to silence the students but to enforce a reasonable period during which a fix could be found

   • the gag order was overturned, but not until after DefCon had concluded
Vulnerability Management

   • many strategies for managing

      • vulnerability scanners
      • vulnerability notification
      • vulnerability information online through
      • vulnerability and penetration testing

   • these go hand-in-hand with adequate patch
Vulnerability Scanners

• programs that scan a network, host or application for known vulnerabilities

   • Types

      • port scanner – looks for open ports (nmap)
      • network enumerator – provides information on groups, usernames, shares and services (nmap and
      • network vulnerability scanner – looks for vulnerabilities in network resources and servers (nessus, SAINT)
      • Web application security scanner – looks for vulnerabilities in Web servers and scripts (SAINT, Metasploit Pro)
      • Database security scanner – looks for vulnerabilities in DBMS and SQL code (Safety Lab
Vulnerability Notification

   • many vendors will either mail a notification or post to a Web site when a vulnerability has been found and how to patch it

   • services exist that maintain vulnerability lists for multiple products and will provide notification

      • with many of these you provide a list of the software and versions in your
Vulnerability Notification

   • examples

      • Vupen Security vulnerability services

      • SecureNet Solutions vulnerability notification service

      • Secunia CSI free for home users
Vulnerability Notification

• CERT (Computer Emergency Response Team) at CMU

   • provides weekly list of known

   • organization security team matches inventory of software and versions to this list
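The matching step described above, as an added example that is not part of the original slides: a software inventory is compared against a notification list by version range. The advisory entries, product names and hosts are constructed placeholders, not real CERT data.

```python
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """'2.4.10' -> (2, 4, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    product: str
    affected_from: str  # first affected version (inclusive)
    fixed_in: str       # first version carrying the fix (exclusive)
    note: str


# Constructed notification list; product names and notes are placeholders,
# not real CERT entries.
ADVISORIES = [
    Advisory("webserver", "2.4.0", "2.4.12", "placeholder: remote crash"),
    Advisory("dbms", "10.0", "10.3", "placeholder: privilege escalation"),
]

# Constructed software inventory: host -> (product, installed version).
INVENTORY = {
    "web01": ("webserver", "2.4.10"),
    "web02": ("webserver", "2.4.12"),
    "db01": ("dbms", "9.8"),
    "db02": ("dbms", "10.2.1"),
}


def is_affected(version: str, adv: Advisory) -> bool:
    """True when the installed version falls inside the advisory's affected range."""
    v = parse_version(version)
    return parse_version(adv.affected_from) <= v < parse_version(adv.fixed_in)


def match_inventory(inventory: dict, advisories: list) -> list:
    """Return (host, product, version, fixed_in) for each host that still needs the patch."""
    hits = []
    for host, (product, version) in sorted(inventory.items()):
        for adv in advisories:
            if adv.product == product and is_affected(version, adv):
                hits.append((host, product, version, adv.fixed_in))
    return hits


if __name__ == "__main__":
    for host, product, version, fixed_in in match_inventory(INVENTORY, ADVISORIES):
        print(f"{host}: {product} {version} affected, upgrade to {fixed_in}")
```

Comparing version tuples rather than strings is what keeps "10.2.1" ordered after "9.8"; a plain string comparison would get that backwards.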
Threats – the counterpart to

   • Threats exploit vulnerabilities

      • vulnerability – you left your car unlocked
      • threat – criminals going through shopping center parking lots looking for unlocked cars

   • Fortinet’s FortiGuard Center Threat Research and Response Center provides Threat reports and

      • awareness of the threat landscape can help to prioritize vulnerabilities
Top 3 Application Vulnerabilities

1 – Buffer overflow

   • software may not enforce array bounds
   • can allow buffers (arrays used for I/O) to overflow and overwrite the code area
   • some malware works this way – ‘smashing the stack’
   • mainly aimed at systems that allow code to be executed with privileged rights

   • best addressed in design and programming
   • patches can often fix this in vendor-supplied software

   verflow_Attacks.html (6 min)
Top 3 Application Vulnerabilities
According to CERT

2 – cross-site scripting

   • code is injected into communications from a Web site
   • most ‘drive-by’ malware uses this method
   • often relies on social engineering to get the user to follow a link (banks are especially targeted)

   • Web script writers can validate input and cleanse
   • script disabling (although not always practical)
   • use of a least-privilege account
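The "validate input and cleanse" countermeasure, as an added example that is not from the slides: a constrained field (display name) is allowlist-validated, a free-text field (comment) is HTML-encoded for the page body, and a small review check reports whether any user-supplied tag survived rendering. Inputs, names and the page template are constructed for illustration.

```python
import html
import re

# Constructed inputs: a display name that must be plain text, and a free-text
# comment containing markup the poster should not be able to inject.
GOOD_NAME = "alice"
BAD_NAME = "alice<img src=x>"
COMMENT = "great <i>site</i> & cheap"

NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_name(name: str) -> bool:
    """Allowlist validation for a constrained field: only letters, digits, underscore."""
    return NAME_RE.fullmatch(name) is not None


def render_vulnerable(name: str, comment: str) -> str:
    """Untrusted text pasted straight into the page; the browser parses any tags in it."""
    return f"<p><b>{name}</b>: {comment}</p>"


def render_safe(name: str, comment: str) -> str:
    """Validate the constrained field, HTML-encode the free-text field for the body context."""
    if not is_valid_name(name):
        raise ValueError("display name rejected")
    return f"<p><b>{name}</b>: {html.escape(comment)}</p>"


def contains_user_markup(rendered: str, template_tags=("p", "b")) -> bool:
    """Review check: does any tag other than the template's own tags appear in the output?"""
    tags = {t.lower() for t in re.findall(r"</?([A-Za-z0-9]+)", rendered)}
    return bool(tags - set(template_tags))


if __name__ == "__main__":
    print(render_vulnerable(GOOD_NAME, COMMENT))  # <i> survives as live markup
    print(render_safe(GOOD_NAME, COMMENT))        # <i> is shown as literal text
```

Encoding is context-specific: html.escape covers the HTML body and attribute values, but text placed inside a script block or a URL needs the encoding for that context instead.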

Top 3 Application Vulnerabilities
According to CERT

3 – SQL injection

   • commands passed through a Web form to SQL
   • can exploit lack of security and gain control of

   • solution is to add code to validate input (3
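The "commands passed through a Web form to SQL" pattern beside its fix, as an added example that is not from the slides: the same login lookup is built once by pasting form fields into the SQL text and once with parameter placeholders, run against a constructed in-memory SQLite table so the difference is observable. Table contents and the sample form input are constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user with a known password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Form fields spliced into the SQL text: a quote in the input changes the query."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Placeholders keep the form fields as data; the SQL text is fixed at write time."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


if __name__ == "__main__":
    conn = make_db()
    # Constructed form input: closes the quoted literal and adds an always-true clause.
    bad_password = "' OR '1'='1"
    print(lookup_vulnerable(conn, "alice", bad_password))     # ['alice'] without the password
    print(lookup_parameterized(conn, "alice", bad_password))  # [] - treated as a literal string
```

Input validation (the slide's suggestion) still belongs on the form fields, but placeholders are what guarantee the database never parses user text as SQL.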
Vulnerability Management

   Gartner defines 6 steps for vulnerability

      • Define policy
      • Baseline the environment
      • Prioritize vulnerabilities
      • Mitigate vulnerabilities
      • Maintain and monitor
Patch Management

   • requires coordinated effort

      • knowing which patches are available
      • testing patches
      • scheduling patch installation

   • however – many systems remain

      • some applications (such as Firefox) push

      • others (such as Adobe) allow users to
Patch Management

• although recognized as a major security problem – patch management is seen as a burden by traditional IT management

   • it sucks up resources
   • it adds nothing to the bottom line
