The software does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.
Modes of Introduction:
– Architecture and Design
Likelihood of Exploit:
Related Weaknesses
Consequences
Other: Other
Potential Mitigations
Phase: Implementation
Effectiveness:
Description:
Document and closely follow coding standards.
Phase: Testing, Implementation
Effectiveness:
Description:
Where possible, use automated tools to enforce the standards.
The software does not properly handle special paths that may identify the data or resource fork of a file on the HFS+ file system.
If the software chooses actions to take based on the file name, then if an attacker provides the data or resource fork, the software may take unexpected actions. Further, if the software intends to restrict access to a file, then an attacker might still be able to bypass intended access restrictions by requesting the data or resource fork for that file.
Server allows remote attackers to read files and resource fork content via HTTP requests to certain special file names related to multiple data streams in HFS+.
Integrity, Confidentiality: Read Files or Directories, Modify Files or Directories
The application can operate on unexpected files. Confidentiality is violated when the targeted filename is not directly readable by the attacker.
Integrity, Confidentiality, Availability: Modify Files or Directories, Execute Unauthorized Code or Commands
The application can operate on unexpected files. This may violate integrity if the filename is written to, or if the filename is for a program or other form of executable code.
Availability: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (Other)
The application can operate on unexpected files. Availability can be violated if the attacker specifies an unexpected file that the application modifies. Availability can also be affected if the attacker specifies a filename for a large file, or points to a special device or a file that does not have the format that the application expects.
Potential Mitigations
Phase: Architecture and Design
Effectiveness:
Description:
When the set of filenames is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames, and reject all other inputs. For example, ID 1 could map to “inbox.txt” and ID 2 could map to “profile.txt”. Features such as the ESAPI AccessReferenceMap provide this capability.
Phase: Architecture and Design, Operation
Effectiveness:
Description:
Phase: Architecture and Design
Effectiveness:
Description:
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Phase: Implementation
Effectiveness: High
Description:
Phase: Implementation
Effectiveness:
Description:
Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes “..” sequences and symbolic links (CWE-23, CWE-59).
Phase: Installation, Operation
Effectiveness:
Description:
Use OS-level permissions and run as a low-privileged user to limit the scope of any successful attack.
Phase: Operation, Implementation
Effectiveness:
Description:
If you are using PHP, configure your application so that it does not use register_globals. During implementation, develop your application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.
Phase: Testing
Effectiveness:
Description:
Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.
Phase: Testing
Effectiveness:
Description:
Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software’s operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Phase: Testing
Effectiveness:
Description:
Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.
A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
Vulnerability analysis includes the detection, assessment, classification and treatment based on the risk they pose to the company.
Vulnerability Identification
A security team can detect vulnerabilities following different approaches. As part of a vulnerability management process, it is good practice to subscribe to the mailing lists in which vulnerabilities and related countermeasures are disclosed. This service is usually offered by the vendor or, if not available, through third parties. It is a very time expensive but necessary task. You must perform it on a daily basis to promptly detect vulnerabilities and to comply with several standards/regulations. Other inputs could derive from the analysis of the hardening procedures reports/tasks, the periodic review of the access rules and of the company policies and procedures.
Tools
Thanks to tools like Nessus and OpenVAS, it is possible to partially automate the discovery and analysis of vulnerabilities. After verifying the active hosts and the related services, we can deepen our analysis and determine the operating system and application versions.
As shown in the figure, Nessus provides the list of vulnerabilities to which each analyzed host is potentially vulnerable. Potentially because the scanner does not attempt to exploit the vulnerability. This phase, often manual, is not part of the vulnerability analysis process and is normally carried out within a penetration test.
CVSS
In the report, vulnerabilities are classified according to the CVSS (Common Vulnerability Scoring System), a framework used to classify software vulnerabilities. CVSS is an important tool that simplifies the vulnerability management process.
Let’s pretend you are in a meeting with the company management and you have to share the results of your vulnerability analysis. The test results were not good: you need at least three system administrators for one month to implement the remediation plan. You need to install patches, implement countermeasures, and you have to do it fast. During the meeting, you could try to tell management that you found several RCE-type vulnerabilities on systems deployed in your DMZ. Attackers do not need system/applications credentials to perform the attack and exploits are readily available on the Internet. Or you could report the presence of several CVSS 10 vulnerabilities on critical systems. For more information on CVSS, in its two versions 2.0 and 3.0, I suggest reading our article.
CVE & NVD
Each vulnerability has a Common Vulnerability and Exposures (CVE) ID, in the form of CVE-YYYY-NNNN. The assignment of an ID to each vulnerability allows one to keep track of it and to automate/simplify the integration of the different tools available to an analyst.
Let’s say you have just detected a vulnerability on your firewall appliance. Since it is a well-known vulnerability, it has got a specific CVE-ID. Assuming that your firewall vendor catalogues their vulnerabilities and patches by CVE, it is going to be easy to ask the vendor for additional information, search for the relevant patches and to minimize the possible impacts of applying remediation on the infrastructure. Furthermore, it is going to be easy to find the relevant signature in your IDS/IPS. CVE is operated by “The Mitre Corporation“. More details can be obtained on the cve.org website.
NVD (National Vulnerability Database) is managed by NIST (National Institute of Standards and Technology). NVD is a vulnerability database: for each CVE information such as countermeasure, criticality and impact is provided.
CWE & OWASP
CWE (Common Weakness Enumeration) is a list of common types of hardware and software defects that have security implications. The CWE list can be used as a framework to describe and communicate such vulnerabilities in terms of CWEs. The CWE Top 25 Most Dangerous Software Weakness List is a list of the most common programming errors that can lead to software vulnerabilities. Vulnerabilities present in the CWE Top 25 are usually easy to detect and exploit. For example, the CWE-79 is related to Cross-Site Scripting while the CWE-89 to SQL Injection. A similar project is Top Ten Owasp (Open Web Application Security Project). Compared to the CWE Top 25, the Top Ten OWASP focuses solely on vulnerabilities of web applications. The CWE Most Important Hardware Weakness List serves the same purpose, but it focuses on hardware defects.
Vulnerabilty Analysis steps
Vulnerability analysis comprehends different phases.
Preparatory phase
it is not possible to carry out a thorough and reliable analysis without having a deep knowledge of the infrastructure/application under examination. If the procedure for managing IT services and their related assets is not implemented, it is not going to be possible to classify and prioritize vulnerabilities. Let’s say our vulnerability scanner found 300 vulnerabilities on approximately 30 hosts. Which vulnerabilities should I prioritize? Which one shall I remediate immediately? The answer relies not only on the vulnerability severity but also on how important are the hosts and services affected by it.
Discovery and analysis of vulnerabilities
You performed vulnerability scans, you analysed security advisories, system configurations, your company policies and procedures. You have a comprehensive list of vulnerabilities. You can now prioritise them, identify false positives (and false negatives), and improve the results with your knowledge of the infrastructure/application. At the end of this phase, your security team will produce a vulnerability scan report.
Post assessment
It is now possible to define a remediation plan. The remediation plan is not a mere list of the patches, countermeasures and IPS rules: if your analysis has shown the presence of several SQL Injection, CRSF and XSS vulnerabilities in the software developed internally (or by a specific supplier), you must immediately schedule secure programming training classes for your developers.
If these kinds of vulnerabilities are found on software purchased from third parties, you must tell the service owner to look for a new vendor.
While the first scenario is a symptom of a poor security awareness policy, the second one highlights a poor supplier policy: do you review your supplier security policies after you sign a contract? Do you ask to review their development procedures? Do they regularly perform code reviews? Is security fully integrated into their development life-cycle? Outsourcing has hidden costs that you always need to consider.
Once the remediation plan has been implemented, the security team shall verify it has been properly implemented. Depending on its size, the implementation of the remediation activities can take several weeks, if not months. It is crucial to plan periodic meetings to keep the team focused and to check the progress.
What’s next?
In the next articles, we will analyse the vulnerability management process and its implications for regulations like ISO27001 and PCI-DSS. In the meantime, we suggest reading our articles about CVSS and the Metasploit lab.
UPDATE January 19: Updated Coverage section about the third malware that FortiGuard Labs has confirmed as a wiper malware..FortiGuard Labs is aware of a report that multiple organizations in the Ukraine were impacted by destructive malware. The malware looks to be some kind of ransomware at first glance; however, it does not have the telltale signs of ransomware. It overwrites the victim’s Master Boot Record (MBR) and files with specific file extensions without any recovery mechanism, which are enough to classify the malware as a destructive wiper malware.Why is this Significant?This is significant because the attack involves a wiper malware that destroys the victim’s MBR and certain files without any recovery mechanism.How Widespread is the Attack?At this point, the attack only affected multiple unnamed organizations in Ukraine.What the Details of the Attack?Initial attack vector has not yet been identified.This attack involves three malware.The first malware overwrites the victim’s Master Boot Record (MBR) which makes Windows OS unbootable and leaves a ransom note that reads below:Your hard drive has been corrupted.In case you want to recover all hard drivesof your organization,You should pay us $10k via bitcoin wallet1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message viatox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65with your organization name.We will contact you to give further instructions.The second malware simply downloads a wiper malware hosted on a Discord channel and executes it.The wiper malware searches for and overwrites files with the following file extensions on the victim’s machine:.3DM .3DS .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD .BZ .BZ2 .CGM .CLASS .CMD .CONFIG .CPP .CRT .CS .CSR .CSV .DB .DBF .DCH .DER .DIF .DIP .DJVU.SH .DOC .DOCB .DOCM .DOCX .DOT .DOTM .DOTX .DWG .EDB .EML .FRM .GIF .GO .GZ .HDD .HTM .HTML .HWP .IBD .INC .INI .ISO .JAR .JAVA .JPEG .JPG .JS .JSP .KDBX .KEY .LAY .LAY6 .LDF .LOG .MAX .MDB .MDF .MML .MSG .MYD .MYI .NEF .NVRAM .ODB .ODG .ODP .ODS .ODT .OGG .ONETOC2 .OST .OTG .OTP .OTS .OTT .P12 .PAQ .PAS .PDF .PEM .PFX .PHP .PHP3 .PHP4 .PHP5 .PHP6 .PHP7 .PHPS .PHTML .PL .PNG .POT .POTM .POTX .PPAM .PPK .PPS .PPSM .PPSX .PPT .PPTM .PPTX .PS1 .PSD .PST .PY .RAR .RAW .RB .RTF .SAV .SCH .SHTML .SLDM .SLDX .SLK .SLN .SNT .SQ3 .SQL .SQLITE3 .SQLITEDB .STC .STD .STI .STW .SUO .SVG .SXC .SXD .SXI .SXM .SXW .TAR .TBK .TGZ .TIF .TIFF .TXT .UOP .UOT .VB .VBS .VCD .VDI .VHD .VMDK .VMEM .VMSD .VMSN .VMSS .VMTM .VMTX .VMX .VMXF .VSD .VSDX .VSWP .WAR .WB2 .WK1 .WKS .XHTML .XLC .XLM .XLS .XLSB .XLSM .XLSX .XLT .XLTM .XLTX .XLW .YML .ZIPIt also changes the file extension of the affected file to a random four-byte extension.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against the malware involved:W32/KillMBR.NGI!trMSIL/Agent.FP!tr.dldrMSIL/Agent.QWILJV!trW32/KillFiles.NKU!tr.ransomMSIL/VVH!trThe following AV coverage is available for the the third malware which FortiGuard Labs has confirmed as a wiper malware: MSIL/Agent.VVH!tr
sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm’s runtime is proportional to the square of the length of the password.
MediaWiki before 1.23.16, 1.24.x through 1.27.x before 1.27.2, and 1.28.x before 1.28.1 allows remote attackers to discover the IP addresses of Wiki visitors via a style=”background-image: attr(title url);” attack within a DIV element that has an attacker-controlled URL in the title attribute.
A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to retrieve the plaintext password sent over the wire even if Kerberos authentication was required.
A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use this flaw to cause possible privilege escalation.
