Category Archives: Education

Vulnerabilities of the TLS Protocol

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are widely used protocols for secure online communication. They provide encryption and authentication between two applications over a network, ensuring the confidentiality and integrity of the data transmitted between them.

However, SSL/TLS is not invulnerable, and over the years several vulnerabilities have been discovered that can compromise the security of online transactions. One of the most significant is the POODLE attack, discovered in 2014, which affects the older versions of SSL/TLS. It exploits the way SSL/TLS handles padding in the encryption process, enabling an attacker to recover encrypted content, including sensitive data such as passwords and credit card numbers.

Another vulnerability is the BEAST attack, which exploits a vulnerability in the way SSL/TLS handles block ciphers in older versions of the protocol. This attack allows an attacker to intercept and decrypt secure HTTPS cookies, potentially giving them access to sensitive data.

A third vulnerability is known as the DROWN attack, which can exploit weak encryption protocols such as SSLv2. The attack allows an attacker to read encrypted data transmitted over an SSL/TLS connection by exploiting a flaw in the SSLv2 protocol. Even though SSLv2 is now considered obsolete and no longer used, some older systems may still have it enabled, leaving them vulnerable to attack.

To ensure the maximum security of your online transactions, it’s essential to be aware of the potential vulnerabilities of SSL/TLS and to take necessary precautions. To start with, it’s recommended to use the latest version of TLS, which is currently TLS 1.3, and to disable support for older, insecure protocols like SSLv2 and SSLv3.

It’s also important to use strong encryption ciphers and to regularly test your TLS configuration for potential vulnerabilities. This can be done using tools like SSL Labs’ SSL Server Test, which can check the strength of your TLS configuration and identify any potential vulnerabilities.

Another crucial step is to renew your TLS certificates regularly. Certificates verify the identity of the server you’re communicating with, which is what stops an attacker from impersonating it and intercepting your data. TLS certificates have an expiration date, so it’s essential to keep them up to date to maintain that protection.

Finally, consider using other security measures like firewalls, antivirus software, and two-factor authentication to provide an additional layer of protection.

By taking these necessary precautions, you can significantly reduce the risk of SSL/TLS vulnerabilities and ensure the maximum security of your online transactions.
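The checks recommended above (no SSLv2/SSLv3 or pre-1.2 TLS, no weak cipher suites, certificates renewed before they expire) as a small self-contained audit. This is an added example, not code from the original post; the nginx-style `ssl_protocols`/`ssl_ciphers` directives and the weak/hardened config snippets are constructed here, and TLS 1.2 as the version floor is an assumption for interoperability.

```python
import ssl
import time
from typing import Optional

# Protocol names the post says to disable, spelled as nginx "ssl_protocols" writes them.
# SSLv2 and SSLv3 are the ones named in the post; TLS 1.0 and 1.1 predate TLS 1.2.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Name fragments that mark a cipher suite as broken or anonymous (no authentication).
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ANON", "ADH", "AECDH")


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses SSLv2, SSLv3, TLS 1.0 and TLS 1.1.

    TLS 1.2 is kept as the floor (assumption: some peers still lack TLS 1.3);
    TLS 1.3 is negotiated whenever the peer offers it.
    """
    ctx = ssl.create_default_context()  # certificate + hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_protocols(enabled: list) -> list:
    """One finding per legacy protocol that is still enabled."""
    return [f"legacy protocol enabled: {p}" for p in enabled if p in LEGACY_PROTOCOLS]


def audit_ciphers(suites: list) -> list:
    """One finding per cipher suite whose name contains a weak-algorithm marker."""
    findings = []
    for suite in suites:
        hits = [m for m in WEAK_CIPHER_MARKERS if m in suite.upper()]
        if hits:
            findings.append(f"weak cipher suite: {suite} ({', '.join(hits)})")
    return findings


def audit_nginx_ssl_config(config: str) -> list:
    """Audit ssl_protocols / ssl_ciphers directives from an nginx-style config."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip().rstrip(";")
        if line.startswith("ssl_protocols "):
            findings += audit_protocols(line.split()[1:])
        elif line.startswith("ssl_ciphers "):
            cipher_string = line.split(None, 1)[1].strip("\"'")
            # In OpenSSL cipher strings "!X" and "-X" remove suites, so only
            # positive tokens can enable something weak.
            positives = [t for t in cipher_string.split(":")
                         if not t.startswith(("!", "-"))]
            findings += audit_ciphers(positives)
    return findings


def certificate_days_left(not_after: str, now: Optional[float] = None) -> int:
    """Whole days until a certificate's notAfter time ('Jan 5 09:34:43 2018 GMT' form).

    Negative means the certificate has already expired.
    """
    expiry = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((expiry - now) // 86400)


# Constructed sample configs: the first keeps SSLv3/TLS 1.0/1.1 and two broken
# suites enabled; the second is the corrected form.
WEAK_CONFIG = """
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256";
"""

HARDENED_CONFIG = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5";
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name} config:", audit_nginx_ssl_config(cfg) or "no findings")
    print("client floor:", hardened_client_context().minimum_version.name)
    print("days left on sample cert:",
          certificate_days_left("Jan 5 09:34:43 2018 GMT"))
```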

CWE

CWE (Common Weakness Enumeration) is a list of common types of hardware and software defects that have security implications. The CWE list can be used as a framework to describe and communicate such vulnerabilities in terms of CWEs.

The goal is to support methods, including automated ones, for detecting and preventing software errors. CWE can be used during development, during code review, and later during penetration testing to classify a finding and communicate its vulnerability type to developers. The list is currently at version 4.7 and contains over 600 categories of weaknesses and vulnerabilities.

The CWE Top 25 Most Dangerous Software Weaknesses list is a list of the most common programming errors that can lead to software vulnerabilities. Weaknesses in the CWE Top 25 are usually easy to detect and exploit. For example, CWE-79 covers Cross-Site Scripting and CWE-89 covers SQL Injection. A similar project is the OWASP (Open Web Application Security Project) Top Ten. Compared to the CWE Top 25, the OWASP Top Ten focuses solely on vulnerabilities of web applications.
The CWE Most Important Hardware Weaknesses list serves the same purpose, but it focuses on hardware defects.

Please check our post about Vulnerability Analysis to learn more about CWE usage.

Please find a list of all the CWE below or use the search box above to find a specific CWE.

  • CWE-500 – Public Static Field Not Marked Final

    Description An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways. Public static variables can be read without an accessor and changed without a mutator by any classes in the application. When a field is declared public but not final, the field can…

  • CWE-501 – Trust Boundary Violation

    Description The product mixes trusted and untrusted data in the same data structure or structured message. A trust boundary can be thought of as line drawn through a program. On one side of the line, data is untrusted. On the other side of the line, data is assumed to be trustworthy. The purpose of validation…

  • CWE-464 – Addition of Data Structure Sentinel

    Description The accidental addition of a data-structure sentinel can cause serious programming logic problems. Data-structure sentinels are often used to mark the structure of data. A common example of this is the null character at the end of strings or a special sentinel to mark the end of a linked list. It is dangerous to…

  • CWE-466 – Return of Pointer Value Outside of Expected Range

    Description A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-119, CWE-20. Consequences: Confidentiality, Integrity: Read Memory, Modify Memory.

  • CWE-467 – Use of sizeof() on a Pointer Type

    Description The code calls sizeof() on a malloced pointer type, which always returns the wordsize/8. This can produce an unexpected result if the programmer intended to determine how much memory has been allocated. The use of sizeof() on a pointer can sometimes generate useful information. An obvious case is to find out the wordsize on…

  • CWE-468 – Incorrect Pointer Scaling

    Description In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled. Modes of Introduction: Implementation. Likelihood of Exploit: Medium. Related Weaknesses: CWE-682. Consequences: Confidentiality, Integrity: Read Memory, Modify Memory. Incorrect pointer scaling will often result in buffer…

  • CWE-469 – Use of Pointer Subtraction to Determine Size

    Description The application subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk. Modes of Introduction: Implementation. Likelihood of Exploit: Medium. Related Weaknesses: CWE-682. Consequences: Access Control, Integrity, Confidentiality, Availability: Modify Memory, Read Memory,…

  • CWE-47 – Path Equivalence: ‘ filename’ (Leading Space)

    Description A software system that accepts path input in the form of leading space (‘ filedir’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: Implementation. Related Weaknesses: CWE-41. Consequences: Confidentiality, Integrity:…

  • CWE-470 – Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’)

    Description The application uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. If the application uses external inputs to determine which class to instantiate or which method to invoke, then an attacker could supply values to select…

  • CWE-471 – Modification of Assumed-Immutable Data (MAID)

    Description The software does not properly protect an assumed-immutable element from being modified by an attacker. This occurs when a particular input is critical enough to the functioning of the application that it should not be modifiable at all, but it is. Certain resources are often assumed to be immutable when they are not, such…

  • CWE-472 – External Control of Assumed-Immutable Web Parameter

    Description The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields. Modes of Introduction: Implementation. Related Weaknesses: CWE-642, CWE-471. Consequences: Integrity: Modify Application Data. Without appropriate protection mechanisms, the client can easily tamper with cookies and similar…

  • CWE-473 – PHP External Variable Modification

    Description A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the application to numerous weaknesses that would not exist otherwise. Modes of Introduction: Implementation. Related Weaknesses: CWE-471, CWE-98. Consequences: Integrity: Modify Application Data. Potential Mitigations:…

  • CWE-474 – Use of Function with Inconsistent Implementations

    Description The code uses a function that has inconsistent implementations across operating systems and versions. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-758. Consequences: Other: Quality Degradation, Varies by Context. Potential Mitigations: Phase: Architecture and Design, Requirements. Description: Do not accept inconsistent behavior from the API specifications when the…

  • CWE-475 – Undefined Behavior for Input to API

    Description The behavior of this function is undefined unless its control parameter is set to a specific value. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-573. Consequences: Other: Quality Degradation, Varies by Context.

  • CWE-476 – NULL Pointer Dereference

    Description A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions. Modes of Introduction: Implementation. Likelihood of Exploit: Medium…

  • CWE-477 – Use of Obsolete Function

    Description The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained. Modes of Introduction: Implementation. Related Weaknesses: CWE-710. Consequences: Other: Quality Degradation. Potential Mitigations: Phase: Implementation. Description: Refer to the documentation for the obsolete function in order to determine why it…

  • CWE-478 – Missing Default Case in Switch Statement

    Description The code does not have a default case in a switch statement, which might lead to complex logical errors and resultant weaknesses. This flaw represents a common problem in software development, in which not all possible values for a variable are considered or handled by a given process. Because of this, further decisions are…

  • CWE-479 – Signal Handler Use of a Non-reentrant Function

    Description The program defines a signal handler that calls a non-reentrant function. Modes of Introduction: Architecture and Design. Likelihood of Exploit: Low. Related Weaknesses: CWE-828, CWE-663, CWE-123. Consequences: Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands. It may be possible to execute arbitrary code through the use of a write-what-where condition.…

  • CWE-48 – Path Equivalence: ‘file name’ (Internal Whitespace)

    Description A software system that accepts path input in the form of internal space (‘file(SPACE)name’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: Implementation. Related Weaknesses: CWE-41. Consequences: Confidentiality, Integrity: Read…

  • CWE-480 – Use of Incorrect Operator

    Description The programmer accidentally uses the wrong operator, which changes the application logic in security-relevant ways. These types of errors are generally the result of a typo. Modes of Introduction: Implementation. Likelihood of Exploit: Low. Related Weaknesses: CWE-670. Consequences: Other: Alter Execution Logic. This weakness can cause unintended logic to be…

  • CWE-481 – Assigning instead of Comparing

    Description The code uses an operator for assignment when the intention was to perform a comparison. In many languages the compare statement is very close in appearance to the assignment statement and are often confused. This bug is generally the result of a typo and usually causes obvious problems with program execution. If the comparison…

  • CWE-482 – Comparing instead of Assigning

    Description The code uses an operator for comparison when the intention was to perform an assignment. In many languages, the compare statement is very close in appearance to the assignment statement; they are often confused. Modes of Introduction: Implementation. Likelihood of Exploit: Low. Related Weaknesses: CWE-480. Consequences: Availability, Integrity: Unexpected State…

  • CWE-443 – DEPRECATED: HTTP response splitting

    Description This weakness can be found at CWE-113.

  • CWE-444 – Inconsistent Interpretation of HTTP Requests (‘HTTP Request Smuggling’)

    Description When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to “smuggle” a request to one device without the other device being aware of it. Modes…

  • CWE-446 – UI Discrepancy for Security Feature

    Description The user interface does not correctly enable or configure a security feature, but the interface provides feedback that causes the user to believe that the feature is in a secure state. When the user interface does not properly reflect what the user asks of it, then it can lead the user into a false…

  • CWE-447 – Unimplemented or Unsupported Feature in UI

    Description A UI function for a security feature appears to be supported and gives feedback to the user that suggests that it is supported, but the underlying functionality is not implemented. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-446, CWE-671. Consequences: Other: Varies by Context. Potential Mitigations: Phase: Testing…

  • CWE-448 – Obsolete Feature in UI

    Description A UI function is obsolete and the product does not warn the user. Modes of Introduction: Implementation. Related Weaknesses: CWE-446. Consequences: Other: Quality Degradation, Varies by Context. Potential Mitigations: Phase: Architecture and Design. Description: Remove the obsolete feature from the UI. Warn the user that the feature is no…

  • CWE-449 – The UI Performs the Wrong Action

    Description The UI performs the wrong action with respect to the user’s request. Modes of Introduction: Implementation. Related Weaknesses: CWE-446. Consequences: Other: Quality Degradation, Varies by Context. Potential Mitigations: Phase: Testing. Description: Perform extensive functionality testing of the UI. The UI should behave as specified. CVE References: CVE-2001-1387 Network firewall…

  • CWE-45 – Path Equivalence: ‘file…name’ (Multiple Internal Dot)

    Description A software system that accepts path input in the form of multiple internal dot (‘file…dir’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: Implementation. Related Weaknesses: CWE-44, CWE-165. Consequences: Confidentiality,…

  • CWE-450 – Multiple Interpretations of UI Input

    Description The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-357. Consequences: Other: Varies by Context. Potential Mitigations: Phase: Implementation. Description: Inputs should be decoded and canonicalized…

  • CWE-451 – User Interface (UI) Misrepresentation of Critical Information

    Description The user interface (UI) does not properly represent critical information to the user, allowing the information – or its source – to be obscured or spoofed. This is often a component in phishing attacks. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-684, CWE-221, CWE-346. Consequences: Non-Repudiation, Access Control: Hide…

  • CWE-453 – Insecure Default Variable Initialization

    Description The software, by default, initializes an internal variable with an insecure or less secure value than is possible. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-1188. Consequences: Integrity: Modify Application Data. An attacker could gain access to and modify sensitive data or system information. Potential Mitigations: Phase: System…

  • CWE-454 – External Initialization of Trusted Variables or Data Stores

    Description The software initializes critical internal variables or data stores using inputs that can be modified by untrusted actors. A software system should be reluctant to trust variables that have been initialized outside of its trust boundary, especially if they are initialized by users. The variables may have been initialized incorrectly. If an attacker can…

  • CWE-455 – Non-exit on Failed Initialization

    Description The software does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error, which can cause the software to execute in a less secure fashion than intended by the administrator. Modes of Introduction: Architecture and Design. Related Weaknesses…

  • CWE-456 – Missing Initialization of a Variable

    Description The software does not initialize critical variables, which causes the execution environment to use unexpected values. Modes of Introduction: Implementation. Related Weaknesses: CWE-909, CWE-665, CWE-89, CWE-120, CWE-98, CWE-457. Consequences: Integrity, Other: Unexpected State, Quality Degradation, Varies by Context. The uninitialized data may be invalid, causing logic errors within the…

  • CWE-457 – Use of Uninitialized Variable

    Description The code uses a variable that has not been initialized, leading to unpredictable or unintended results. In some languages such as C and C++, stack variables are not initialized by default. They generally contain junk data with the contents of stack memory before the function was invoked. An attacker can sometimes control or read…

  • CWE-458 – DEPRECATED: Incorrect Initialization

    Description This weakness has been deprecated because its name and description did not match. The description duplicated CWE-454, while the name suggested a more abstract initialization problem. Please refer to CWE-665 for the more abstract problem.

  • CWE-459 – Incomplete Cleanup

    Description The software does not properly “clean up” and remove temporary or supporting resources after they have been used. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-404. Consequences: Other, Confidentiality, Integrity: Other, Read Application Data, Modify Application Data, DoS: Resource Consumption (Other). It is possible to overflow the number…

  • CWE-46 – Path Equivalence: ‘filename ‘ (Trailing Space)

    Description A software system that accepts path input in the form of trailing space (‘filedir ‘) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: Implementation. Related Weaknesses: CWE-41, CWE-162, CWE-289. Consequences…

  • CWE-460 – Improper Cleanup on Thrown Exception

    Description The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow. Often, when functions or loops become complicated, some level of resource cleanup is needed throughout execution. Exceptions can disturb the flow of the code and prevent the necessary…

  • CWE-462 – Duplicate Key in Associative List (Alist)

    Description Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error. A duplicate key entry — if the alist is designed properly — could be used as a constant time replace function. However, duplicate key entries could be inserted by mistake. Because of this ambiguity, duplicate key entries in an…

  • CWE-463 – Deletion of Data Structure Sentinel

    Description The accidental deletion of a data-structure sentinel can cause serious programming logic problems. Often times data-structure sentinels are used to mark structure of the data structure. A common example of this is the null character at the end of strings. Another common example is linked lists which may contain a sentinel to mark the…

  • CWE-422 – Unprotected Windows Messaging Channel (‘Shatter’)

    Description The software does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-420, CWE-360. Consequences: Access Control:…

  • CWE-423 – DEPRECATED: Proxied Trusted Channel

    Description This entry has been deprecated because it was a duplicate of CWE-441. All content has been transferred to CWE-441.

  • CWE-424 – Improper Protection of Alternate Path

    Description The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-693, CWE-638. Consequences: Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity. Potential Mitigations: Phase: Architecture and Design. Description: Deploy…

  • CWE-425 – Direct Request (‘Forced Browsing’)

    Description The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files. Web applications susceptible to direct request attacks often make the false assumption that such resources can only be reached through a given navigation path and so only apply authorization at certain points in the path. Modes of Introduction:…

  • CWE-426 – Untrusted Search Path

    Description The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application’s direct control. Modes of Introduction: Architecture and Design. Likelihood of Exploit: High. Related Weaknesses: CWE-642, CWE-668, CWE-673, CWE-427, CWE-428. Consequences: Integrity, Confidentiality, Availability, Access Control: Gain Privileges or…

  • CWE-427 – Uncontrolled Search Path Element

    Description The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. Modes of Introduction: Implementation. Related Weaknesses: CWE-668. Consequences: Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands. Potential Mitigations: Phase: Architecture…

  • CWE-428 – Unquoted Search Path or Element

    Description The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. If a malicious individual has access to the file system, it is possible to elevate privileges by inserting such a file as…

  • CWE-43 – Path Equivalence: ‘filename….’ (Multiple Trailing Dot)

    Description A software system that accepts path input in the form of multiple trailing dot (‘filedir….’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: Implementation. Related Weaknesses: CWE-42, CWE-163. Consequences: Confidentiality,…

  • CWE-430 – Deployment of Wrong Handler

    Description The wrong “handler” is assigned to process an object. An example of deploying the wrong handler would be calling a servlet to reveal source code of a .JSP file, or automatically “determining” type of the object even if it is contradictory to an explicitly specified type. Modes of Introduction: Implementation. Related…

  • CWE-431 – Missing Handler

    Description A handler is not available or implemented. When an exception is thrown and not caught, the process has given up an opportunity to decide if a given failure or event is worth a change in execution. Modes of Introduction: Implementation. Related Weaknesses: CWE-691, CWE-433. Consequences: Other: Varies by Context…

  • CWE-432 – Dangerous Signal Handler not Disabled During Sensitive Operations

    Description The application uses a signal handler that shares state with other signal handlers, but it does not properly mask or prevent those signal handlers from being invoked while the original signal handler is still running. During the execution of a signal handler, it can be interrupted by another handler when a different signal is…

  • CWE-433 – Unparsed Raw Web Content Delivery

    Description The software stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server. If code is stored in a file with an extension such as “.inc” or “.pl”, and the web server does not have a handler for that extension, then the server…

  • CWE-434 – Unrestricted Upload of File with Dangerous Type

    Description The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product’s environment. Modes of Introduction: Implementation. Likelihood of Exploit: Medium. Related Weaknesses: CWE-669, CWE-351, CWE-436, CWE-430. Consequences: Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands. Arbitrary code execution is…

  • CWE-435 – Improper Interaction Between Multiple Correctly-Behaving Entities

    Description An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses. When a system or process combines multiple independent components, this often produces new, emergent behaviors at…

  • CWE-436 – Interpretation Conflict

    Description Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B’s state. This is generally found in proxies, firewalls, anti-virus software, and other intermediary devices that monitor, allow, deny, or modify traffic based on how the client or server is expected to…

  • CWE-437 – Incomplete Model of Endpoint Features

    Description A product acts as an intermediary or monitor between two or more endpoints, but it does not have a complete model of an endpoint’s features, behaviors, or state, potentially causing the product to perform incorrect actions based on this incomplete model. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-436…

  • CWE-439 – Behavioral Change in New Version or Environment

    Description A’s behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-435. Consequences: Other: Quality Degradation, Varies by Context. CVE References: CVE-2002-1976 Linux kernel 2.2 and above…

  • CWE-44 – Path Equivalence: ‘file.name’ (Internal Dot)

    Description A software system that accepts path input in the form of internal dot (‘file.ordir’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: Implementation. Related Weaknesses: CWE-41. Consequences: Confidentiality, Integrity: Read…

  • CWE-440 – Expected Behavior Violation

    Description A feature, API, or function does not perform according to its specification. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-684. Consequences: Other: Quality Degradation, Varies by Context. CVE References: CVE-2003-0187 Program uses large timeouts on “undeserving” to compensate for inconsistency of support for linked lists. CVE-2003-0465…

  • CWE-441 – Unintended Proxy or Intermediary (‘Confused Deputy’)

    Description The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product’s control sphere. This causes the product to appear to be the source of the request,…

  • CWE-401 – Missing Release of Memory after Effective Lifetime

    Description The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. This is often triggered by improper handling of malformed data or unexpectedly interrupted sessions. In some languages, developers are responsible for tracking memory allocation and releasing the memory. If there are no more pointers…

  • CWE-402 – Transmission of Private Resources into a New Sphere (‘Resource Leak’)

    Description The software makes resources available to untrusted parties when those resources are only intended to be accessed by the software. Modes of Introduction: Architecture and Design. Related Weaknesses: CWE-668. Consequences: Confidentiality: Read Application Data.

  • CWE-403 – Exposure of File Descriptor to Unintended Control Sphere (‘File Descriptor Leak’)

    Description A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors. When a new process is forked or executed, the child process inherits any open file descriptors. When the child process has fewer privileges than the parent process, this might…

  • CWE-404 – Improper Resource Shutdown or Release

    Description The program does not release or incorrectly releases a resource before it is made available for re-use. When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.…

  • CWE-405 – Asymmetric Resource Consumption (Amplification)

    Description Software that does not appropriately monitor or control resource consumption can lead to adverse system performance. This situation is amplified if the software allows malicious users or attackers to consume more resources than their access level permits. Exploiting such a weakness can lead to asymmetric resource consumption, aiding in amplification attacks against the system…

  • CWE-406 – Insufficient Control of Network Message Volume (Network Amplification)

    Description The software does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the software to transmit more traffic than should be allowed for that actor. In the absence of a policy to restrict asymmetric resource consumption, the application or system cannot distinguish between legitimate transmissions and traffic intended…

  • CWE-407 – Inefficient Algorithmic Complexity

    Description An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: Low   Related Weaknesses CWE-405…

  • CWE-408 – Incorrect Behavior Order: Early Amplification

    Description The software allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-405 CWE-696   Consequences Availability: DoS: Amplification, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory) System resources, CPU and…

  • CWE-409 – Improper Handling of Highly Compressed Data (Data Amplification)

    Description The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. An example of data amplification is a “decompression bomb,” a small ZIP file that can produce a large amount of data when it is decompressed. Modes of Introduction: – Architecture and Design…

  • CWE-41 – Improper Resolution of Path Equivalence

    Description The system or application is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object. Path equivalence is usually employed in order to circumvent access controls expressed using an…

  • CWE-410 – Insufficient Resource Pool

    Description The software’s resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources. Frequently the consequence is a “flood” of connection or sessions. Modes of Introduction: – Architecture and Design     Related Weaknesses…

  • CWE-412 – Unrestricted Externally Accessible Lock

    Description The software properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control. This prevents the software from acting on associated resources or performing other behaviors that are controlled by the presence of the lock. Relevant…

  • CWE-413 – Improper Resource Locking

    Description The software does not lock or does not correctly lock a resource when the software must have exclusive access to the resource. When a resource is not properly locked, an attacker could modify the resource while it is being operated on by the software. This might violate the software’s assumption that the resource will…

  • CWE-414 – Missing Lock Check

    Description A product does not check to see if a lock is present before performing sensitive operations on a resource. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-667   Consequences Integrity, Availability: Modify Application Data, DoS: Instability, DoS: Crash, Exit, or Restart   Potential Mitigations Phase: Architecture and Design, Implementation Description: …

  • CWE-415 – Double Free

    Description The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations. When a program calls free() twice with the same argument, the program’s memory management data structures become corrupted. This corruption can cause the program to crash or, in some circumstances, cause two later calls to malloc()…

  • CWE-416 – Use After Free

    Description Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-825 CWE-672 CWE-672 CWE-672 CWE-120 CWE-123   Consequences Integrity: Modify Memory The use of previously freed memory may corrupt valid…

  • CWE-419 – Unprotected Primary Channel

    Description The software uses a primary channel for administration or restricted functionality, but it does not properly protect the channel. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-923   Consequences Access Control: Gain Privileges or Assume Identity, Bypass Protection Mechanism   Potential Mitigations Phase: Architecture and Design Description:  Do not expose…

  • CWE-42 – Path Equivalence: ‘filename.’ (Trailing Dot)

    Description A software system that accepts path input in the form of trailing dot (‘filedir.’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation     Related Weaknesses CWE-41 CWE-162   Consequences Access Control:…

  • CWE-420 – Unprotected Alternate Channel

    Description The software protects a primary channel, but it does not use the same level of protection for an alternate channel. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-923   Consequences Access Control: Gain Privileges or Assume Identity, Bypass Protection Mechanism   Potential Mitigations Phase: Architecture and Design Description:  Identify all…

  • CWE-421 – Race Condition During Access to Alternate Channel

    Description The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors. This creates a race condition that allows an attacker to access the channel before the authorized user does. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-420 CWE-362   Consequences Access…

  • CWE-377 – Insecure Temporary File

    Description Creating and using insecure temporary files can leave application and system data vulnerable to attack. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-668   Consequences Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories   Potential Mitigations CVE References

  • CWE-378 – Creation of Temporary File With Insecure Permissions

    Description Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-377   Consequences Confidentiality: Read Application Data If the temporary file can be read by the…

  • CWE-379 – Creation of Temporary File in Directory with Insecure Permissions

    Description The software creates a temporary file in a directory whose permissions allow unintended actors to determine the file’s existence or otherwise access that file. On some operating systems, the fact that the temporary file exists may be apparent to any user with sufficient privileges to access that directory. Since the file is visible, the…

  • CWE-38 – Path Traversal: ‘\absolute\pathname\here’

    Description A software system that accepts input in the form of a backslash absolute path (‘\absolute\pathname\here’) without appropriate validation can allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation     Related Weaknesses CWE-36   Consequences Confidentiality, Integrity: Read Files or Directories, Modify Files…

  • CWE-382 – J2EE Bad Practices: Use of System.exit()

    Description A J2EE application uses System.exit(), which also shuts down its container. It is never a good idea for a web application to attempt to shut down the application container. Access to a function that can shut down the application is an avenue for Denial of Service (DoS) attacks. Modes of Introduction: – Implementation  …

  • CWE-383 – J2EE Bad Practices: Direct Use of Threads

    Description Thread management in a Web application is forbidden in some circumstances and is always highly error prone. Thread management in a web application is forbidden by the J2EE standard in some circumstances and is always highly error prone. Managing threads is difficult and is likely to interfere in unpredictable ways with the behavior of…

  • CWE-384 – Session Fixation

    Description Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-610 CWE-610 CWE-346 CWE-472 CWE-441   Consequences Access Control: Gain Privileges or Assume Identity   Potential Mitigations Phase:…

  • CWE-385 – Covert Timing Channel

    Description Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: Medium   Related Weaknesses CWE-514   Consequences Confidentiality, Other: Read Application Data, Other Information…

  • CWE-386 – Symbolic Name not Mapping to Correct Object

    Description A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-706 CWE-367 CWE-610 CWE-486   Consequences Access Control: Gain Privileges or Assume Identity The attacker can gain access to otherwise unauthorized resources.…

  • CWE-39 – Path Traversal: ‘C:dirname’

    Description An attacker can inject a drive letter or Windows volume letter (‘C:dirname’) into a software system to potentially redirect access to an unintended location or arbitrary file. Modes of Introduction: – Implementation     Related Weaknesses CWE-36   Consequences Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands The attacker may be able to create…

  • CWE-390 – Detection of Error Condition Without Action

    Description The software detects a specific error, but takes no actions to handle the error. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: Medium   Related Weaknesses CWE-755 CWE-401   Consequences Integrity, Other: Varies by Context, Unexpected State, Alter Execution Logic An attacker could utilize an ignored error condition to place the…

  • CWE-391 – Unchecked Error Condition

    Description [PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: Medium   Related Weaknesses CWE-754 CWE-703 CWE-703   Consequences Integrity, Other: Varies by Context, Unexpected State,…

  • CWE-392 – Missing Report of Error Condition

    Description The software encounters an error but does not provide a status code or return value to indicate that an error has occurred. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-684 CWE-703 CWE-703 CWE-703   Consequences Integrity, Other: Varies by Context, Unexpected State Errors that are not properly reported could place…

  • CWE-393 – Return of Wrong Status Code

    Description A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result. This can lead to unpredictable behavior. If the function is used to make security-critical decisions or provide security-critical information, then the wrong status…

  • CWE-394 – Unexpected Status Code or Return Value

    Description The software does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the software. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-754   Consequences Integrity, Other: Unexpected State, Alter Execution Logic   Potential Mitigations CVE References CVE-2004-1395…

  • CWE-395 – Use of NullPointerException Catch to Detect NULL Pointer Dereference

    Description Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer. Modes of Introduction: – Implementation     Related Weaknesses CWE-705 CWE-755   Consequences Availability: DoS: Resource Consumption (CPU)   Potential Mitigations Phase: Architecture and Design, Implementation Description:  Do not extensively rely on catching exceptions (especially for…

  • CWE-396 – Declaration of Catch for Generic Exception

    Description Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities. Multiple catch blocks can get ugly and repetitive, but “condensing” catch blocks by catching a high-level class like Exception can obscure exceptions that deserve special treatment or that should not be caught at this point in the…

  • CWE-397 – Declaration of Throws for Generic Exception

    Description Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities. Declaring a method to throw Exception or Throwable makes it difficult for callers to perform proper error handling and error recovery. Java’s exception mechanism, for example, is set up to make it easy for callers to anticipate…

Vulnerability Analysis


A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

NIST Glossary – https://csrc.nist.gov/glossary/term/vulnerability

Vulnerability analysis includes the detection, assessment, classification and treatment of vulnerabilities based on the risk they pose to the company.

Vulnerability Identification

A security team can detect vulnerabilities following different approaches. As part of a vulnerability management process, it is good practice to subscribe to the mailing lists in which vulnerabilities and related countermeasures are disclosed. This service is usually offered by the vendor or, if not available, through third parties. It is a very time-consuming but necessary task. You must perform it on a daily basis to promptly detect vulnerabilities and to comply with several standards/regulations.
Other inputs can come from the analysis of hardening procedure reports/tasks, and from the periodic review of the access rules and of the company policies and procedures.

Tools


Thanks to tools like Nessus and OpenVAS, it is possible to partially automate the discovery and analysis of vulnerabilities. After verifying the active hosts and the related services, we can deepen our analysis and determine the operating system and application versions.

As shown in the figure, Nessus provides the list of vulnerabilities to which each analyzed host is potentially vulnerable. Potentially because the scanner does not attempt to exploit the vulnerability. This phase, often manual, is not part of the vulnerability analysis process and is normally carried out within a penetration test.

CVSS

In the report, vulnerabilities are classified according to the CVSS (Common Vulnerability Scoring System), a framework used to classify software vulnerabilities. CVSS is an important tool that simplifies the vulnerability management process.

Let’s pretend you are in a meeting with the company management and you have to share the results of your vulnerability analysis. The test results were not good: you need at least three system administrators for one month to implement the remediation plan. You need to install patches, implement countermeasures, and you have to do it fast. During the meeting, you could try to tell management that you found several RCE-type vulnerabilities on systems deployed in your DMZ. Attackers do not need system/application credentials to perform the attack and exploits are readily available on the Internet. Or you could report the presence of several CVSS 10 vulnerabilities on critical systems.
For more information on CVSS, in its two versions 2.0 and 3.0, I suggest reading our article.

CVE & NVD

Each vulnerability has a Common Vulnerabilities and Exposures (CVE) ID, in the form CVE-YYYY-NNNN. Assigning an ID to each vulnerability allows one to keep track of it and to automate/simplify the integration of the different tools available to an analyst.

Let’s say you have just detected a vulnerability on your firewall appliance. Since it is a well-known vulnerability, it has got a specific CVE-ID. Assuming that your firewall vendor catalogues their vulnerabilities and patches by CVE, it is going to be easy to ask the vendor for additional information, search for the relevant patches and to minimize the possible impacts of applying remediation on the infrastructure. Furthermore, it is going to be easy to find the relevant signature in your IDS/IPS.
CVE is operated by The MITRE Corporation. More details can be obtained on the cve.org website.

NVD (National Vulnerability Database) is managed by NIST (National Institute of Standards and Technology). NVD is a vulnerability database: for each CVE, information such as countermeasures, criticality and impact is provided.

CWE & OWASP

CWE (Common Weakness Enumeration) is a list of common types of hardware and software defects that have security implications. The CWE list can be used as a framework to describe and communicate such vulnerabilities in terms of CWEs. The CWE Top 25 Most Dangerous Software Weaknesses list collects the most common programming errors that can lead to software vulnerabilities. Vulnerabilities present in the CWE Top 25 are usually easy to detect and exploit. For example, CWE-79 covers Cross-Site Scripting while CWE-89 covers SQL Injection. A similar project is the OWASP (Open Web Application Security Project) Top Ten. Compared to the CWE Top 25, the OWASP Top Ten focuses solely on vulnerabilities of web applications.
The CWE Most Important Hardware Weaknesses list serves the same purpose, but it focuses on hardware defects.

Vulnerability Analysis steps

Vulnerability analysis comprises different phases.

Preparatory phase

It is not possible to carry out a thorough and reliable analysis without a deep knowledge of the infrastructure/application under examination. If the procedure for managing IT services and their related assets is not implemented, it is not going to be possible to classify and prioritize vulnerabilities. Let’s say our vulnerability scanner found 300 vulnerabilities on approximately 30 hosts. Which vulnerabilities should I prioritize? Which ones shall I remediate immediately? The answer depends not only on the vulnerability severity but also on how important the hosts and services affected by it are.

Discovery and analysis of vulnerabilities

You performed vulnerability scans, you analysed security advisories, system configurations, your company policies and procedures. You have a comprehensive list of vulnerabilities. You can now prioritise them, identify false positives (and false negatives), and improve the results with your knowledge of the infrastructure/application. At the end of this phase, your security team will produce a vulnerability scan report.

Post assessment

It is now possible to define a remediation plan. The remediation plan is not a mere list of patches, countermeasures and IPS rules: if your analysis has shown the presence of several SQL Injection, CSRF and XSS vulnerabilities in the software developed internally (or by a specific supplier), you must immediately schedule secure programming training classes for your developers.

If these kinds of vulnerabilities are found on software purchased from third parties, you must tell the service owner to look for a new vendor.

While the first scenario is a symptom of a poor security awareness policy, the second one highlights a poor supplier policy: do you review your supplier security policies after you sign a contract? Do you ask to review their development procedures? Do they regularly perform code reviews? Is security fully integrated into their development life-cycle?
Outsourcing has hidden costs that you always need to consider.

Once the remediation plan has been implemented, the security team shall verify it has been properly implemented. Depending on its size, the implementation of the remediation activities can take several weeks, if not months. It is crucial to plan periodic meetings to keep the team focused and to check the progress.
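A worked illustration of the reasoning above, as an added example that is not code from the original article: it ranks constructed scan findings by severity weighted with the asset inventory’s criticality and zone, refuses to rank hosts missing from the inventory (the preparatory-phase problem), and groups recurring CWE classes by who develops the software to derive the training-or-supplier action of the post-assessment phase. The inventory, findings, placeholder CVE ids (year 0000) and weighting factors are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# CVE-YYYY-NNNN as described on the page; the sequence part may be longer than four digits.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass(frozen=True)
class Asset:
    host: str
    zone: str             # "dmz" or "internal" (constructed vocabulary)
    criticality: int      # 1 (low) .. 5 (business critical), from the asset inventory
    software_origin: str  # "in-house" or "vendor": who develops the application on it


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float                    # base score reported by the scanner
    cwe: Optional[str] = None      # weakness class, when the scanner reports one
    exploit_public: bool = False   # exploit readily available, as in the meeting example above


def risk_score(finding, asset):
    """Severity weighted by asset importance; DMZ exposure and a public exploit
    are multipliers. The weights are constructed for the example, not a standard."""
    score = finding.cvss * asset.criticality
    if asset.zone == "dmz":
        score *= 1.5
    if finding.exploit_public:
        score *= 1.5
    return round(score, 1)


def tier(score):
    """Constructed remediation buckets for the plan."""
    return "immediate" if score >= 40 else "this month" if score >= 15 else "scheduled"


def prioritize(findings, inventory):
    """Return (ranked, unclassified). A finding on a host missing from the inventory
    cannot be prioritized, which is the situation the preparatory phase warns about."""
    assets = {a.host: a for a in inventory}
    ranked, unclassified = [], []
    for f in findings:
        if not CVE_RE.match(f.cve):
            unclassified.append((f, "malformed CVE id"))
            continue
        asset = assets.get(f.host)
        if asset is None:
            unclassified.append((f, "host not in asset inventory"))
            continue
        s = risk_score(f, asset)
        ranked.append({"host": f.host, "cve": f.cve, "score": s, "tier": tier(s)})
    ranked.sort(key=lambda r: r["score"], reverse=True)  # stable: ties keep scan order
    return ranked, unclassified


def systemic_weaknesses(findings, inventory, min_count=3):
    """CWE classes recurring per software origin: repeated findings in in-house code
    call for secure programming training, in vendor code for a supplier review."""
    origin = {a.host: a.software_origin for a in inventory}
    counts = defaultdict(Counter)
    for f in findings:
        if f.cwe and f.host in origin:
            counts[origin[f.host]][f.cwe] += 1
    actions = {}
    for org, c in counts.items():
        recurring = sorted(cwe for cwe, n in c.items() if n >= min_count)
        if recurring:
            action = "secure programming training" if org == "in-house" else "review supplier security policy"
            actions[org] = (action, recurring)
    return actions


# Constructed inventory and scan results. CVE ids with year 0000 are placeholders, not real CVEs.
INVENTORY = [
    Asset("web-dmz-1", "dmz", 4, "in-house"),
    Asset("portal-dmz-2", "dmz", 5, "vendor"),
    Asset("intranet-1", "internal", 2, "in-house"),
]
FINDINGS = [
    Finding("web-dmz-1", "CVE-0000-0001", 9.8, "CWE-89", exploit_public=True),
    Finding("web-dmz-1", "CVE-0000-0002", 6.1, "CWE-79"),
    Finding("web-dmz-1", "CVE-0000-0003", 6.1, "CWE-79"),
    Finding("intranet-1", "CVE-0000-0004", 6.1, "CWE-79"),
    Finding("intranet-1", "CVE-0000-0005", 9.8, "CWE-89"),
    Finding("intranet-1", "CVE-0000-0006", 9.8, "CWE-89"),
    Finding("portal-dmz-2", "CVE-0000-0007", 7.5, "CWE-352"),
    Finding("portal-dmz-2", "CVE-0000-0008", 7.5, "CWE-352"),
    Finding("portal-dmz-2", "CVE-0000-0009", 7.5, "CWE-352"),
    Finding("vpn-gw-9", "CVE-0000-0010", 10.0),     # host nobody documented
    Finding("intranet-1", "CVE-00-0011", 5.0),      # malformed id from a broken import
]

if __name__ == "__main__":
    ranked, skipped = prioritize(FINDINGS, INVENTORY)
    for r in ranked:
        print(f'{r["tier"]:>10}  {r["score"]:5.1f}  {r["host"]:14} {r["cve"]}')
    print("not prioritized:", [(f.host, f.cve, why) for f, why in skipped])
    print("systemic:", systemic_weaknesses(FINDINGS, INVENTORY))
```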

What’s next?

In the next articles, we will analyse the vulnerability management process and its implications for regulations like ISO27001 and PCI-DSS. In the meantime, we suggest reading our articles about CVSS and the Metasploit lab.

Network Scanning


Regardless of your motivations (attacker or defender), you need to know the ports, hosts and services available within a network.

From a defender’s point of view, the task is a precondition of several key procedures:

  • Asset Management – whoever manages the infrastructure (and its security) must know which devices are active and present within the infrastructure. Furthermore, it helps to detect unauthorized hosts that could derive from malicious activities (or, more commonly, from system administrators who forgot to document them… and maybe to apply the company’s hardening procedures).
  • Network scanning is a fundamental step of a company vulnerability management procedure. Here is a non-comprehensive list of its possible benefits:
    • it allows the detection of unauthorized services and the presence of obsolete systems;
    • it helps to verify the correspondence between the specifications document and the actual implementation;
    • it helps to verify the correct application of the hardening procedures.
  • Penetration test – regardless of the approach in use, it is necessary to determine the active hosts and the exposed services. You have to do it even in a white-box penetration test to confirm your client’s/colleagues’ inputs.

From an attacker’s point of view… Well, that goes without saying 🙂

The network scanning procedure aims to identify active hosts. Port scanning, on the other hand, seeks to detect the ports that hosts expose and with which it is possible to interact. Starting from the output of a network/port scan, an attacker, or a newly hired CISO, can outline different traits of a company’s security posture.

In these articles we will see:

  • the different steps of a network scan;
  • some examples with the NMAP tool.

Host discovery

Port scanning involves sending several packets to the host and verifying its response. Usually, the analysis is restricted to the 1024 most common ports (it depends on the available time and the final goal of the analysis). As you may expect, performing this task for all the hosts within a network/infrastructure is time-expensive and generates a lot of noise.

In most cases, only a tiny fraction of IP addresses are active at any given moment. To avoid wasting time, the tester first performs the host discovery phase to determine the active hosts in the tested networks and infrastructure.

There are several techniques:

  • ARP Ping scan;
  • ICMP Ping scan;
  • UDP Ping Scan;
  • TCP SYN/ACK Ping scan;
  • IP Protocol Ping scan.

As stated in the official documentation, the default NMAP host discovery strategy involves sending an ICMP echo request (-PE), a TCP SYN segment to port 443 (-PS443), a TCP ACK segment to port 80 (-PA80), and an ICMP timestamp request (-PP).

ARP ping scans are the most effective method to detect active hosts inside a LAN. Their limit is that the technique cannot be applied to a subnet the scanner does not belong to. Even if you supply other -P* options to NMAP, the tool by default performs an ARP/Neighbor Discovery against targets on a local Ethernet network, since it is the fastest and most reliable technique.

An ICMP scan consists of sending ICMP echo requests to the hosts on the network. If a host is active, it returns an ICMP echo reply. The technique has limited usability, as blocking ICMP requests is part of the basic hardening rules of firewalls and systems.

A TCP scan consists of sending TCP segments to the hosts and analysing their response. There are two different modes: TCP SYN ping scan and TCP ACK ping scan.

TCP SYN SCAN

As illustrated in the figure, a TCP SYN ping scan consists of the following steps:

  1. The tester sends a TCP SYN segment to port 80.
  2. If the port is closed, the host responds with an RST segment.
  3. If the port is open, the host responds with a TCP SYN/ACK segment indicating that a connection can be established.
  4. Afterwards, an RST segment is sent to reset this connection.

Since it is a normal attempt to establish a TCP connection, traffic is not blocked by firewalls and does not require administrator permissions.

A TCP ACK ping scan instead consists of the following steps:

  1. The tester sends an empty TCP segment with the ACK flag set to port 80 (the nmap default port, but another port can be used).
  2. If the host is offline, it should not respond to this request.
  3. Otherwise, it will return an RST segment and will be treated as online. An RST is sent because the TCP ACK is not associated with any valid existing connection.

ACK Ping Scan requires administrator privileges. Since it is recognized and blocked by a stateful firewall, its main goal is to get information about the filter configurations, not port status.


Port Scan

Once the active hosts within a network have been determined, a port scan can be performed to determine exposed ports and services.

Several techniques are available:

  • TCP Scan (Connect and Half Open Scan);
  • UDP Scanning;
  • SCTP Scanning;
  • SSDP Scanning.

Only the first two strategies will be considered. Please see the NMAP manual for additional information on SCTP and SSDP Scanning.

TCP Scan

With a TCP Connect scan, a TCP connection is established with the host. That is, the whole 3-way handshake is performed.

The least expensive and best-performing variant, the TCP Half Open scan (TCP SYN scan), sends only the SYN segment. If a SYN/ACK segment is received, the port is identified as open; if an RST is received, the port is judged closed.

A third category, the TCP FIN, NULL and Xmas scans, modifies the flags of the TCP segment (FIN, URG, PSH, or no flags at all) in an attempt to induce a response from the server.

The technique works only against operating systems whose TCP/IP implementation complies with RFC 793. For example, it does not work with Windows systems, as these return an RST in both cases (open and closed port).

SEGMENT ARRIVES

    If the state is CLOSED (i.e., TCB does not exist) then all data in the incoming segment is discarded. An incoming segment containing a RST is discarded. An incoming segment not containing a RST causes a RST to be sent in response. The acknowledgment and sequence field values are selected to make the reset sequence acceptable to the TCP that sent the offending segment.

RFC 793

If the port is open, the system produces no response, while it returns an RST/ACK segment if the port is closed.

To understand the origin of the name, just look at the image below. Nmap’s -sX flag “Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.”

UDP scan

A UDP connection does not involve a handshake. If a UDP packet is sent to a port on which no service is listening, the system responds with an ICMP Port Unreachable message. In case of no answer, the port can be considered closed or filtered.

Countermeasures

To detect and prevent network scanning attempts, we suggest the following countermeasures:

  • Carefully design your services to reduce your attack surface, exposing only the necessary services and always keeping in mind the principles of least privilege and need to know;
  • Configure your firewalls to block all traffic that has no business justification;
  • Periodically review your firewall ruleset to keep it aligned with your business needs;
  • Harden your servers, disabling all unused services;
  • Perform network and port scans to ensure your firewall/server policies are aligned with your business needs;
  • Configure an IDS/IPS to promptly detect network and port scans.
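As an added example for the last countermeasure (not code from the original article), the following detector reads constructed firewall deny-log lines, names the technique each dropped probe resembles from its TCP flags (SYN, ACK, NULL, FIN and Xmas, as described above), and raises a port-scan alert when one source hits many ports on a single host inside a time window, or a host-sweep alert when it hits many hosts, as in the host discovery phase. The log layout, thresholds and sample lines are assumptions made for the example and are not the real netfilter format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed deny-log layout (an assumption for the example, not the real netfilter format):
#   <ISO-8601 time> DROP SRC=<ip> DST=<ip> PROTO=<TCP|UDP> DPT=<port> [FLAGS=<F1,F2,...>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>TCP|UDP) DPT=(?P<dpt>\d+)(?: FLAGS=(?P<flags>[A-Z,]*))?$"
)


def classify_probe(flags):
    """Name the scan technique a dropped TCP segment's flag set resembles."""
    f = frozenset(x for x in flags.split(",") if x)
    if not f:
        return "NULL scan"                 # no flags at all
    if f == {"SYN"}:
        return "SYN scan / SYN ping"       # half-open scan and SYN ping look the same here
    if f == {"ACK"}:
        return "ACK ping"
    if f == {"FIN"}:
        return "FIN scan"
    if f == {"FIN", "PSH", "URG"}:
        return "Xmas scan"
    return "other"


def parse_events(lines):
    """Yield one event per well-formed deny line; anything else is skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        yield {
            "ts": datetime.fromisoformat(d["ts"]),
            "src": d["src"], "dst": d["dst"], "dpt": int(d["dpt"]),
            "probe": classify_probe(d["flags"] or "") if d["proto"] == "TCP" else "UDP probe",
        }


def detect_scans(lines, window=timedelta(seconds=60), port_threshold=10, host_threshold=5):
    """One alert per (source, kind): 'port scan' when a source hits >= port_threshold
    distinct ports on a single host inside the window, 'host sweep' when it hits
    >= host_threshold distinct hosts. Thresholds are constructed for the example."""
    by_src = defaultdict(list)
    for e in sorted(parse_events(lines), key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end, cur in enumerate(evs):
            while cur["ts"] - evs[start]["ts"] > window:   # slide the window forward
                start += 1
            win = evs[start:end + 1]
            ports_per_host = defaultdict(set)
            for e in win:
                ports_per_host[e["dst"]].add(e["dpt"])
            widest = max(len(p) for p in ports_per_host.values())
            kinds = []
            if widest >= port_threshold:
                kinds.append("port scan")
            if len(ports_per_host) >= host_threshold:
                kinds.append("host sweep")
            for kind in kinds:   # keep extending an existing alert instead of re-raising it
                a = alerts.setdefault((src, kind), {"src": src, "kind": kind, "first": win[0]["ts"],
                                                     "last": None, "hosts": 0, "ports": 0, "probes": set()})
                a["last"] = cur["ts"]
                a["hosts"] = max(a["hosts"], len(ports_per_host))
                a["ports"] = max(a["ports"], widest)
                a["probes"] |= {e["probe"] for e in win}
    return list(alerts.values())


def _line(sec, src, dst, dpt, flags=None, proto="TCP"):
    """Build one constructed log line, `sec` seconds after a fixed start time."""
    ts = (datetime(2024, 3, 1, 10, 0, 0) + timedelta(seconds=sec)).isoformat()
    tail = "" if flags is None else f" FLAGS={flags}"
    return f"{ts} DROP SRC={src} DST={dst} PROTO={proto} DPT={dpt}{tail}"


# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG = (
    # half-open scan of 12 ports on one host, then an Xmas and a NULL probe
    [_line(i, "203.0.113.7", "192.0.2.10", 20 + i, "SYN") for i in range(12)]
    + [_line(12, "203.0.113.7", "192.0.2.10", 443, "FIN,PSH,URG"),
       _line(13, "203.0.113.7", "192.0.2.10", 8080, "")]
    # ACK-ping host discovery across six hosts on port 80
    + [_line(30 + i, "198.51.100.5", f"192.0.2.{i + 1}", 80, "ACK") for i in range(6)]
    # two stray drops from an internal host, below every threshold, plus an unrelated line
    + [_line(40, "192.0.2.50", "192.0.2.10", 3389, "SYN"),
       _line(41, "192.0.2.50", "192.0.2.10", 445, "SYN"),
       "Mar  1 10:00:42 fw kernel: unrelated line"]
)

if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG):
        print(f'{a["src"]:14} {a["kind"]:10} hosts={a["hosts"]} ports={a["ports"]} probes={sorted(a["probes"])}')
```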

Footprinting


The first step in a cyberattack, or a penetration test, is footprinting. The attacker/analyst tries to get information about the targeted infrastructure. Thanks to footprinting techniques, attackers can obtain information such as:

  • personal data, skills, experience and interests of company’s employees;
  • company headquarters;
  • technologies in use (middleware, operating systems);
  • suppliers and consultants who collaborate periodically with the company;
  • network blocks and topology;
  • DNS records.

We can divide footprinting techniques into two macro areas:

  • active: it involves the collection of information through direct interaction with the target. It is a riskier practice than the passive one, as it could leave traces: the systems of the attacked organization could (and should) detect the information gathering attempt. Some examples of active footprinting are the use of web spiders, email tracking, traceroute and social engineering techniques.
  • passive: it involves the collection of information without direct interaction with the target. Some examples are the use of search engines, social networks and job posting sites, and the analysis of data received from providers that monitor the target’s website traffic or commercial performance, or that deliver reports about its future commercial operations.

Identifying the technologies adopted by the target drastically simplifies the attacker’s job. Knowing that certain technologies are in use, that good security practices are lacking, or that the security posture is poor increases the attacker’s chances of success.

When we perform a penetration test in which the company aims to identify the chances of an attacker completely unrelated to the organization, footprinting activities heavily influence the success of the test.

Footprinting with search engines and social networks

Search engines offer a myriad of information to the attacker. The advanced functions available in Google, Bing and other search engines reveal information that companies are not even aware they expose to the public.

The technique, combined with the most used search engine, has taken the name of Google Hacking. For more information, you can consult our article about the Google Hacking Database.

Thanks to search engines, an attacker gets to know the technologies in use (web servers, firewalls, IDS, WAF, third-party applications), IoT devices, applications intended for internal use only and much other information about the target.

Like search engines, social networks provide an enormous quantity of information to attackers.

An attacker can dig through LinkedIn to understand who the key people of the organization are, and what their experience and knowledge are. You can get to know their interests, their religious and political beliefs, their weaknesses. Afterwards, the attacker can exploit the gathered information to perform a social engineering attack.

Tools like theHarvester and sublist3r simplify the attacker's job by reducing the manual work.

Footprinting through job posting sites

The following image shows the information revealed on a job advertisement post. The job post is real. I found it on the platform indeed.com.

The company is looking for an IT System Administrator with knowledge of Linux and Solaris. They even mention the Linux distribution names and the Solaris release version. You can bet they have got some LAMP servers, that they probably monitor their infrastructure using Nagios and that they use Oracle and DB2 as RDBMS. Their infrastructure may include J2EE containers like GlassFish and JBoss and servlet containers like Tomcat. Even though Windows XP and Windows 7 reached end of life over 5 and 2 years ago respectively, they are still asking for people with experience on them.

You are getting information not only about the technologies in use; you are also outlining the security posture of the company.

Job posts can tell you a lot more. Are they searching for IT security specialists? Besides the tools and countermeasures adopted, they may even tell you how big their security team is. Are they even trying to fill important roles like CIO or CISO?

Tools and services:

We suggest looking at the following tools. We wrote a brief description of each of them: Sublist3r, theHarvester, Shodan, Sherlock, Burp Suite, Metagoofil, ExifTool, DNSRecon, traceroute.

Countermeasures

Your employees' and colleagues' awareness of attackers' behaviour and techniques is fundamental for your company's safety. Every company must adopt a security awareness policy to inform its employees about the security risks they are exposed to inside and outside the office.

The adoption of security policies (hardening of the systems, analysis and review of IDS/IPS and other monitoring tools, etc.) and the definition of roles and responsibilities will allow a company to quickly detect and react to attackers' attempts to gather information, or to exploit the knowledge they previously gained through passive footprinting techniques.
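As an added example that is not part of the original article, the following Python script shows the kind of detection logic a monitoring team can run over web server access logs to spot the active footprinting described above (web spiders and path enumeration): it groups requests by source, and flags sources that hit many distinct paths in a short window, produce mostly 404s, or use a scripted user agent. The log lines, addresses and thresholds are constructed assumptions, not data from the article.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format lines (not real traffic, RFC 5737 addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2023:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2023:12:00:09 +0000] "GET /about HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2023:12:00:03 +0000] "GET /admin HTTP/1.1" 404 210 "-" "python-requests/2.28"
198.51.100.9 - - [10/Mar/2023:12:00:03 +0000] "GET /backup HTTP/1.1" 404 210 "-" "python-requests/2.28"
198.51.100.9 - - [10/Mar/2023:12:00:04 +0000] "GET /old HTTP/1.1" 404 210 "-" "python-requests/2.28"
198.51.100.9 - - [10/Mar/2023:12:00:05 +0000] "GET /robots.txt HTTP/1.1" 200 90 "-" "python-requests/2.28"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    # One combined-format line -> dict, or None if the line does not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def flag_footprinting(log_text, window_s=60, min_requests=4, max_404_ratio=0.5):
    """Return {ip: [reasons]} for sources that look like active footprinting:
    many distinct paths in a short window, a high share of 404s (path guessing)
    or a scripted user agent. The thresholds are assumptions; tune them."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        paths = {r["path"] for r in recs}
        ratio = sum(r["status"] == 404 for r in recs) / len(recs)
        ua = recs[0]["ua"].lower()
        reasons = []
        if len(recs) >= min_requests and span <= window_s and len(paths) >= min_requests:
            reasons.append(f"{len(paths)} distinct paths in {span:.0f}s")
        if len(recs) >= min_requests and ratio > max_404_ratio:
            reasons.append(f"404 ratio {ratio:.2f}")
        if any(t in ua for t in ("python-requests", "curl/", "wget/", "spider", "crawler")):
            reasons.append(f"scripted user agent: {recs[0]['ua']}")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

On the sample, only 198.51.100.9 is flagged, with all three reasons; the browser-like source with two requests is left alone.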

Black Hat, White Hat, Gray Hat, Script Kiddies – Who Are They?


The term hacker often takes on a negative connotation. 

In the past, we often focused on the distinction between a hacker, a person with deep security knowledge who explores technologies, systems and related vulnerabilities out of pure passion, and a cracker, the "malicious" counterpart, who uses that knowledge to cause damage and to steal data of a certain value (for example, credit cards).

RFC1392 provides the following definitions:

   hacker

      A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. The term is often misused in a pejorative context, where "cracker" would be the correct term.

   cracker

      A cracker is an individual who attempts to access computer systems without authorization. These individuals are often malicious, as opposed to hackers, and have many means at their disposal for breaking into a system.

Unfortunately, the media have never bothered to understand the distinction and, for the general public, there is no difference between crackers and hackers.

In our opinion, here is the correct terminology to be used in the security sector:

Black hats (Crackers)

Crackers, or black hats, have extraordinary computing skills but lack ethics. They may violate laws by committing malicious or destructive acts.

Script Kiddies

An unskilled cracker who compromises systems using tools, scripts and software developed by others.

White Hats (Ethical Hacker)

An individual who uses their hacking skills for defensive purposes.

They analyse computer systems or networks to detect security issues and give recommendations for improvement to their owners.

A white hat will penetrate a system only with the authorisation of, and upon request from, the infrastructure owner.

Gray Hats

Gray hats use their skills both offensively and defensively. 

They often look for system vulnerabilities without the permission or knowledge of the owner. If they find a security issue, they may reveal it to the owner upon the payment of a small fee. Sometimes, their ultimate goal is to show their skills and create awareness about the intrinsic insecurity of the Internet.

It may be useful to know some additional terms. State-sponsored hackers are employed by a government to penetrate other governments' systems in order to cause damage or obtain top-secret information. You have surely heard about cyber terrorists, individuals driven by political or religious beliefs to create fear among civilians and influence the policy of the targeted governments.