Category Archives: Education

Vulnerabilities of the TLS Protocol


Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are widely used protocols for securing online communication. They provide encryption and authentication between two applications over a network, protecting the confidentiality and integrity of the data exchanged between them.

However, SSL/TLS is not invulnerable, and over the years several vulnerabilities have been discovered that can compromise the security of online transactions. One of the most significant is the POODLE attack, discovered in 2014, which affects older versions of SSL/TLS. It exploits the way those versions handle padding in the encryption process, enabling an attacker to read encrypted information, including sensitive data such as passwords and credit card numbers.

Another is the BEAST attack, which exploits a flaw in the way older versions of SSL/TLS handle block ciphers. It allows an attacker to intercept and decrypt secure HTTPS cookies, potentially giving them access to sensitive data.

A third is the DROWN attack, which targets weak protocols such as SSLv2. It allows an attacker to read encrypted data transmitted over an SSL/TLS connection by exploiting a flaw in the SSLv2 protocol. Even though SSLv2 is considered obsolete and is no longer used in practice, some older systems may still have it enabled, leaving them vulnerable.

To secure your online transactions, it is essential to be aware of these SSL/TLS vulnerabilities and to take the necessary precautions. To start with, use the latest version of TLS, which is currently TLS 1.3, and disable support for older, insecure protocols such as SSLv2 and SSLv3.

It is also important to use strong cipher suites and to test your TLS configuration regularly for potential vulnerabilities. This can be done with tools such as SSL Labs’ SSL Server Test, which checks the strength of a TLS configuration and identifies potential weaknesses.

Another crucial step is to keep your TLS certificates up to date. Certificates verify the identity of the server you are communicating with, so that an attacker cannot impersonate it and intercept your data. Certificates have an expiration date, so renew them before they expire to maintain that protection.

Finally, consider using other security measures like firewalls, antivirus software, and two-factor authentication to provide an additional layer of protection.

By taking these necessary precautions, you can significantly reduce the risk of SSL/TLS vulnerabilities and ensure the maximum security of your online transactions.
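As an added illustration of the hardening advice above (this is not code from the original post), the following Python uses the standard-library ssl module to build the weak and the hardened client configuration side by side, audit a context against the article's policy (TLS 1.2 minimum, TLS 1.3 preferred, certificate required and matched to the hostname), and compute how many days remain on a certificate from the fields that getpeercert() returns. The sample certificate fields and the fixed "now" timestamp are constructed for the example.

```python
import ssl
import time

# Lowest protocol version the article's advice accepts: TLS 1.2, with TLS 1.3
# preferred. SSLv2/SSLv3 and TLS 1.0/1.1 fall below this floor and are refused.
MIN_ACCEPTABLE = ssl.TLSVersion.TLSv1_2


def legacy_context():
    """The 'before' configuration, constructed for illustration: accept every
    protocol version the linked OpenSSL still supports and skip certificate
    verification entirely."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """Client context following the article's advice: TLS 1.2 minimum, TLS 1.3
    negotiated where the server offers it, peer certificate required and
    matched against the hostname, using the system trust store."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx):
    """Findings for an SSLContext; an empty list means it passes the policy.
    MINIMUM_SUPPORTED sorts below every concrete version, so a context that
    never set a floor is reported as well."""
    findings = []
    if ctx.minimum_version < MIN_ACCEPTABLE:
        findings.append("accepts protocol versions below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("certificate not matched against hostname")
    return findings


def cert_days_remaining(peer_cert, now=None):
    """Days until a certificate expires, read from a dict in the shape that
    SSLSocket.getpeercert() returns ('notAfter' as 'Mon DD HH:MM:SS YYYY GMT').
    A negative result means the certificate has already expired."""
    expires = ssl.cert_time_to_seconds(peer_cert["notAfter"])
    now = time.time() if now is None else now
    return (expires - now) / 86400.0


# Constructed sample certificate fields (not a real certificate) and a fixed
# reference time one week before its expiry, used for a repeatable check.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Jan 01 00:00:00 2025 GMT",
    "notAfter": "Jan 01 00:00:00 2026 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Dec 25 00:00:00 2025 GMT")

if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["ok"])
    print("days remaining at sample time:", cert_days_remaining(SAMPLE_CERT, now=SAMPLE_NOW))
```

Running the script prints the findings for each context and the remaining certificate lifetime. audit_context() is the part worth reusing, for instance as a unit test in a deployment pipeline that fails when an application's context drifts below TLS 1.2 or stops requiring a certificate; an external scan such as SSL Labs' test then confirms what the server actually negotiates.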

CWE


CWE (Common Weakness Enumeration) is a list of common types of hardware and software defects that have security implications. The CWE list can be used as a framework to describe and communicate such vulnerabilities in terms of CWE identifiers.

The goal is to support methods, including automated ones, for controlling and preventing software errors. CWE can be used at the development stage, during code review, and later during penetration testing to classify a vulnerability and communicate its type to developers. The list is at version 4.7 and contains over 600 categories of weaknesses and vulnerabilities.

The CWE Top 25 Most Dangerous Software Weaknesses is a list of the most common programming errors that can lead to software vulnerabilities. Weaknesses in the CWE Top 25 are usually easy to detect and exploit. For example, CWE-79 covers Cross-Site Scripting and CWE-89 covers SQL Injection. A similar project is the OWASP (Open Web Application Security Project) Top Ten. Compared to the CWE Top 25, the OWASP Top Ten focuses solely on vulnerabilities in web applications.
The CWE Most Important Hardware Weakness List serves the same purpose, but it focuses on hardware defects.
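To make the CWE-89 classification concrete, here is an added example (not from the original post, and not MITRE's material) in Python with the standard-library sqlite3 module: a lookup that splices the username into the SQL text, the parameterized version that mitigates it, and a small wrapper that reports which behaviour it observed. The table and the usernames are constructed for the example.

```python
import sqlite3

# Constructed sample rows; the second name contains a quote, which is a
# perfectly legitimate value that a CWE-89 lookup cannot handle.
SAMPLE_USERS = [("alice", "admin"), ("o'brien", "user")]


def make_db():
    """In-memory table seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_role_cwe89(conn, username):
    """CWE-89 instance: the value is spliced into the SQL text, so any quote
    in it is parsed as SQL syntax rather than treated as data."""
    sql = "SELECT role FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_role_fixed(conn, username):
    """Mitigation: a bound parameter is always data. The SQL text is fixed and
    the driver passes the value separately, so quotes cannot alter the query."""
    sql = "SELECT role FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def classify(fn, conn, username):
    """Run a lookup and report how it behaved. A syntax error on a quoted
    name is the tell-tale sign, in code review or testing, that user input
    reaches the SQL parser, which is exactly what CWE-89 describes."""
    try:
        return ("ok", fn(conn, username))
    except sqlite3.OperationalError as exc:
        return ("CWE-89: input reached the SQL parser", str(exc))


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "o'brien"):
        print(name, "vulnerable ->", classify(lookup_role_cwe89, db, name))
        print(name, "fixed      ->", classify(lookup_role_fixed, db, name))
```

Both lookups agree on "alice"; only the parameterized one returns the right row for "o'brien", while the string-built query fails with a syntax error. That failure mode is why the weakness is cheap to detect in review and why the fix (bound parameters) is the standard mitigation CWE-89 points to.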

Please check our post about Vulnerability Analysis to learn more about CWE usage.

The full list of CWEs follows.

  • CWE-1302 – Missing Security Identifier

    Description: The product implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. A transaction is sent without a security identifier.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-1294
    Consequences: Confidentiality, Integrity, Availability, Access Control: Modify Memory, Read Memory, DoS:…

  • CWE-1303 – Non-Transparent Sharing of Microarchitectural Resources

    Description: Hardware structures shared across execution contexts (e.g., caches and branch predictors) can violate the expected architecture isolation between contexts.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-1189, CWE-203
    Consequences: Confidentiality: Read Application Data, Read Memory. Microarchitectural side-channels have been used to leak specific information such as cryptographic keys, and…

  • CWE-1269 – Product Released in Non-Release Configuration

    Description: The product released to market is released in pre-production or manufacturing configuration.
    Modes of Introduction: Implementation
    Related Weaknesses: CWE-693
    Consequences: Confidentiality, Integrity, Availability, Access Control, Accountability, Authentication, Authorization, Non-Repudiation: Other
    Potential Mitigations: Phase: Implementation. Ensure that there exists a marker for denoting the Manufacturing Complete stage and that…

  • CWE-127 – Buffer Under-read

    Description: The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer. This typically occurs when the pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid…

  • CWE-1270 – Generation of Incorrect Security Tokens

    Description: The product implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens generated in the system are incorrect.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-284, CWE-1294
    Consequences: Confidentiality, Integrity, Availability, Access Control: Modify Files…

  • CWE-1271 – Uninitialized Value on Reset for Registers Holding Security Settings

    Description: Security-critical logic is not set to a known value on reset.
    Modes of Introduction: Implementation
    Related Weaknesses: CWE-665
    Consequences: Access Control, Authentication, Authorization: Varies by Context
    Potential Mitigations: Phase: Implementation. Design checks should be performed to identify any uninitialized flip-flops used for security-critical functions. Phase: Architecture and Design…

  • CWE-1272 – Sensitive Information Uncleared Before Debug/Power State Transition

    Description: The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-226, CWE-200
    Consequences: Confidentiality, Integrity, Availability, Access Control, Accountability, Authentication, Authorization, Non-Repudiation: Read…

  • CWE-1274 – Improper Access Control for Volatile Memory Containing Boot Code

    Description: The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have sufficient access control or other protections for the Volatile Memory.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-284
    Consequences: Access Control, Integrity: Modify Memory, Execute Unauthorized…

  • CWE-1275 – Sensitive Cookie with Improper SameSite Attribute

    Description: The SameSite attribute for sensitive cookies is not set, or an insecure value is used. The SameSite attribute controls how cookies are sent for cross-domain requests. This attribute may have three values: ‘Lax’, ‘Strict’, or ‘None’. If the ‘None’ value is used, a website may create a cross-domain POST HTTP request to another website,…

  • CWE-1276 – Hardware Child Block Incorrectly Connected to Parent System

    Description: Signals between a hardware IP and the parent system design are incorrectly connected, causing security risks.
    Modes of Introduction: Implementation
    Related Weaknesses: CWE-284
    Consequences: Confidentiality, Integrity, Availability: Varies by Context
    Potential Mitigations: Phase: Testing. System-level verification may be used to ensure that components are correctly connected and that…

  • CWE-1277 – Firmware Not Updateable

    Description: The product does not provide its users with the ability to update or patch its firmware to address any vulnerabilities or weaknesses that may be present. Without the ability to patch or update firmware, consumers will be left vulnerable to exploitation of any known vulnerabilities, or any vulnerabilities that are discovered in the future.…

  • CWE-1278 – Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques

    Description: Information stored in hardware may be recovered by an attacker with the capability to capture and analyze images of the integrated circuit using techniques such as scanning electron microscopy.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-693
    Consequences: Confidentiality: Varies by Context. A common goal of malicious actors who…

  • CWE-1279 – Cryptographic Operations are run Before Supporting Units are Ready

    Description: Performing cryptographic operations without ensuring that the supporting inputs are ready to supply valid data may compromise the cryptographic result. Many cryptographic hardware units depend upon other hardware units to supply information to them to produce a securely encrypted result. For example, a cryptographic unit that depends on an external random-number-generator (RNG) unit for…

  • CWE-128 – Wrap-around Error

    Description: Wrap-around errors occur whenever a value is incremented past the maximum value for its type and therefore “wraps around” to a very small, negative, or undefined value. Due to how addition is performed by computers, if a primitive is incremented past the maximum value possible for its storage space, the system will not…

  • CWE-1280 – Access Control Check Implemented After Asset is Accessed

    Description: A product’s hardware-based access control check occurs after the asset has been accessed.
    Modes of Introduction: Implementation
    Related Weaknesses: CWE-696, CWE-284
    Consequences: Access Control, Confidentiality, Integrity: Modify Memory, Read Memory, Modify Application Data, Read Application Data, Gain Privileges or Assume Identity, Bypass Protection Mechanism
    Potential Mitigations: Phase: Implementation.…

  • CWE-1281 – Sequence of Processor Instructions Leads to Unexpected Behavior

    Description: Specific combinations of processor instructions lead to undesirable behavior such as locking the processor until a hard reset is performed.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-691
    Consequences: Integrity, Availability: Varies by Context
    Potential Mitigations: Phase: Testing. Implement a rigorous testing strategy that incorporates randomization to explore…

  • CWE-1282 – Assumed-Immutable Data is Stored in Writable Memory

    Description: Immutable data, such as a first-stage bootloader, device identifiers, and “write-once” configuration settings are stored in writable memory that can be re-programmed or updated in the field.
    Modes of Introduction: Implementation
    Related Weaknesses: CWE-668, CWE-471
    Consequences: Integrity: Varies by Context
    Potential Mitigations: Phase: Implementation. All immutable code or…

  • CWE-1283 – Mutable Attestation or Measurement Reporting Data

    Description: The register contents used for attestation or measurement reporting data to verify boot flow are modifiable by an adversary.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-284
    Consequences: Confidentiality: Read Memory, Read Application Data
    Potential Mitigations: Phase: Architecture and Design

  • CWE-1284 – Improper Validation of Specified Quantity in Input

    Description: The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
    Modes of Introduction: Implementation
    Related Weaknesses: CWE-20
    Consequences: Other: Varies by Context. Since quantities are used so often to…

  • CWE-1285 – Improper Validation of Specified Index, Position, or Offset in Input

    Description: The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties.
    Modes of Introduction: Implementation
    Related Weaknesses: CWE-20
    Consequences: Other: Varies…

  • CWE-1286 – Improper Validation of Syntactic Correctness of Input

    Description: The product receives input that is expected to be well-formed – i.e., to comply with a certain syntax – but it does not validate or incorrectly validates that the input complies with the syntax.
    Modes of Introduction: Implementation
    Related Weaknesses: CWE-20
    Consequences: Other: Varies by Context
    Potential Mitigations: Phase:…

  • CWE-1250 – Improper Preservation of Consistency Between Independent Representations of Shared State

    Description: The product has or supports multiple distributed components or sub-systems that are each required to keep their own local copy of shared data – such as state or cache – but the product does not ensure that all local copies remain consistent with each other.
    Related Weaknesses: CWE-664…

  • CWE-1251 – Mirrored Regions with Different Values

    Description: The product’s architecture mirrors regions without ensuring that their contents always stay in sync.
    Related Weaknesses: CWE-1250
    Consequences: Confidentiality, Integrity, Availability, Access Control, Accountability, Authentication, Authorization, Non-Repudiation: Varies by Context
    Potential Mitigations: Phase: Architecture and Design. Effectiveness: Moderate

  • CWE-1252 – CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations

    Description: The CPU is not configured to provide hardware support for exclusivity of write and execute operations on memory. This allows an attacker to execute data from all of memory.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-284
    Consequences: Confidentiality, Integrity: Execute Unauthorized Code or Commands
    Potential Mitigations: Phase:…

  • CWE-1253 – Incorrect Selection of Fuse Values

    Description: The logic level used to set a system to a secure state relies on a fuse being unblown. An attacker can set the system to an insecure state merely by blowing the fuse.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-693
    Consequences: Access Control, Authorization: Bypass Protection Mechanism, Gain…

  • CWE-1254 – Incorrect Comparison Logic Granularity

    Description: The product’s comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes. Modes…

  • CWE-1255 – Comparison Logic is Vulnerable to Power Side-Channel Attacks

    Description: A device’s real-time power consumption may be monitored during security token evaluation and the information gleaned may be used to determine the value of the reference token.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-1300, CWE-1259
    Consequences: Confidentiality, Integrity, Availability, Access Control, Accountability, Authentication, Authorization, Non-Repudiation: Modify Memory,…

  • CWE-1256 – Improper Restriction of Software Interfaces to Hardware Features

    Description: The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit functionality that can lead to modification of hardware memory or register bits, or the ability to observe physical side channels.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-285
    Consequences:…

  • CWE-1257 – Improper Access Control Applied to Mirrored or Aliased Memory Regions

    Description: Aliased or mirrored memory regions in hardware designs may have inconsistent read/write permissions enforced by the hardware. A possible result is that an untrusted agent is blocked from accessing a memory region but is not blocked from accessing the corresponding aliased memory region.
    Modes of Introduction: Architecture and Design
    Related Weaknesses:…

  • CWE-1258 – Exposure of Sensitive System Information Due to Uncleared Debug Information

    Description: The hardware does not fully clear security-sensitive values, such as keys and intermediate values in cryptographic operations, when debug mode is entered.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-212, CWE-200
    Consequences: Confidentiality: Read Memory; Access Control: Bypass Protection Mechanism
    Potential Mitigations: Phase: Architecture and Design
    CVE…

  • CWE-1259 – Improper Restriction of Security Token Assignment

    Description: The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens are improperly protected. Systems-On-A-Chip (integrated circuits and hardware engines) implement Security Tokens to differentiate and identify which actions originated from which agent. These actions may be one…

  • CWE-126 – Buffer Over-read

    Description: The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer. This typically occurs when the pointer or its index is incremented to a position beyond the bounds of the buffer or when pointer arithmetic results in a position outside of the…

  • CWE-1260 – Improper Handling of Overlap Between Protected Memory Ranges

    Description: The product allows address regions to overlap, which can result in the bypassing of intended memory protection.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-284, CWE-119
    Consequences: Confidentiality, Integrity, Availability: Modify Memory, Read Memory, DoS: Instability
    Potential Mitigations: Phase: Architecture and Design; Phase: Implementation (Effectiveness: High).…

  • CWE-1261 – Improper Handling of Single Event Upsets

    Description: The hardware logic does not effectively handle when single-event upsets (SEUs) occur.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-1384, CWE-1254
    Consequences: Availability, Access Control: DoS: Crash, Exit, or Restart, DoS: Instability, Gain Privileges or Assume Identity, Bypass Protection Mechanism
    Potential Mitigations: Phase: Architecture and Design; Phase:…

  • CWE-1262 – Improper Access Control for Register Interface

    Description: The product uses memory-mapped I/O registers that act as an interface to hardware functionality from software, but there is improper access control to those registers.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-284
    Consequences: Confidentiality, Integrity: Read Memory, Read Application Data, Modify Memory, Modify Application Data, Gain Privileges or…

  • CWE-1263 – Improper Physical Access Control

    Description: The product is designed with access restricted to certain information, but it does not sufficiently protect against an unauthorized actor with physical access to these areas. Sections of a product intended to have restricted access may be inadvertently or intentionally rendered accessible when the implemented physical protections are insufficient. The specific requirements around how…

  • CWE-1264 – Hardware Logic with Insecure De-Synchronization between Control and Data Channels

    Description: The hardware logic for error handling and security checks can incorrectly forward data before the security check is complete.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-821, CWE-1037
    Consequences: Confidentiality: Read Memory, Read Application Data
    Potential Mitigations: Phase: Architecture and Design
    CVE References: CVE-2017-5754. Systems with microprocessors…

  • CWE-1265 – Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls

    Description: During execution of non-reentrant code, the software performs a call that unintentionally produces a nested invocation of the non-reentrant code. In complex software, a single function call may lead to many different possible code paths, some of which may involve deeply nested calls. It may be difficult to foresee all possible code paths that…

  • CWE-1266 – Improper Scrubbing of Sensitive Data from Decommissioned Device

    Description: The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insufficient, or incorrect.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-404
    Consequences: Confidentiality: Read Memory
    Potential Mitigations: Phase: Architecture…

  • CWE-1267 – Policy Uses Obsolete Encoding

    Description: The product uses an obsolete encoding mechanism to implement access controls.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-284
    Consequences: Confidentiality, Integrity, Availability, Access Control: Modify Memory, Read Memory, Modify Files or Directories, Read Files or Directories, DoS: Resource Consumption (Other), Execute Unauthorized Code or Commands, Gain Privileges or…

  • CWE-1268 – Policy Privileges are not Assigned Consistently Between Control and Data Agents

    Description: The product’s hardware-enforced access control for a particular resource improperly accounts for privilege discrepancies between control and write policies.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-284
    Consequences: Confidentiality, Integrity, Availability, Access Control: Modify Memory, Read Memory, DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands, Gain Privileges…

  • CWE-1231 – Improper Prevention of Lock Bit Modification

    Description: The product uses a trusted lock bit for restricting access to registers, address regions, or other resources, but the product does not prevent the value of the lock bit from being modified after it has been set.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-284
    Consequences: Access Control: Modify…

  • CWE-1232 – Improper Lock Behavior After Power State Transition

    Description: Register lock bit protection disables changes to system configuration once the bit is set. Some of the protected registers or lock bits become programmable after power state transitions (e.g., entry into and wake from low-power sleep modes), causing the system configuration to be changeable.
    Modes of Introduction: Architecture and Design
    Related…

  • CWE-1233 – Security-Sensitive Hardware Controls with Missing Lock Bit Protection

    Description: The product uses a register lock bit protection mechanism, but it does not ensure that the lock bit prevents modification of system registers or controls that perform changes to important hardware system configuration.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-284, CWE-667
    Consequences: Access Control: Modify Memory. System Configuration…

  • CWE-1234 – Hardware Internal or Debug Modes Allow Override of Locks

    Description: System configuration protection may be bypassed during debug mode.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-667
    Consequences: Access Control: Bypass Protection Mechanism. Bypass of the lock bit allows access to and modification of system configuration even when the lock bit is set.
    Potential Mitigations: Phase: Architecture and Design, Implementation,…

  • CWE-1235 – Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations

    Description: The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations.
    Modes of Introduction: Implementation
    Related Weaknesses: CWE-400
    Consequences: Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other), Reduce Performance. Incorrect autoboxing/unboxing would result in reduced performance, which sometimes can lead to resource consumption issues.…

  • CWE-1236 – Improper Neutralization of Formula Elements in a CSV File

    Description: The software saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by spreadsheet software. User-provided data is often saved to traditional databases. This data can be exported to a CSV file, which…

  • CWE-1239 – Improper Zeroization of Hardware Register

    Description: The hardware product does not properly clear sensitive information from built-in registers when the user of the hardware block changes. Hardware logic operates on data stored in registers local to the hardware block. Most hardware IPs, including cryptographic accelerators, rely on registers to buffer I/O, store intermediate values, and interface with software. The result…

  • CWE-124 – Buffer Underwrite (‘Buffer Underflow’)

    Description: The software writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer. This typically occurs when a pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory…

  • CWE-1240 – Use of a Cryptographic Primitive with a Risky Implementation

    Description: To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic implementation.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-327
    Consequences: Confidentiality: Read Application Data. Incorrect usage of crypto primitives could render the supposedly encrypted data as unencrypted plaintext…

  • CWE-1241 – Use of Predictable Algorithm in Random Number Generator

    Description: The device uses an algorithm that is predictable and generates a pseudo-random number.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-330
    Consequences: Confidentiality: Read Application Data
    Potential Mitigations: Phase: Architecture and Design. A true random number generator should be specified for cryptographic algorithms. Phase: Implementation. A…

  • CWE-1242 – Inclusion of Undocumented Features or Chicken Bits

    Description: The device includes chicken bits or undocumented features that can create entry points for unauthorized actors.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-284
    Consequences: Confidentiality, Integrity, Availability, Access Control: Modify Memory, Read Memory, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, Bypass Protection Mechanism
    Potential…

  • CWE-1243 – Sensitive Non-Volatile Information Not Protected During Debug

    Description: Access to security-sensitive information stored in fuses is not limited during debug.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-1263
    Consequences: Confidentiality, Access Control: Modify Memory, Bypass Protection Mechanism
    Potential Mitigations: Phase: Architecture and Design, Implementation

  • CWE-1244 – Internal Asset Exposed to Unsafe Debug Access Level or State

    Description: The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an internal asset, providing unintended access to the asset from untrusted debug agents.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-863
    Consequences: Confidentiality: Read Memory; Integrity:…

  • CWE-1245 – Improper Finite State Machines (FSMs) in Hardware Logic

    Description: Faulty finite state machines (FSMs) in the hardware logic allow an attacker to put the system in an undefined state, to cause a denial of service (DoS) or gain privileges on the victim’s system.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-684
    Consequences: Availability, Access Control: Unexpected State, DoS:…

  • CWE-1246 – Improper Write Handling in Limited-write Non-Volatile Memories

    Description: The product does not implement or incorrectly implements wear leveling operations in limited-write non-volatile memories.
    Modes of Introduction: Architecture and Design
    Related Weaknesses: CWE-664
    Consequences: Availability: DoS: Instability
    Potential Mitigations: Phase: Architecture and Design, Implementation, Testing (Effectiveness: High). Include secure wear leveling algorithms and ensure they may not…

  • CWE-1247 – Improper Protection Against Voltage and Clock Glitches

    Description: The device does not contain, or contains incorrectly implemented, circuitry or sensors to detect and mitigate voltage and clock glitches and protect sensitive information or software contained on the device.
    Modes of Introduction: Operation
    Related Weaknesses: CWE-1384
    Consequences: Confidentiality, Integrity, Availability, Access Control: Gain Privileges or Assume Identity, Bypass Protection…

  • CWE-1248 – Semiconductor Defects in Hardware Logic with Security-Sensitive Implications

    Description: The security-sensitive hardware module contains semiconductor defects.
    Modes of Introduction: Manufacturing
    Related Weaknesses: CWE-693
    Consequences: Availability, Access Control: DoS: Instability
    Potential Mitigations: Phase: Testing; Phase: Operation

  • CWE-1249 – Application-Level Admin Tool with Inconsistent View of Underlying Operating System

    Description: The product provides an application for administrators to manage parts of the underlying operating system, but the application does not accurately identify all of the relevant entities or resources that exist in the OS; that is, the application’s model of the OS’s state is inconsistent with the OS’s actual state.
    Modes of Introduction:…

  • CWE-125 – Out-of-bounds Read

    Description: The software reads data past the end, or before the beginning, of the intended buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. A crash can occur when the code reads a variable amount of data and assumes that a sentinel exists to stop the…

  • CWE-1188 – Insecure Default Initialization of Resource

    Description The software initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure. Modes of Introduction:     Related Weaknesses CWE-665   Consequences   Potential Mitigations CVE References

  • CWE-1189 – Improper Isolation of Shared Resources on System-on-a-Chip (SoC)

    Description The System-On-a-Chip (SoC) does not properly isolate shared resources between trusted and untrusted agents. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-653 CWE-668 CWE-1331   Consequences Access Control: Bypass Protection Mechanism If resources being used by a trusted user are shared with an untrusted user, the untrusted user may be…

  • CWE-119 – Improper Restriction of Operations within the Bounds of a Memory Buffer

    Description The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-118 CWE-20   Consequences Integrity, Confidentiality, Availability: Execute Unauthorized Code…

  • CWE-1190 – DMA Device Enabled Too Early in Boot Phase

    Description The product enables a Direct Memory Access (DMA) capable device before the security configuration settings are established, which allows an attacker to extract data from or gain privileges on the product. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-696   Consequences Access Control: Bypass Protection Mechanism, Modify Memory DMA devices…

  • CWE-1191 – On-Chip Debug and Test Interface With Improper Access Control

    Description The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-284   Consequences Confidentiality: Read Application Data Confidentiality: Read Memory Authorization: Execute Unauthorized…

  • CWE-1192 – System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers

    Description The System-on-Chip (SoC) does not have unique, immutable identifiers for each of its components. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-657   Consequences Access Control: Bypass Protection Mechanism   Potential Mitigations Phase: Architecture and Design Description:  CVE References

  • CWE-1193 – Power-On of Untrusted Execution Core Before Enabling Fabric Access Control

    Description The product enables components that contain untrusted firmware before memory and fabric access controls have been enabled. Modes of Introduction:     Related Weaknesses CWE-696   Consequences Access Control: Bypass Protection Mechanism An untrusted component can master transactions on the HW bus and target memory or other assets to compromise the SoC boot firmware.…

  • CWE-12 – ASP.NET Misconfiguration: Missing Custom Error Page

    Description An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework’s built-in responses. The mode attribute of the <customErrors> tag defines whether custom or default error pages are used. Modes of Introduction: – Implementation     Related Weaknesses CWE-756   Consequences Confidentiality: Read Application Data Default…

  • CWE-120 – Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

    Description The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold, or…

  • CWE-1204 – Generation of Weak Initialization Vector (IV)

    Description The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive. By design, some cryptographic primitives (such as block ciphers) require that IVs must have certain properties for the uniqueness and/or…

  • CWE-1209 – Failure to Disable Reserved Bits

    Description The reserved bits in a hardware design are not disabled prior to production. Typically, reserved bits are used for future capabilities and should not support any functional logic in the design. However, designers might covertly use these bits to debug or further develop new capabilities in production hardware. Adversaries with access to these bits…

  • CWE-121 – Stack-based Buffer Overflow

    Description A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). There are generally several security-critical data on an execution stack that can lead to arbitrary code execution. The most prominent is the stored return…

  • CWE-122 – Heap-based Buffer Overflow

    Description A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-788 CWE-787  …

  • CWE-1220 – Insufficient Granularity of Access Control

    Description The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive…

  • CWE-1221 – Incorrect Register Defaults or Module Parameters

    Description Hardware description language code incorrectly defines register defaults or hardware IP parameters to insecure values. Modes of Introduction: – Implementation     Related Weaknesses CWE-665   Consequences Confidentiality, Integrity, Availability, Access Control: Varies by Context Degradation of system functionality, or loss of access control enforcement can occur.   Potential Mitigations Phase: Architecture and Design…

  • CWE-1222 – Insufficient Granularity of Address Regions Protected by Register Locks

    Description The product defines a large address region protected from modification by the same register lock control bit. This results in a conflict between the functional requirement that some addresses need to be writable by software during operation and the security requirement that the system configuration lock bit must be set during the boot process.…

  • CWE-1223 – Race Condition for Write-Once Attributes

    Description A write-once register in hardware design is programmable by an untrusted software component earlier than the trusted software component, resulting in a race condition issue. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-362   Consequences Access Control: Bypass Protection Mechanism System configuration cannot be programmed in a secure way.  …

  • CWE-1224 – Improper Restriction of Write-Once Bit Fields

    Description The hardware design control register “sticky bits” or write-once bit fields are improperly implemented, such that they can be reprogrammed by software. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-284   Consequences Confidentiality, Integrity, Availability, Access Control: Varies by Context System configuration cannot be programmed in a secure way.  …

  • CWE-1229 – Creation of Emergent Resource

    Description The product manages resources or behaves in a way that indirectly creates a new, distinct resource that can be used by attackers in violation of the intended policy. Modes of Introduction:     Related Weaknesses CWE-664   Consequences   Potential Mitigations CVE References

  • CWE-123 – Write-what-where Condition

    Description Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow. Modes of Introduction: – Implementation   Likelihood of Exploit: High   Related Weaknesses CWE-787 CWE-119   Consequences Integrity, Confidentiality, Availability, Access Control: Modify Memory, Execute Unauthorized Code or…

  • CWE-1120 – Excessive Code Complexity

    Description The code is too complex, as calculated using a well-defined, quantitative measure. Modes of Introduction:     Related Weaknesses CWE-710   Consequences Other: Reduce Maintainability Other: Reduce Performance   Potential Mitigations CVE References

  • CWE-1121 – Excessive McCabe Cyclomatic Complexity

    Description The code contains McCabe cyclomatic complexity that exceeds a desirable maximum. Modes of Introduction:     Related Weaknesses CWE-1120   Consequences   Potential Mitigations CVE References

  • CWE-1122 – Excessive Halstead Complexity

    Description The code is structured in a way that a Halstead complexity measure exceeds a desirable maximum. Modes of Introduction:     Related Weaknesses CWE-1120   Consequences Other: Reduce Maintainability   Potential Mitigations CVE References

  • CWE-1123 – Excessive Use of Self-Modifying Code

    Description The product uses too much self-modifying code. Modes of Introduction:     Related Weaknesses CWE-1120   Consequences Other: Reduce Maintainability   Potential Mitigations CVE References

  • CWE-1124 – Excessively Deep Nesting

    Description The code contains a callable or other code grouping in which the nesting / branching is too deep. Modes of Introduction:     Related Weaknesses CWE-1120   Consequences Other: Reduce Maintainability   Potential Mitigations CVE References

  • CWE-1125 – Excessive Attack Surface

    Description The product has an attack surface whose quantitative measurement exceeds a desirable maximum. Modes of Introduction:     Related Weaknesses CWE-1120   Consequences   Potential Mitigations CVE References

  • CWE-1126 – Declaration of Variable with Unnecessarily Wide Scope

    Description The source code declares a variable in one scope, but the variable is only used within a narrower scope. Modes of Introduction:     Related Weaknesses CWE-710   Consequences Other: Reduce Maintainability   Potential Mitigations CVE References

  • CWE-1127 – Compilation with Insufficient Warnings or Errors

    Description The code is compiled without sufficient warnings enabled, which may prevent the detection of subtle bugs or quality issues. Modes of Introduction: – Build and Compilation     Related Weaknesses CWE-710   Consequences Other: Reduce Maintainability   Potential Mitigations CVE References

  • CWE-113 – Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Response Splitting’)

    Description The software receives data from an upstream component, but does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. Modes of Introduction: – Implementation     Related Weaknesses CWE-93 CWE-79 CWE-20   Consequences Integrity, Access Control: Modify Application Data, Gain Privileges or Assume Identity CR…

  • CWE-114 – Process Control

    Description Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker. Process control vulnerabilities take two forms: 1. An attacker can change the command that the program executes: the attacker explicitly controls what the command is.…

  • CWE-115 – Misinterpretation of Input

    Description The software misinterprets an input, whether from an attacker or another product, in a security-relevant fashion. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-436   Consequences Integrity: Unexpected State   Potential Mitigations CVE References CVE-2005-2225 Product sees dangerous file extension in free text of a group discussion, disconnects all users.…

  • CWE-116 – Improper Encoding or Escaping of Output

    Description The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. Modes of Introduction: – Architecture and Design   Likelihood of Exploit: High   Related Weaknesses CWE-707 CWE-74  …

  • CWE-1164 – Irrelevant Code

    Description The program contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness. Modes of Introduction:     Related Weaknesses CWE-710   Consequences Other: Reduce Reliability Other:…

  • CWE-117 – Improper Output Neutralization for Logs

    Description The software does not neutralize or incorrectly neutralizes output that is written to logs. Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files may be performed manually on an as-needed…

  • CWE-1173 – Improper Use of Validation Framework

    Description The application does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library. Many modern coding languages provide developers with input validation frameworks to make the task of input validation easier and less error-prone. These frameworks will automatically check all input against specified criteria…

  • CWE-1174 – ASP.NET Misconfiguration: Improper Model Validation

    Description The ASP.NET application does not use, or incorrectly uses, the model validation framework. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-1173   Consequences Integrity: Unexpected State Unchecked input leads to cross-site scripting, process control, and SQL injection vulnerabilities, among others.   Potential Mitigations CVE References

  • CWE-1176 – Inefficient CPU Computation

    Description The program performs CPU computations using algorithms that are not as efficient as they could be for the needs of the developer, i.e., the computations can be optimized further. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-405   Consequences Availability: DoS: Resource Consumption (CPU) Other: Reduce Performance   Potential Mitigations…

  • CWE-1177 – Use of Prohibited Code

    Description The software uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer. Modes of Introduction: – Architecture and Design     Related Weaknesses CWE-710   Consequences Other: Reduce Maintainability   Potential Mitigations CVE References
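Two of the entries above, CWE-113 (CRLF in HTTP headers) and CWE-117 (unneutralised output in logs), share the same root cause: a line break supplied by the user ends the structure the program was building. The following Python is an added example, not code from the CWE entries: a redirect builder that concatenates user input straight into the header block, the hardened version that refuses CR/LF, a naive parser that shows the extra header and body the attacker smuggled in, and a log-line encoder. PAYLOAD and the header names are constructed sample input.

```python
"""CWE-113 and CWE-117: CR and LF reaching an HTTP header block or a log line."""
import re

CRLF = "\r\n"
# Constructed attacker input: a path, then a forged header, then a forged body.
PAYLOAD = "/home\r\nSet-Cookie: session=attacker\r\n\r\n<html>injected</html>"


def build_redirect_vulnerable(location):
    """Concatenates the user-supplied Location straight into the header block (CWE-113)."""
    return f"HTTP/1.1 302 Found{CRLF}Location: {location}{CRLF}{CRLF}"


class HeaderInjection(ValueError):
    """Raised when a header value contains characters that would terminate the header."""


def safe_header_value(value):
    """CR, LF and NUL are never legal inside an HTTP field value. Refuse rather than strip,
    so the caller learns that the input was hostile instead of silently 'fixing' it."""
    if re.search(r"[\r\n\x00]", value):
        raise HeaderInjection("CR/LF in header value")
    return value


def build_redirect_hardened(location):
    """Same response, but the value is checked before it is placed in the header block."""
    return f"HTTP/1.1 302 Found{CRLF}Location: {safe_header_value(location)}{CRLF}{CRLF}"


def parse_headers(raw):
    """Read the response the way a downstream proxy or browser would: the head ends at the
    first blank line, and every CRLF-terminated line after the status line is a header."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = dict(line.split(": ", 1) for line in lines[1:])
    return headers, body


def sanitize_log_field(value):
    """CWE-117: encode line breaks so one log record cannot masquerade as several."""
    return value.replace("\r", "\\r").replace("\n", "\\n")


def log_line(user, action):
    """One record per call, whatever the user name contains."""
    return f"user={sanitize_log_field(user)} action={sanitize_log_field(action)}"


if __name__ == "__main__":
    headers, body = parse_headers(build_redirect_vulnerable(PAYLOAD))
    print("vulnerable:", headers, repr(body))      # forged Set-Cookie and body appear
    try:
        build_redirect_hardened(PAYLOAD)
    except HeaderInjection as err:
        print("hardened:", err)
    print(log_line("admin\nuser=root action=login", "logout"))
```

The parser is deliberately naive because that is how the intermediaries that matter (caches, proxies, the browser) behave: once the attacker controls a CRLF, they control every header that follows and the body. Refusing the value, rather than stripping the characters, keeps the rejection visible in the application's own logs.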

Vulnerability Analysis


A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

NIST Glossary – https://csrc.nist.gov/glossary/term/vulnerability

Vulnerability analysis covers the detection, assessment and classification of vulnerabilities, and their treatment according to the risk they pose to the company.

Vulnerability Identification

A security team can detect vulnerabilities following different approaches. As part of a vulnerability management process, it is good practice to subscribe to the mailing lists in which vulnerabilities and the related countermeasures are disclosed. This service is usually offered by the vendor or, if not available, through third parties. It is a very time-consuming but necessary task: you must perform it on a daily basis to promptly detect vulnerabilities and to comply with several standards and regulations.
Other inputs can come from the reports of the hardening procedures, from the periodic review of the access rules and from the review of the company's policies and procedures.

Tools


Thanks to tools like Nessus and OpenVAS, it is possible to partially automate the discovery and analysis of vulnerabilities. After identifying the active hosts and the related services, we can deepen the analysis and determine the operating system and application versions.

As shown in the figure, Nessus provides the list of vulnerabilities to which each analysed host is potentially vulnerable. Potentially, because the scanner does not attempt to exploit the vulnerability: it mostly infers it from service banners, version numbers and configuration checks. Exploitation, which is often manual, is not part of the vulnerability analysis process and is normally carried out within a penetration test.

CVSS

In the report, vulnerabilities are classified according to the CVSS (Common Vulnerability Scoring System), a framework used to score the severity of software vulnerabilities. CVSS is an important tool that simplifies the vulnerability management process.

Let’s pretend you are in a meeting with the company management and you have to share the results of your vulnerability analysis. The results were not good: you need at least three system administrators for one month to implement the remediation plan. You need to install patches, implement countermeasures, and you have to do it fast. During the meeting, you could try to tell management that you found several RCE-type vulnerabilities on systems deployed in your DMZ, that attackers do not need system or application credentials to perform the attack and that exploits are readily available on the Internet. Or you could report the presence of several CVSS 10 vulnerabilities on critical systems.
For more information on CVSS, in its two versions 2.0 and 3.0, I suggest reading our article.

CVE & NVD

Each publicly known vulnerability has a Common Vulnerabilities and Exposures (CVE) ID, in the form CVE-YYYY-NNNN (the sequence number has four or more digits). The assignment of an ID to each vulnerability allows one to keep track of it and to automate/simplify the integration of the different tools available to an analyst.

Let’s say you have just detected a vulnerability on your firewall appliance. Since it is a well-known vulnerability, it has got a specific CVE-ID. Assuming that your firewall vendor catalogues their vulnerabilities and patches by CVE, it is going to be easy to ask the vendor for additional information, search for the relevant patches and to minimize the possible impacts of applying remediation on the infrastructure. Furthermore, it is going to be easy to find the relevant signature in your IDS/IPS.
CVE is operated by The MITRE Corporation. More details can be obtained on the cve.org website.

NVD (National Vulnerability Database) is managed by NIST (National Institute of Standards and Technology). NVD is a vulnerability database built on top of the CVE list: for each CVE it provides information such as the CVSS score, the affected products and references to advisories, countermeasures and patches.

CWE & OWASP

CWE (Common Weakness Enumeration) is a catalogue of common types of hardware and software weaknesses that have security implications. The CWE list can be used as a common language to describe and communicate the root cause of a vulnerability in terms of CWEs. The CWE Top 25 Most Dangerous Software Weaknesses is a list of the most common and impactful programming errors that lead to software vulnerabilities; the weaknesses in the Top 25 are usually easy to find and exploit. For example, CWE-79 is Cross-Site Scripting while CWE-89 is SQL Injection. A similar project is the OWASP (Open Web Application Security Project) Top Ten. Compared to the CWE Top 25, the OWASP Top Ten focuses solely on the risks of web applications.
The CWE Most Important Hardware Weaknesses list serves the same purpose, but it focuses on hardware weaknesses.

Vulnerability Analysis steps

Vulnerability analysis comprises different phases.

Preparatory phase

It is not possible to carry out a thorough and reliable analysis without a deep knowledge of the infrastructure/application under examination. If a procedure for managing IT services and their related assets (an asset inventory with owners and criticality) is not in place, it is not going to be possible to classify and prioritise vulnerabilities. Let’s say our vulnerability scanner found 300 vulnerabilities on approximately 30 hosts. Which vulnerabilities should I prioritise? Which one shall I remediate immediately? The answer depends not only on the vulnerability severity but also on how important the affected hosts and services are.

Discovery and analysis of vulnerabilities

You performed vulnerability scans, you analysed security advisories, system configurations, your company policies and procedures. You have a comprehensive list of vulnerabilities. You can now prioritise them, identify false positives (and false negatives), and improve the results with your knowledge of the infrastructure/application. At the end of this phase, your security team will produce a vulnerability scan report.
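The preparatory phase and the analysis phase above come together in the prioritisation step: a CVSS score alone cannot place a finding, the asset inventory has to weigh it. The following Python is an added example, not the article's own tooling. The asset inventory, the scanner findings and the weights are constructed assumptions (the CVE IDs use a year that does not exist, so they cannot collide with real entries); in practice the inventory comes from your asset management process and the weights from your risk policy. It also validates the CVE-YYYY-NNNN format described earlier, so that scanner-specific identifiers are not mistaken for CVEs.

```python
"""Rank scanner findings by CVSS severity weighted with asset criticality."""
import re

# CVE-YYYY-NNNN: the sequence part has four or more digits (e.g. CVE-2021-44228).
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")


def is_valid_cve_id(cve_id):
    return bool(CVE_ID.match(cve_id))


# Assumed inventory from the preparatory phase: criticality 1 (low) to 4 (business critical).
ASSETS = {
    "dmz-web-01":  {"criticality": 4, "zone": "dmz"},
    "erp-db-01":   {"criticality": 4, "zone": "internal"},
    "intranet-01": {"criticality": 2, "zone": "internal"},
    "printer-03":  {"criticality": 1, "zone": "internal"},
}

# Constructed scanner output: (host, vulnerability ID, CVSS base score, public exploit available).
FINDINGS = [
    ("printer-03",  "CVE-2099-0001", 10.0, True),
    ("dmz-web-01",  "CVE-2099-0002",  7.5, True),
    ("erp-db-01",   "CVE-2099-0003",  9.8, False),
    ("intranet-01", "CVE-2099-0004",  5.3, False),
    ("intranet-01", "PLUGIN-12345",   8.0, False),   # scanner-specific ID, not a CVE
    ("ghost-host",  "CVE-2099-0005",  9.0, True),    # host missing from the inventory
]

EXPLOIT_WEIGHT = 1.5   # assumption: a public exploit makes the finding more urgent
DMZ_WEIGHT = 1.25      # assumption: internet-facing hosts are reached first


def priority(cvss, asset, exploit_available):
    """Severity of the bug multiplied by how much the affected asset matters."""
    score = cvss * asset["criticality"]
    if exploit_available:
        score *= EXPLOIT_WEIGHT
    if asset["zone"] == "dmz":
        score *= DMZ_WEIGHT
    return round(score, 2)


def prioritize(findings, assets):
    """Return (ranked findings, findings that need manual follow-up).

    A finding goes to follow-up when its host is not in the inventory, because without
    the asset's importance the severity alone cannot place it, or when its ID is not a CVE
    and therefore cannot be cross-referenced with NVD, the vendor or the IDS signatures.
    """
    ranked, follow_up = [], []
    for host, vid, cvss, exploit in findings:
        asset = assets.get(host)
        if asset is None or not is_valid_cve_id(vid):
            reason = "unknown asset" if asset is None else "not a CVE ID"
            follow_up.append({"host": host, "id": vid, "reason": reason})
            continue
        ranked.append({"host": host, "id": vid, "cvss": cvss,
                       "priority": priority(cvss, asset, exploit)})
    ranked.sort(key=lambda f: f["priority"], reverse=True)
    return ranked, follow_up


if __name__ == "__main__":
    ranked, follow_up = prioritize(FINDINGS, ASSETS)
    for f in ranked:
        print(f"{f['priority']:6.2f}  {f['host']:12} {f['id']}  (CVSS {f['cvss']})")
    for f in follow_up:
        print(f"follow-up: {f['host']} {f['id']}: {f['reason']}")
```

With these weights the CVSS 7.5 finding on the DMZ web server ranks first and the CVSS 10 finding on a low-value printer falls to third place: the score answers "how bad is the bug", the inventory answers "how bad is it for us". Whatever weights you choose, write them down and apply them consistently, otherwise the ranking cannot be defended in the management meeting described earlier.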

Post assessment

It is now possible to define a remediation plan. The remediation plan is not a mere list of patches, countermeasures and IPS rules: if your analysis has shown the presence of several SQL Injection, CSRF and XSS vulnerabilities in the software developed internally (or by a specific supplier), you must immediately schedule secure programming training classes for your developers.

If these kinds of vulnerabilities are found on software purchased from third parties, you must tell the service owner to look for a new vendor.

While the first scenario is a symptom of a poor security awareness policy, the second one highlights a poor supplier policy: do you review your supplier security policies after you sign a contract? Do you ask to review their development procedures? Do they regularly perform code reviews? Is security fully integrated into their development life-cycle?
Outsourcing has hidden costs that you always need to consider.

Once the remediation plan has been implemented, the security team shall verify it has been properly implemented. Depending on its size, the implementation of the remediation activities can take several weeks, if not months. It is crucial to plan periodic meetings to keep the team focused and to check the progress.

What’s next?

In the next articles, we will analyse the vulnerability management process and its implications for regulations like ISO27001 and PCI-DSS. In the meantime, we suggest reading our articles about CVSS and the Metasploit lab.

Network Scanning


Regardless of your motivations (attacker or defender), you need to know the ports, hosts and services available within a network.

From a defender’s point of view, the task is a precondition of several key procedures:

  • Asset Management – whoever manages the infrastructure (and its security) must know which devices are active and present within the infrastructure. Furthermore, it helps to detect unauthorised hosts that could derive from malicious activities (or, more commonly, from system administrators who forgot to document them… and maybe to apply the company’s hardening procedures). 
  • Network scanning is a fundamental step of a company vulnerability management procedure. Here is a non-comprehensive list of its possible benefits:
    • it allows the detection of unauthorized services and the presence of obsolete systems;
    • it helps to verify the correspondence between the specifications document and the actual implementation;
    • it helps to verify the correct application of the hardening procedures.
  • Penetration test – independently from the approach in use, it is necessary to determine the active hosts and the exposed services. You have to do it even in a white-box penetration test to confirm your client/colleagues inputs.

From an attacker point of view… Well, that goes without saying 🙂

The network scanning procedure aims to identify active hosts. On the other hand, port scanning seeks to detect the ports that hosts disclose and with which it is possible to interact. Starting from the output of a network/port scanning, an attacker, or a newly hired CISO, can outline different traits of a company security posture.

In this article we will see:

  • the different steps of a network scan;
  • some examples with the NMAP tool.

Host discovery

Port scanning involves sending several packets to a host and verifying its response. Usually, the analysis is restricted to the most common ports (nmap defaults to its top 1,000), depending on the available time and the final goal of the analysis. As you may expect, performing this task for all the hosts within a network/infrastructure is time-consuming and generates a lot of noise.

In most cases, only a tiny fraction of the IP addresses in a range are active at any given moment. To avoid wasting time, the tester first performs the host discovery phase to determine the active hosts in the tested networks and infrastructure.

There are several techniques:

  • ARP Ping scan;
  • ICMP Ping scan;
  • UDP Ping Scan;
  • TCP SYN/ACK Ping scan;
  • IP Protocol Ping scan.

As stated in the official documentation, the default NMAP host discovery strategy involves sending an ICMP echo request (-PE), a TCP SYN segment to port 443 (-PS443), a TCP ACK segment to port 80 (-PA80), and an ICMP timestamp request (-PP). This applies when nmap runs with raw-packet privileges; an unprivileged user only gets TCP connect attempts to ports 80 and 443.

ARP ping scans are the most effective method to detect active hosts inside a LAN. Their limitation is that ARP does not cross routers, so the technique cannot be applied to a subnet you do not belong to. Even if you supply other -P* options to NMAP, the tool performs by default an ARP/Neighbor Discovery against targets on a local Ethernet network, since it is the fastest and most reliable technique.

An ICMP scan consists of sending ICMP echo requests to the hosts on the network. If a host is active, it returns an ICMP echo reply. The technique has limited usability, as blocking ICMP echo requests is part of the basic hardening rules of firewalls and systems.

A TCP ping scan consists of sending a TCP segment to the hosts and analysing their response. There are two different modes: TCP SYN ping scan and TCP ACK ping scan.

TCP SYN SCAN

As illustrated in the figure, a TCP Syn ping scan consists of the following steps:

  1. The tester sends a TCP SYN segment to port 80.
  2. If the port is closed, the host responds with an RST segment.
  3. If the port is open, the host responds with a TCP SYN/ACK segment indicating that a connection can be established.
  4. Afterwards, an RST segment is sent to reset this connection.

Because it looks like a normal attempt to establish a TCP connection, the probe is usually allowed by firewalls that permit connections to that port. When nmap runs without raw-packet privileges it performs the same probe through a connect() call, so the technique does not require administrator permissions.

A TCP ACK ping scan instead consists of the following steps:

  1. The tester sends an empty TCP segment with the ACK flag set to port 80 (the nmap default port, but another port can be used).
  2. If the host is offline, it should not respond to this request.
  3. Otherwise, it will return an RST segment and will be treated as online. An RST is sent because the TCP ACK is not associated with any valid existing connection.

ACK ping scan requires raw-packet (administrator) privileges. A stateful firewall recognises that the ACK belongs to no established connection and drops it, so the technique is mainly useful against stateless filters that block only SYN segments. The related ACK scan (-sA) uses the same probe to map the filter configuration rather than to learn port status.


Port Scan

Once the active hosts within a network have been determined, a portscan can be performed to determine exposed ports and services.

Several techniques are available:

  • TCP Scan (Connect and Half Open Scan);
  • UDP Scanning;
  • SCTP Scanning;
  • SSDP Scanning.

Only the first two strategies will be considered. Please see the NMAP manual for additional information on SCTP and SSDP Scanning.

TCP Scan

With a TCP Connect scan, a full TCP connection is established with the host through the operating system’s connect() call, that is, the whole 3-way handshake is performed. It needs no special privileges, but every connection is visible to the application and ends up in its logs.

The least expensive and fastest variant, the TCP Half Open scan (TCP SYN scan, nmap’s default when run with raw-packet privileges), sends only the SYN segment. If a SYN/ACK is received, the port is identified as open and the scanner answers with an RST instead of completing the handshake; an RST means the port is closed; no answer (or an ICMP unreachable error) means it is filtered.

A third family, the TCP FIN, NULL and Xmas scans, manipulates the flags of the TCP segment (FIN only, no flags at all, or FIN+PSH+URG) in an attempt to induce a response that differs between closed and open ports.

These scans only work against operating systems whose TCP/IP implementation follows RFC 793 to the letter. They do not work against Windows systems, for example, which return an RST whether the port is open or closed.

SEGMENT ARRIVES

    If the state is CLOSED (i.e., TCB does not exist) then all data in the incoming segment is discarded. An incoming segment containing a RST is discarded. An incoming segment not containing a RST causes a RST to be sent in response. The acknowledgment and sequence field values are selected to make the reset sequence acceptable to the TCP that sent the offending segment.

RFC 793

If the port is open (or the probe is dropped by a filter), the system produces no response, while a closed port answers with an RST/ACK segment. Since silence is ambiguous, nmap reports such ports as open|filtered.

To understand the origin of the name, just look at the image below. Nmap’s -sX flag “Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.”

UDP scan

UDP has no handshake. If a UDP datagram is sent to a port on which no service is listening, the system responds with an ICMP Port Unreachable message, so the port is closed. If there is no answer, an open service that ignores the payload cannot be told apart from a firewall that drops the probe: nmap reports the port as open|filtered. A reply from the service (which nmap tries to elicit with protocol-specific payloads for common ports) marks it open. UDP scans are therefore slow and ambiguous, also because many systems rate-limit ICMP error messages.
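The port states discussed in the TCP and UDP sections above, and the connect-based probe that unprivileged nmap host discovery falls back to, can be reproduced with ordinary sockets. The following Python is an added example, not nmap and not code from the original article: it scans 127.0.0.1 (an assumed target) with a connect scan and a UDP probe, starting throwaway listeners only so the scan has something to find. It needs no raw-packet privileges, which is exactly why it cannot do SYN, ACK, FIN or Xmas probes.

```python
"""TCP connect and UDP probes against the local host, showing open / closed / filtered logic."""
import socket
import threading

HOST = "127.0.0.1"  # assumed target: the local machine


def start_tcp_listener():
    """Throwaway TCP service on an ephemeral port; returns (port, server socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(5)
    return srv.getsockname()[1], srv


def start_udp_echo():
    """Throwaway UDP echo service on an ephemeral port; returns (port, server socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((HOST, 0))

    def serve():
        while True:
            try:
                data, peer = srv.recvfrom(1024)
            except OSError:          # socket closed by the caller: stop serving
                return
            srv.sendto(data, peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def unused_port(udp=False):
    """A port with nothing bound to it: bind to port 0, read the number, release it."""
    kind = socket.SOCK_DGRAM if udp else socket.SOCK_STREAM
    s = socket.socket(socket.AF_INET, kind)
    s.bind((HOST, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def tcp_connect_state(host, port, timeout=1.0):
    """Connect scan: the full three-way handshake through connect().
    SYN/ACK (connect succeeds) -> open; RST (ECONNREFUSED) -> closed; silence -> filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:                  # timeout or unreachable: the probe was dropped
        return "filtered"
    finally:
        s.close()


def udp_probe_state(host, port, timeout=1.0):
    """UDP has no handshake. A reply -> open; ICMP port unreachable, which the kernel
    surfaces as ECONNREFUSED on a connected UDP socket -> closed; silence -> open|filtered,
    because a service that ignores the payload and a firewall that drops it look the same."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(b"probe")
        s.recv(1024)
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:                  # timeout: no datagram and no ICMP error came back
        return "open|filtered"
    finally:
        s.close()


def scan_tcp(host, ports, timeout=1.0):
    """Map each port to its connect-scan state."""
    return {p: tcp_connect_state(host, p, timeout) for p in ports}


if __name__ == "__main__":
    tcp_port, tcp_srv = start_tcp_listener()
    udp_port, udp_srv = start_udp_echo()
    print("tcp:", scan_tcp(HOST, [tcp_port, unused_port()]))
    print("udp open:", udp_probe_state(HOST, udp_port))
    print("udp closed:", udp_probe_state(HOST, unused_port(udp=True)))
    tcp_srv.close()
    udp_srv.close()
```

Run it against a remote host behind a firewall that drops rather than rejects, and the TCP results turn into "filtered" while the UDP results turn into "open|filtered": the same silence the text describes, which is why a UDP scan of a hardened host takes so much longer than a TCP one.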

Countermeasures

To detect and prevent network scanning attempts, we suggest the following countermeasures:

  • carefully design your services to reduce your attack surface, exposing only the necessary ones and always keeping in mind the principles of least privilege and need to know;
  • configure your firewalls to block all traffic that has no business justification;
  • periodically review your firewall ruleset to keep it aligned to your business needs;
  • harden your servers, disabling all unused services;
  • perform network and port scans yourself to verify that your firewall and server policies match your business needs;
  • configure an IDS/IPS to promptly detect network and port scans.

Footprinting


The first step in a cyberattack, or a penetration test, is footprinting. The attacker/analyst tries to get information about the targeted infrastructure. Thanks to footprinting techniques, attackers can obtain information such as:

  • personal data, skills, experience and interests of company’s employees;
  • company headquarters;
  • technologies in use (middleware, operating systems);
  • suppliers and consultants who collaborate periodically with the company;
  • blocks and network topology;
  • DNS records.

We can divide footprinting techniques into two macro areas:

  • active: it involves the collection of information through direct interaction with the target. It is riskier than the passive approach, as it can leave traces: the systems of the targeted organisation could (and should) detect the information-gathering attempt. Some examples of active footprinting are the use of web spiders, email tracking, traceroute and social engineering techniques.
  • passive: it involves the collection of information without direct interaction with the target. Some examples are the use of search engines, social networks, job posting sites, and the analysis of data from providers that monitor the target’s website traffic or commercial performance, or that publish reports about its future commercial operations.

Identifying the technologies adopted by the target drastically simplifies the attacker’s job. Knowing that certain technologies are in use, that good security practices are missing, or that the security posture is poor increases the attacker’s chances of success.

In a penetration test where the company wants to assess the chances of success of an attacker with no prior relationship to the organization, footprinting activities heavily influence the outcome of the test.

Footprinting with search engines and social networks

Search engines offer a myriad of information to the attacker. The advanced search operators available in Google, Bing and other search engines reveal information that companies are not even aware of exposing to the public.

The technique, combined with the most used search engine, has taken the name of Google Hacking. For more information, you can consult our article about the Google Hacking Database.

Through search engines, an attacker gets to know the technologies in use (web servers, firewalls, IDS, WAF, third-party applications), IoT devices, applications meant for internal use only and much more about the target.

Like search engines, social networks provide an enormous quantity of information to attackers.

An attacker can dig through LinkedIn to understand who the key people of the organization are and what their experience and knowledge are. You can get to know their interests, their religious and political beliefs, their weaknesses. Afterwards, the attacker can exploit the gathered information to perform a social engineering attack.

Tools like theHarvester and Sublist3r simplify the attacker’s job, reducing the manual work.

Footprinting through job posting sites

The following image shows the information revealed by a job advertisement post. The job post is real; I found it on the platform indeed.com.

The company is looking for an IT System Administrator with knowledge of Linux and Solaris. They even mention the Linux distribution names and the Solaris release version. You can bet they have some LAMP servers, that they probably monitor their infrastructure using Nagios and that they use Oracle and DB2 as RDBMS. Their infrastructure may include J2EE containers like GlassFish and JBoss and servlet containers like Tomcat. Even though Windows XP and Windows 7 reached end of life over 5 and 2 years ago respectively, they are still asking for people with experience on them.

You are getting information not only about the technologies in use, but you are also outlining the security posture of the company.

Job posts can tell you a lot more. Are they searching for IT security specialists? Besides the tools and countermeasures adopted, they may even tell you how big their security team is. Are they even trying to fill important roles like CIO or CISO?

Tools and services:

We suggest looking at the following tools, for which we wrote a brief description: Sublist3r, theHarvester, Shodan, Sherlock, Burp Suite, Metagoofil, ExifTool, DNSRecon, traceroute.

Countermeasures

Your employees’ and colleagues’ awareness of attackers’ behaviour and techniques is fundamental for your company’s safety. Every company must adopt a security awareness policy to inform its employees about the security risks they are exposed to, inside and outside the office.

The adoption of security policies (hardening of the systems, analysis and review of IDS/IPS and other monitoring tools, etc.), together with the definition of roles and responsibilities, will allow a company to quickly detect and react to attackers’ attempts to gather information, or to exploit the knowledge they previously gained through passive footprinting techniques.
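As an added example of the monitoring the countermeasures above call for (not code from the original article), this Python snippet flags clients in a web access log whose behaviour looks like an active footprinting web spider: a burst of requests to many distinct paths, most of them answered with 4xx, or starting with a fetch of /robots.txt. The log lines are constructed and use an assumed simplified format (ip, ISO time, method, path, status); the thresholds are assumptions to tune for your own traffic.

```python
"""Flag spider-like clients in web access logs (constructed sample, simplified format)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines: ip, ISO timestamp, method, path, status (not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.8 2024-05-01T09:00:00 GET /robots.txt 200
203.0.113.8 2024-05-01T09:00:00 GET /admin/ 404
203.0.113.8 2024-05-01T09:00:01 GET /backup/ 404
203.0.113.8 2024-05-01T09:00:01 GET /test/ 404
203.0.113.8 2024-05-01T09:00:02 GET /old/ 404
203.0.113.8 2024-05-01T09:00:02 GET /dev/ 404
203.0.113.8 2024-05-01T09:00:03 GET /server-status 403
203.0.113.8 2024-05-01T09:00:03 GET /sitemap.xml 200
198.51.100.4 2024-05-01T09:00:10 GET / 200
198.51.100.4 2024-05-01T09:00:12 GET /products 200
198.51.100.4 2024-05-01T09:01:30 GET /products/42 200
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

def parse_access(log_text):
    """Yield (ip, timestamp, path, status) for well-formed lines; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], datetime.fromisoformat(m["ts"]), m["path"], int(m["status"])

def flag_spiders(log_text, min_paths=6, max_interval=timedelta(seconds=10), error_ratio=0.5):
    """Return {ip: stats} for clients that requested at least `min_paths` distinct paths
    in one burst (gaps <= max_interval) and either mostly received 4xx responses or
    fetched /robots.txt; both are typical of crawlers/spiders rather than people."""
    by_ip = defaultdict(list)
    for ip, ts, path, status in parse_access(log_text):
        by_ip[ip].append((ts, path, status))
    flagged = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        burst = []                                  # consecutive requests with small gaps
        for req in reqs:
            if burst and req[0] - burst[-1][0] > max_interval:
                burst = []                          # gap too long: start a new burst
            burst.append(req)
            paths = {p for _, p, _ in burst}
            errors = sum(1 for _, _, s in burst if 400 <= s < 500) / len(burst)
            robots = "/robots.txt" in paths
            if len(paths) >= min_paths and (errors >= error_ratio or robots):
                flagged[ip] = {"paths": len(paths), "error_ratio": round(errors, 2), "robots": robots}
    return flagged
```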

Black Hat, White Hat, Gray Hat, Script Kiddies – Who are they?

Read Time:2 Minute, 3 Second

The term hacker often takes on a negative connotation. 

In the past, we often focused on the distinction between a hacker, a person with deep security knowledge who explores technologies, systems and related vulnerabilities out of pure passion, and a cracker, the “malicious” counterpart, who uses their knowledge to cause damage and steal data of a certain value (for example, credit cards).

RFC1392 provides the following definitions:

   hacker

      A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. The term is often misused in a pejorative context, where “cracker” would be the correct term.

   cracker

      A cracker is an individual who attempts to access computer systems without authorization. These individuals are often malicious, as opposed to hackers, and have many means at their disposal for breaking into a system.

Unfortunately, the media have never bothered to understand the distinction and, for the masses, there is no difference between crackers and hackers.

In our opinion, here is the correct terminology to be used in the security sector:

Black hats (Crackers)

Crackers, or black hats, have got extraordinary computing skills but they lack ethics. They may violate laws by committing malicious or destructive acts.

Script Kiddies

An unskilled cracker who compromises systems using tools, scripts and software developed by others.

White Hats (Ethical Hacker)

An individual who uses their hacking skills for defensive purposes.

They analyse computer systems or networks to detect security issues and give recommendations for improvement to their owners.

A white hat will penetrate a system only with the authorisation of, and upon request by, the infrastructure owner.

Gray Hats

Gray hats use their skills both offensively and defensively. 

They often look for system vulnerabilities without the owner’s permission or knowledge. If they find a security issue, they may disclose it to the owner upon payment of a small fee. Sometimes, their ultimate goal is to show off their skills and create awareness of the intrinsic insecurity of the Internet.

It may be useful to know some additional terms. State-sponsored hackers are employed by a government to penetrate other governments’ systems in order to cause damage or obtain top-secret information. You have surely heard of cyber terrorists: individuals moved by political or religious beliefs to create fear among civilians and influence the policies of the targeted governments.