Chapter 5: Vulnerabilities and Impacts
Vulnerable Business Processes
A situation in which an attacker manipulates commonplace actions that are routinely performed; also called business process compromise. A common form of fraud is to send an invoice to an organization for goods or services that were not provided, typically for something common like office supplies. Failure to properly validate this invoice could cause financial loss for the company.
Race Conditions
A race condition is an error condition that occurs when the output of a function is dependent on the sequence or timing of the inputs. It becomes a bug when the inputs do not happen in the order the programmer intended. These conditions can occur in multithreaded or distributed programs when the sequence or timing of processes or threads is important for the program to operate properly. The impact of a race condition is usually the failure of a system in the form of a crash. These can mitigated with reference counters, kernel locks, and thread synchronization. Race conditions can be used for privilege escalation and DoS attacks. Programmers can use the above mitigation techniques.
Improper Certificate and Key Management
Certificates are the most common method of transferring and managing cryptographic keys between parties. Improper certificate management can lead to key problems and cryptographic failures. Failure to properly validate a key may result in using an expired or compromised key. Improper key management can result in failure to secure data.
Architecture/Design Weaknesses
Deficiencies/Issues due to poor design that result in vulnerabilities and increased risk in a systematic manner. These are not easily corrected without addressing the specific architecture or design vulnerability that created them in the first place. An example would be employing a flat network without any segmentation or separation of different traffic types.
DLL Injection
Dynamic Link Libraries (DLLs) are pieces of code that can add functionality to a program through the inclusion of library routines at run time. DLL injection is the process of adding to a program at run time a DLL that has specific vulnerability of function that can be capitalized by the attacker. Adding an "evil" DLL in the correct directory, or via a registry key, can result in "additional functionality" being incurred.
Undocumented Assets
Undocumented assets means that the specific assets are not necessarily included in plans for upgrades, security, etc.
Pointer Dereference
A programming practice that uses a pointer to reference a memory area. A failed dereference operation can corrupt memory and sometimes even cause an application to crash. Some computer languages use a construct referred to as a pointer, a variable that refers to the memory location that holds a variable opposed to the value in the memory location. Pointers can be very powerful and allow fast operations across a wide range of structures, but can be very dangerous too.
Weak Cipher Suites and Implementations
A common vulnerability in systems is the use of weak encryption technologies/cipher suites or protocols. Weak cipher suites are those that were at one time considered secure, but are no longer secure. A common example of this would be using SSL instead of TLS. Choosing to develop your own cryptographic algorithm is another common cause of cryptographic errors. Secret or proprietary algorithms have never provided the desired level of protection.
Lack of Vendor Support
A lack of vendor support can become an issue at several different levels like; The vendor reaches end-of-life with the product. The system was installed by a 3rd party who no longer supports the system or has gone out of business.
Improperly Configured Accounts
Accounts form the basis for access control, which leads to the list of allowed actions via an access control list (ACL). Improperly configured accounts can lead to improper allowances via ACLs. If a user account ends up in the wrong group, the user may receive permissions that are inappropriate for that user, or even worse a compromise. Linux system administrators do not log in as root as an incorrect command could result in catastrophic failure. Forcing them to use the "su" command (to switch from one account to another; switching to the root account requires a password) acts as a reminder of the actions being performed. With Windows it is a good idea to limit the use of local admin accounts, or use mitigating actions to ensure they can't be used to gain domain admin access.
Resource Exhaustion
All systems are defined as a process that creates specific outputs as a result of a defined set of inputs. Resource exhaustion is the state where a system does not have all of the resources it needs to continue to function. Two common resources are capacity and memory. If a system has more TCP SYN requests than it can handle, it fails to complete handshakes and enable additional connections. If a program runs out of memory, it will fail to operate correctly.
Memory Leak
An undesirable state in which a program requests memory but never releases it, which can eventually prevent other programs from running. (Creating but never deleting) Memory leaks are programming errors caused when a computer program does not properly handle memory resources. If the program that runs for a long period of time does not clean memory resources as they are no longer needed, it can grow in size and could result in the following: Consuming system resources Causing a system to crash Returning improper values
Buffer Overflow Attacks
Buffer overflow attacks are input validation attacks, designed to take advantage of input routines that do not validate the length of inputs. The proper mitigation for these is proper input validation and proper coding practices.
Embedded Systems
Embedded systems are systems that are included within other systems. This term may apply to stand-alone, single-purpose systems, or some component or module of a larger system. Older versions of Linux and software libraries have known vulnerabilities. When these programs are part of an embedded system, if they are not updated/patched, they can bring hidden vulnerabilities into the overall system.
End-of-Life Systems
End-of-Life is defined when the system has reached a point where it can no longer function as intended. After software has reached end-of-life and the original vendor no longer supports it with updates and patches, security becomes an issue because the vendor will no longer fix newly discovered vulnerabilities. Systems, hardware, or software that is not longer supported by the vendor are known as end-of-life and are vulnerable to exploit.
Improper Error Handling
Improper error handling can lead to a wide range of disclosure: Errors associated with SQL can disclose data structures and data elements. RPC (Remote Procedure Call) errors can give up sensitive information such as filenames, paths, and server names. Programmatic errors can disclose line numbers that an exception occurred on, the method that was invoked, and information such as stack elements.
Improper Input
Improper input handling is the number one cause of software vulnerabilities. If users have the ability to manipulate input it may result in the system being compromised. Proper input validation and coding practices can mitigate these vulnerabilities.
Integer Overflow
Integer overflow is a programming error condition that occurs when a program attempts to store a numeric value, an integer, in a variable that is too small to hold it. These can lead to significant logic errors in a program. Integer overflows are easily tested for using a static code analyzer to point out where they are likely to occur.
System Sprawl
System sprawl is when systems expand over time, adding elements and functionality, and over time the growth and change exceed the documentation. Basically, as time passes, an enterprise may lose the ability to properly manage all of the systems, devices, software, and data assets that have accumulated.
Untrained Users
Untrained users are users who do not know how to operate a system properly due to a lack of training. They typically are less efficient and also add risk to a system by not using designed-in mitigations, in essence bypassing controls designed to reduce risk. Training users how to properly use their tools, including general security items such as policies and social engineering is essential.
Misconfiguration/Weak Configuration
When a system suffers from misconfiguration or weak configuration/isn't set up correctly, it may not achieve all of the desired performance or security objectives. Misconfigurations can result from omissions, such as when an administrator does not change default credentials. Default configuration is the configuration that a system enters upon start, upon recovering from an error, and at times when operating. Failure to address this vulnerability may result in an attacker gaining entry and advancing their level of privilege.
Memory/Buffer Vulnerability
When computer programs take inputs for a variable, they are put into buffers in memory. When the program needs to reference these variables, it uses the memory location to obtain the value. "Type safe" programming languages verify the length of an input before assigning it to the memory location, while others rely on the programmer to handle this task. If this task is not properly performed, it may result in the ability to overwrite the allocated area in memory and should be considered a memory/buffer vulnerability.
Zero Day/New Threats
Zero day is a term used to define vulnerabilities that are newly discovered and not yet addressed by a patch. From the time of discovery until a fix or patch is made available, the vulnerability goes by the name zero day. Example: A user clicking on an email link that led to a website that infected the workstation with a virus. The virus encrypted all the network shares to which the user had access. The virus was not detected or blocked by the email filter, website filter, or antivirus.