CYSA+ Chapter 5: Analyzing Vulnerability Scans
Privilege Escalation
Privilege escalation attacks seek to increase the level of access that an attacker has to a target system. They exploit vulnerabilities that allow the transformation of a normal user account into a more privileged account, such as the root superuser account. The Linux kernel vulnerability dubbed Dirty COW is an example of such an exploit.
CVSS metrics - Availability Metric
Availability Metric: describes the type of disruption to availability. None (N); Low (L): degraded performance; High (H): completely shut down.
CVSS metrics - Attack Vector Metric and Attack Complexity Metric
Attack Vector Metric: describes how an attacker would exploit the vulnerability. Physical (P); Local (L); Adjacent Network (A); Network (N). Attack Complexity Metric: describes the difficulty of exploiting the vulnerability. High (H); Low (L).
Interpreting the CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network (score: 0.85); Attack Complexity: Low (score: 0.77); Privileges Required: None (score: 0.85); User Interaction: None (score: 0.85); Scope: Unchanged; Confidentiality: High (score: 0.56); Integrity: None (score: 0.00); Availability: None (score: 0.00)
Cross-Site Scripting (XSS)
The attacker embeds scripting commands on a website that will later be executed by an unsuspecting visitor accessing the site. The idea is to trick a user visiting a trusted site into executing malicious code placed there by an untrusted third party.
VM Escape
The attacker has access to a single virtual host and then manages to leverage that access to intrude on the resources assigned to a different VM on the same hypervisor.
DNS amplification
The attacker sends spoofed DNS requests to a DNS server that are carefully designed to elicit responses that are much larger in size than the original requests, so the server floods the spoofed source address with traffic.
Man-in-the-Middle
Man-in-the-middle attacks occur when an attacker is able to interfere in the communication flow between two systems.
Buffer Overflows
Buffer overflow attacks occur when an attacker manipulates a program into placing more data into an area of memory than is allocated for that program's use.
Session Hijacking
Session hijacking focuses on taking over an already existing session, either by acquiring the session key or cookies used by the remote server to validate the session, or by causing the session to pass through a system the attacker controls, allowing them to participate in the session. Protecting the session key or cookie that an attacker needs to acquire to hijack the session, either by encrypting network sessions or links, or by protecting it on the local system, can help limit opportunities for session hijacking.
Virtual Guest and Virtual Network Issue Remediation
Guest operating systems and applications running on the guest OS must be promptly patched to correct security vulnerabilities. Virtual firewalls should be used to control the flow of information between systems.
Rootkits
Rootkits are hacking tools designed to automate privilege escalation attacks. An attacker who gains access to a normal user account may use a rootkit to exploit a vulnerability and perform a privilege escalation attack, seeking to gain administrative privileges.
Password Reuse
Impersonation attacks occur when an attacker takes on the identity of a legitimate user. Security issues such as OAuth open redirects can allow impersonation to occur.
Other data sources to reconcile scan results with
- Logs from servers, applications, network devices, and other sources that might contain information about possible attempts to exploit detected vulnerabilities
- Security information and event management (SIEM) systems
- Configuration management systems that provide information on the operating system and applications installed on a system
Cause of internal IP Disclosure
NAT servers that are not properly configured may leak their private IP addresses to remote systems.
Vulnerability Scan Report Sections
- Name of the vulnerability
- Overall severity (Low, Medium, High, Critical)
- Solution
- References (links or more details)
- Output (detailed information returned when probed)
- Ports/Hosts
- Vulnerability information
- Risk information (usually CVSS scores)
IoT - Controller Area Network bus (CAN bus)
CAN bus networks are specialized networks designed to facilitate communication between embedded systems without the overhead of a TCP/IP network.
Injection attacks
Injection attacks occur when an attacker is able to send commands through a web server to a backend system, bypassing normal security controls and fooling the backend system into believing that the request came from the web server. The most common form of this attack is the SQL injection attack. Injection can also happen with Extensible Markup Language (XML) documents and Lightweight Directory Access Protocol (LDAP) queries.
CVSS metrics - Privileges Required Metric
Privileges Required Metric: describes the type of account access that an attacker would need to exploit the vulnerability. High (H): administrative account; Low (L): user account; None (N): no authentication required.
IoT - Field-programmable gate arrays (FPGAs)
FPGAs are computer chips that allow the end user to reprogram their function, making them quite useful for embedded systems.
IoT - Embedded systems
Embedded systems are computers integrated into the operation of another device, such as a vehicle, camera, or multifunction printer.
CVSS metrics - Confidentiality Metric
Confidentiality Metric: describes the type of information disclosure that might occur if an attacker successfully exploits the vulnerability. None (N); Required (R).
Management Interface Access (For VM's)
The management interface for a virtual infrastructure is used to configure the virtualization environment, set up new guest machines, and regulate access to resources. This interface is extremely sensitive from a security perspective, and access should be tightly controlled to prevent unauthorized individuals from gaining access.
Ways to protect from SQL injection
The two best ways to protect against SQL injection attacks are input validation and the enforcement of least privilege restrictions on database access.
Insecure Cipher Use
When a client and server wish to communicate using SSL/TLS, they exchange a list of ciphers that each system supports and agree on a mutually acceptable cipher. Some ciphers, such as RC4, contain known vulnerabilities.
Negative report
When a scanner reports that a vulnerability is not present. The negative report may either be accurate (a true negative report) or inaccurate (a false negative report).
Positive report
When a vulnerability scanner reports a vulnerability. This report may either be accurate (a true positive report) or inaccurate (a false positive report).
Web Application Vulnerabilities
- Injection attacks
- Cross-Site Scripting
- Directory Traversal
- Authentication Vulnerabilities
Certificate Problems
- Mismatch between the name on the certificate and the name of the server
- Expiration of the digital certificate
- Unknown Certificate Authority (CA)
Network Vulnerabilities
- Missing Firmware Updates
- SSL and TLS Issues
- Outdated SSL/TLS Versions
- Insecure Cipher Use
- Certificate Problems
Common Vulnerabilities
- Missing Patches
- Mobile Device Security
- Unsupported OS and Apps (End of Life)
- Buffer Overflows
- Privilege Escalation
- Arbitrary Code Execution
- Insecure Protocol Use
- Debugging Modes
Integer overflow
A variant of a buffer overflow where the result of an arithmetic operation attempts to store an integer that is too large to fit in the specified buffer.
IoT - system on a chip (SoC)
An SoC is an entire embedded system packaged onto a single chip, often including a processor, memory, networking interfaces, and power management on the chip.
Debugging Modes
Debug mode typically provides detailed information on the inner workings of an application and a server, as well as supporting databases. Although this information can be useful to developers, it can inadvertently assist an attacker if left enabled in production.
Common Vulnerability Scoring System (CVSS)
CVSS is the industry standard for assessing the severity of security vulnerabilities. It provides a technique for scoring each vulnerability on a variety of measures.
CVSS metrics - Integrity Metric
Integrity Metric: describes the type of information alteration that might occur if an attacker successfully exploits the vulnerability. None (N): no integrity impact; Low (L): attacker has no control over what is modified; High (H): total compromise.
Insecure Protocol Use
Older protocols such as Telnet and FTP fail to use encryption to protect usernames, passwords, and the content sent over an open network, exposing the users of the protocol to eavesdropping attacks.
Outdated SSL/TLS Versions
Outdated versions of SSL and TLS may be subject to eavesdropping attacks. Support only newer protocols, such as TLS version 1.2.
Cross-site scripting attacks arise in three different forms:
Persistent XSS attacks occur when the attacker is able to actually store the attack code on a server. This code remains on the server, waiting for a user to request the affected content. These attacks are also known as stored XSS attacks.
Reflected XSS attacks occur when the attacker tricks a user into sending the attack to the server as part of a query string or other content. The server then sends the attack back to the user (reflecting it), causing the code to execute.
Document Object Model (DOM)-based XSS attacks occur within a database maintained by the user's web browser. These attacks are particularly insidious because they occur entirely on the user's computer and are never seen by the remote web server.
CVSS metrics - Scope Metric
Scope Metric: describes whether the vulnerability can affect system components beyond the scope of the vulnerable component. Unchanged (U); Changed (C).
IoT - Real-time operating systems (RTOSs)
RTOSs are slimmed-down operating systems designed to work quickly on IoT devices in a low-power environment.
IoT - Programmable logic controllers (PLCs)
PLCs are specialized hardware controllers designed to operate in an IoT environment. PLCs often use a specialized communication protocol called Modbus to communicate with sensors and other IoT components over wired serial interfaces.
Buffer Overflow Targeted Memory
Stack overflows target the stack, which stores variable values and is managed by the operating system. Heap overflows target the heap, which stores objects created by code and must be managed by application developers.
CVSS metrics - User Interaction Metric
User Interaction Metric: describes whether the attacker needs to involve another human in the attack. None (N); Required (R).
Arbitrary code execution
Arbitrary code execution vulnerabilities allow an attacker to run software of their choice on the targeted system. Remote code execution is a subset of arbitrary code execution in which the attacker can exploit the vulnerability over a network connection without having physical or logical access to the target system.
