In discussions and meetings with other information security professionals, I hear a lot of misinformation. I’m a geek and like to be more precise, rather than less. The use of the term vulnerability is a special pet-peeve of mine. The core of information assurance is making sure you don’t have serious vulnerabilities. So, what exactly is a vulnerability? Let’s get it straight.
I sort of like the definition offered by Mitre and their Common Vulnerabilities and Exposures: An information security “vulnerability” is a mistake in software that can be directly used by a hacker to gain access to a system or network. This means that a vulnerability is a means of illicit access. And through this access, an evil person could violate confidentiality, integrity or availability.
It’s like saying I was robbed by an unlocked door.
A vulnerability does not define an illicit action, like stealing passwords, destroying files or modifying data. Rather, it focuses on a flaw that may allow access. An exploit is a tool or technique that takes advantage of a vulnerability. It gains access and does the damage. If you leave your front door unlocked, you are vulnerable to stuff being stolen. Unlocked door = vulnerability. Robber = Exploit. Thus, my inner geek rails when I hear someone say “We were hit by the XYZ vulnerability.” No, you were hit by an exploit. It’s like saying I was robbed by an unlocked door.
One more little thing. That site was Common Vulnerabilities and Exposures. An exposure involves allowing access to information that could be used to discover vulnerabilities. Mitre defines an exposure as “An information security “exposure” is a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network.” An example of this would be grabbing the header from a Web server.
The information above was gained using Wireshark to capture a browser connecting to a Web site. We see that the server was running Microsoft IIS, version 6.0. If you are an attacker, this would be good preliminary information. However, it is not momentous enough to allow the Russian mafia in to pillage and plunder. Yet, it is useful reconnaissance.
It would be good to rid your self of exposures, but it may not be possible. Many exposures are not fixable. If you are running a Web server for the public, it is not really possible to hide that fact.
The greatest thing about CVE is the standardized name. Years ago, before CVE came into being in 1999, vulnerabilities had arbitrary names. Every researcher and security company that discovered a vulnerability made up a name for it. Thus, one vulnerability scanner might call its discovery the “Windows NETAPI buffer overlow”. Another scanner could call the same issue the “SMB Remote Code Execution Technique”. Both might refer to the same thing. But you wouldn’t immediately know if your scanners had discovered one vulnerability with two names, or two unique vulnerabilities.
It’s like a Social Security Number for vulnerabilities.
CVE solves this problem. This database is a central registry for vulnerability naming and information. It’s like a Social Security Number for vulnerabilities. Let’s look at an entry in CVE. Below, we see an entry in their database for an Adobe Flash Player issue.
This identifies a specific flaw in Adobe Flash Player. The entry assigns an ID: CVE-2012-0779. They all have a prefix of CVE. The 2012 means the issue was reported in the year 2012. The problem could date back years. The value 0779 is roughly a serial number. The serial number is not purely incremental. So, this is not the 779th vulnerability of the year. The truth is that major software vendors have whole blocks of numbers pre-assigned. Microsoft gets a block of numbers, as do Adobe, Oracle and others.
Next, we have the description. This generally provides detailed information on which versions of the software are vulnerable and an overview of the flaw. Notice that the version information is quite detailed. It tells also you a bit about the potential impact, should someone take advantage of the vulnerability. With the version information, you could go into Flash Player, choose Help > About, and determine for yourself whether you were vulnerable.
CVE does not directly publish exploit information. Remember, an exploit is something else entirely. Mitre’s goal is to publish the information necessary to identify flaws, not teach us how to perform exploits. Interestingly, you will often find links to sites that have exploit information. So, there is a little wiggle room in that no exploits rule.
Be careful. CVE has mistakes.
CVE is a great resource, but it is not perfect. The whole world regards CVE as the fountainhead of vulnerability knowledge. But, here is a shocking statement: not everything you read on the Internet is true. Be careful. CVE has mistakes. The mistakes are few, but you should know CVE is imperfect. The most common type of mistake is the vulnerable version numbers. I’ve seen plenty of cases where CVE has mixed up the difference between less than and less than or equal to. For example, CVE might say that a vulnerability affects the XYZ application, versions less than 1.2.3. But, in reality, vulnerable version include 1.2.3. It’s always good to verify information with other sources.
Mitre does not have a monopoly on identifiers and vulnerability information. You can cross-check information and learn more with other resources.
All of these cross-reference their IDs and bulletins with CVE-IDs.
Whether you work at a Help Desk, vulnerability assessment or are a pen tester, this is all key information. Knowing if your systems are at risk is important. It starts with understanding and using the right terms. While mixing up the terms vulnerabilities and exploits happens, it’s best to be accurate. Even referring to a vulnerability has its issues. CVE is the universal name. CVE entries can tell give you a name, description and severity information. This helps you decide how much risk you face. But, it’s not the sole panacea of truth. It has mistakes. Fortunately, there are plenty of other resources.
If you are interested in vulnerability scanning and assessment, the course Vulnerability Assessment includes this topic.