23 September 2017
Critical Vulnerabilities are
- exploitable from the network (Access Vector: Network),
- require only low or medium skills to exploit (Access Complexity: Low or Medium),
- require no authentication (Authentication: None),
- cause great damage (Severity: High), and
- allow remote attackers to execute arbitrary code on the victims’ computer
Among the vulnerabilities with CVSS vector (AV:N/AC:L/Au:N) or (AV:N/AC:M/Au:N) which cause great damage the last property makes the difference.
The infographic below shows that the number of critical vulnerabilities (320) is very small compared to the total number of vulnerabilities in 2016.
Nevertheless, immediate action is required because the reach of attacks is technically unlimited if critical vulnerabilities can be exploited.
Once an attacker has exploited a critical vulnerability in the DMZ he is able to execute arbitrary code on this computer. With this, he can probe the network for other computers with critical vulnerabilities or leverage Windows built-in weaknesses, configuration issues, and tools to explore the network until he finally gets to a computer which has a connection across a firewall to the company network.
Both, NotPetya and WannaCry exploited critical vulnerabilities. While WannaCry was just annoying, NotPetya caused multi-million dollar damage in companies across the world.
The TEAM approach for handling risks shows the direction for dealing with critical vulnerabilities.
Transfer: No insurer will take the risk because in the case of a critical vulnerability on a server in the DMZ both the probability of occurrence and the impact are high.
Eliminate: Is not possible, because this will result in loss of business.
Accept: No option because the probability of occurrence and the impact are high.
Mitigate: Patching is the only possible response in this case. Isolation of the system from the network will result in loss of business.
Under normal conditions, patches are available at the time of disclosure.
Rule: Critical vulnerabilities should be patched faster than exploits show up on the market.
With this, immediate action is required because very often exploits are available yet at the time of disclosure. In addition, we cannot expect that only ethical hackers publish vulnerabilities.
In the Equifax attack the critical vulnerability CVE-2017-5638 in the Apache Struts framework was used. A patch was available at the time of disclosure but apparently not applied.
Patching the Apache Struts framework is a challenging job.
Firstly, it is a challenge to identify the systems with the vulnerable framework installed.
Secondly, patches must be carefully tested prior implementation to avoid business loss.
Finally, the patches must be implemented manually because automated patch management is not available.
Thus, an up-to-date asset repository, a current QA system, and actual automated test routines are required to get the job done in the required short time frame.
To be honest, the Equifax attack remains a mystery for me. The IT shop of a billion dollar company should be able to deal with critical vulnerabilities in the required short time. Perhaps someone simply underestimated the risk.
For more details on the Equifax attack see Steven Bellovin’s post Preliminary Thoughts on the Equifax Hack published at CircleID.
Have a great weekend.