Tag Archives: CVE-2017-5638

Mean Time to Hardening: The Next-Gen Security Metric falls short in tackling the patching problem

12 January 2020

In report “Mean Time to Hardening: The Next-Gen Security Metric”,(1) published at 12/30/2019 on ThreatPost, Richard Melick proposes a new metric MMTH (Mean time to Hardening) to tackle the patch problem. I like the 24/72 MTTH approach. But when it comes to attacks of APTs on critical infrastructures this approach is from my point of view not effective.

Let me illustrate this with an example. CVE-2017-5638, a remote command execution vulnerability in the Apache Struts framework, was used in the Equifax attack (2) in 2017. In the case of remote command execution vulnerabilities, especially if the systems are operated in the DMZ, the 24/72 MTTH approach is the best strategy to survive. But let us look on the timeline.

NVD Exploit-DB Exploit-DB
CVE-2017-5638 EDB-ID 41570 EDB-ID 41614
Published NDV Published Exploit-DB Published Exploit-DB
3/11/2017 3/7/2017 3/15/2017

Exploit 41570 was published 4 days before the CVE was published. The 24/72 MTTH strategy will fail in this case. Exploit 41614 was published 4 days after the CVE was published, so the 24/72 MTTH strategy is successful.

Figure 1

Figure 1

This is not an isolated case. Between 2013 and 2019 56% of the exploits were published before or at the same day the vulnerability was published in the NVD. For mapping the exploits in the Exploit-DB to the CVEs the NVD reference map for the Exploit-DB (3) is used. Figure 2 shows the details in the range 30 days before and after the CVE publication date.

Figure 2

Figure 2

Figure 3

Figure 3

34% of the exploits for Remote Code/Command Execution (RxE) vulnerabilities like CVE-2017-5638 or CVE-2017-0144 (WannaCry) were published before or at the same day the vulnerability was published. Figure 4 shows the details. RxEs are selected from the NVD as follows: CVSS V2.0: Attack Vector: Network, Attack Complexity: Low + Medium, Authentication: None, Loss of Integrity: Complete, Keywords “remote code execution” or “exec arbitrary”.

Figure 4

Figure 4

So, the 24/72 MMTH approach falls short if the exploit is published before the vulnerability.

Please keep in mind that we only investigated published vulnerabilities and exploits. We can expect, that many yet unpublished, and unused, vulnerabilities exist in the arsenals of the APTs.

In the case of critical infrastructures, we are well advised to invest in solutions which increase the resilience against cyber-attacks. A simple Apparmor profile would probably have prevented the attack on Equifax. Whitelisting solutions should be considered in environments where industrial control systems are operated. This makes the 24/72 MTTH approach to patching not obsolete. We just buy time.

Have a great week.

References

  1. Melick R. Mean Time to Hardening: The Next-Gen Security Metric [Internet]. threatpost. 2019 [cited 2020 Jan 12]. Available from: https://threatpost.com/mean-time-hardening-next-gen-security-metric/151402/
  2. Brook C. Equifax Confirms March Struts Vulnerability Behind Breach [Internet]. threatpost. 2017 [cited 2020 Jan 12]. Available from: https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/
  3. NIST NVD. CVE – CVE Reference Map for Source EXPLOIT-DB [Internet]. [cited 2020 Jan 12]. Available from: https://cve.mitre.org/data/refs/refmap/source-EXPLOIT-DB.html

Critical vulnerabilities require immediate action – How to prevent Equifax like attacks

23 September 2017

Critical Vulnerabilities are

  • exploitable from the network (Access Vector: Network),
  • require only low or medium skills to exploit (Access Complexity: Low or Medium),
  • require no authentication (Authentication: None),
  • cause great damage (Severity: High), and
  • allow remote attackers to execute arbitrary code on the victims’ computer

Among the vulnerabilities with CVSS vector (AV:N/AC:L/Au:N) or (AV:N/AC:M/Au:N) which cause great damage the last property makes the difference.

The infographic below shows that the number of critical vulnerabilities (320) is very small compared to the total number of vulnerabilities in 2016.

Critical Vulnerabilities 2016

Critical vulnerabilities 2016. Click to enlarge.

Nevertheless, immediate action is required because the reach of attacks is technically unlimited if critical vulnerabilities can be exploited.

Once an attacker has exploited a critical vulnerability in the DMZ he is able to execute arbitrary code on this computer. With this, he can probe the network for other computers with critical vulnerabilities or leverage Windows built-in weaknesses, configuration issues, and tools to explore the network until he finally gets to a computer which has a connection across a firewall to the company network.

Both, NotPetya and WannaCry exploited critical vulnerabilities. While WannaCry was just annoying, NotPetya caused multi-million dollar damage in companies across the world.

Mitigation

The TEAM approach for handling risks shows the direction for dealing with critical vulnerabilities.

Transfer: No insurer will take the risk because in the case of a critical vulnerability on a server in the DMZ both the probability of occurrence and the impact are high.

Eliminate: Is not possible, because this will result in loss of business.

Accept: No option because the probability of occurrence and the impact are high.

Mitigate: Patching is the only possible response in this case. Isolation of the system from the network will result in loss of business.

Urgency

Under normal conditions, patches are available at the time of disclosure.

Rule: Critical vulnerabilities should be patched faster than exploits show up on the market.

With this, immediate action is required because very often exploits are available yet at the time of disclosure. In addition, we cannot expect that only ethical hackers publish vulnerabilities.

Equifax

Critical Vulnerabilities Mitigation Process

Critical vulnerabilities mitigation process.

In the Equifax attack the critical vulnerability CVE-2017-5638 in the Apache Struts framework was used. A patch was available at the time of disclosure but apparently not applied.

Patching the Apache Struts framework is a challenging job.

Firstly, it is a challenge to identify the systems with the vulnerable framework installed.

Secondly, patches must be carefully tested prior implementation to avoid business loss.

Finally, the patches must be implemented manually because automated patch management is not available.

Thus, an up-to-date asset repository, a current QA system, and actual automated test routines are required to get the job done in the required short time frame.

To be honest, the Equifax attack remains a mystery for me. The IT shop of a billion dollar company should be able to deal with critical vulnerabilities in the required short time. Perhaps someone simply underestimated the risk.

For more details on the Equifax attack see Steven Bellovin’s post Preliminary Thoughts on the Equifax Hack published at CircleID.

Have a great weekend.