Drinking from the Firehose: Ten Years of Vulnerabilities through the CVE Lens
Steve Christey, The MITRE Corporation
April 21, 2010
© 2010 The MITRE Corporation. All rights reserved

Welcome to 1998

- Vulnerability databases were mostly private
  – "We'll show you our database if you show us your NDA"
- Bugtraq was a low-traffic list
- CERT advisories said very little
- Exploits were shared privately
- Attacks were rampant for months/years
- Vendors didn't fix things for months/years
- Vulnerability scanning industry still in infancy
- WWW wasn't ubiquitous
- Maybe 10 unique vulnerability types
- "Smashing the Stack" was only 2 years old
- Most reported vulnerabilities were in servers

Party Like It's 1999

[Diagram: CVE-1999-0067 at the center, linked to Security Advisories, Priority Lists, Vulnerability Scanners, Software Vendor Patches, Intrusion Detection Systems, Incident Response & Reporting, Research, and Vulnerability Web Sites & Databases]

An Approximate Timeline of Some Important Events

- 1999: Public launch
- 2000: Building steam, learning from mistakes
- 2001: Content decisions still evolving
- 2002: SNMP/PROTOS, responsible disclosure
- 2003: More regular updates, smaller batches
- 2004: Voting largely abandoned; increasing volume
- 2005: VIM mailing list, NVD dependence
- 2006: milw0rm
- 2007: grep-and-gripe, multi-stage exploits
- 2008: Getting to "root cause"
- 2009: Drowning in details, oss-security
- 2010: Back to the essentials?
[Chart: CVE Growth Over the Years; x-axis Aug-95 to Feb-06, y-axis 0 to 45000]

[Chart: Number of Words per Description; x-axis 1999 to 2009, y-axis 0 to 45]

[Chart: Number of References per CVE; x-axis 1999 to 2009, y-axis 0 to 9]

"Counting" Varies Widely

The same set of reports, as counted by different databases:

CVE (3 entries):
- CVE-1: SQL injection in version 1.x through login.php and order.php.
- CVE-2: SQL injection in version 2.x through admin.php.
- CVE-3: XSS in version 2.x through login.php and search.php.

OSVDB (5 entries):
- 1: SQL injection in login.php
- 2: SQL injection in order.php
- 3: SQL injection in admin.php
- 4: XSS in login.php
- 5: XSS in search.php

ISS and Bugtraq ID (2 entries):
- 1: Mult. SQL injection in 1.x and 2.x
- 2: XSS in 2.x

Secunia, ISS, and Bugtraq ID (1 entry):
- 1: SQL injection and XSS in 1.x and 2.x

Content Decisions: Abstraction

- AB1: SPLIT if different flaw types
- AB2: SPLIT if different versions are affected
- SPLIT if different vectors are released at a later time
- SPLIT if different codebases
- Otherwise MERGE

These factors are generally stable across all phases of vulnerability disclosure, and often known early in the game.

http://cve.mitre.org/cve/editorial_policies/cd_abstraction.html
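The two slides above describe the same disclosure being counted four different ways. The following is an added example, not MITRE's code or any VDB's actual logic: it encodes the five vectors from the "Counting" slide as records and applies the CD:AB rules (SPLIT on flaw type, affected versions, codebase, or later disclosure of new vectors; otherwise MERGE) next to per-vector, per-flaw-type and per-advisory grouping. The codebase name and disclosure dates are constructed placeholders.

```python
"""Counting one disclosure under different abstraction rules (added example)."""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    flaw: str        # flaw type, e.g. "SQL injection"
    versions: str    # affected version set as disclosed, e.g. "1.x"
    vector: str      # affected script (and parameter, if known)
    codebase: str = "ExampleApp"      # assumed: one codebase (placeholder name)
    disclosed: str = "2010-03-01"     # assumed: disclosure date of this vector


# The five vectors from the "Counting" slide, as constructed Report records.
SLIDE_REPORTS = [
    Report("SQL injection", "1.x", "login.php"),
    Report("SQL injection", "1.x", "order.php"),
    Report("SQL injection", "2.x", "admin.php"),
    Report("XSS", "2.x", "login.php"),
    Report("XSS", "2.x", "search.php"),
]


def _group(reports, key):
    """Merge reports that share `key`; one entry per group, in first-seen order."""
    groups = OrderedDict()
    for r in reports:
        groups.setdefault(key(r), []).append(r.vector)
    return [{"key": k, "vectors": v} for k, v in groups.items()]


def cve_style(reports):
    """CD:AB: split on flaw type (AB1), version set (AB2), codebase and
    disclosure date; everything else merges into one identifier."""
    return _group(reports, lambda r: (r.flaw, r.versions, r.codebase, r.disclosed))


def per_vector(reports):
    """OSVDB column on the slide: one entry per flaw type per vector."""
    return _group(reports, lambda r: (r.flaw, r.vector))


def per_flaw_type(reports):
    """ISS / Bugtraq ID column on the slide: one entry per flaw type."""
    return _group(reports, lambda r: (r.flaw, r.codebase))


def per_advisory(reports):
    """Secunia column on the slide: everything in the advisory is one entry."""
    return _group(reports, lambda r: r.codebase)


def count_all(reports):
    return {
        "CVE": len(cve_style(reports)),
        "OSVDB": len(per_vector(reports)),
        "ISS/BID": len(per_flaw_type(reports)),
        "Secunia": len(per_advisory(reports)),
    }


if __name__ == "__main__":
    print(count_all(SLIDE_REPORTS))
    # A new vector for the same flaw and versions, disclosed later, SPLITs under CD:AB:
    later = SLIDE_REPORTS + [Report("SQL injection", "1.x", "cart.php", disclosed="2010-06-15")]
    print(count_all(later)["CVE"])
```

The grouping key is the whole content decision: change the tuple in `cve_style` and you get a different database's count, which is why cross-VDB ID mapping is never one-to-one.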
Content Decisions: Inclusion

INCLUDE any issue for software that
  – Could be deployed in an enterprise
  – Could be network-connected physical devices
  – Has minimal, but non-zero, risk (path disclosure, admin-to-SYSTEM, client-side crasher)

EXCLUDE any issue that
  – Is "site-specific," SaaS, hosted, "in the cloud," …
  – Is provably wrong
  – Is just a rumor
  – Is not "actionable"
  – Is "just a bug" (e.g. defenestration exploit)

Site-specific / hosted software can be difficult to identify.

"All Publicly Known Vulnerabilities," Ten Years Later

- Site-specific (SaaS, Cloud, etc.)
  – How to even identify these?
  – Legal questions: can you hack your own site if it's on someone else's physical system?
- Joe Schmoe's phpGolf application
- Country X's most popular IM app
- Physical devices: mobile, voting machines, remote-control coffee makers, alarm clocks with built-in microphones, software that disables cars, SCADA
- Vulns from the 1960's
- Vulns in malware

Shout-outs to OSVDB for still trying to track everything.

Anatomy of a CVE Description: CVE-2009-4623

Multiple PHP remote file inclusion vulnerabilities in Advanced Comment System 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the ACS_path parameter to (1) index.php and (2) admin.php in advanced_comment_system/. NOTE: this might only be a vulnerability when the administrator has not followed installation instructions in install.php.

Elements of the description: flaw type, vendor name, product name, affected versions, remote/local, impact, attack vectors, clarifiers.

10 Years of CVE Descriptions

CVE-1999-0067: CGI phf program allows remote command execution through shell metacharacters.

CVE-2000-0067: CyberCash Merchant Connection Kit (MCK) allows local users to modify files via a symlink attack.
CVE-2001-0067: The installation of J-Pilot creates the .jpilot directory with the user's umask, which could allow local attackers to read other users' PalmOS backup information if their umasks are not securely set.

CVE-2002-0067: Squid 2.4 STABLE3 and earlier does not properly disable HTCP, even when "htcp_port 0" is specified in squid.conf, which could allow remote attackers to bypass intended access restrictions.

CVE-2003-0067: The aterm terminal emulator 0.42 allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.

CVE-2004-0067: Multiple cross-site scripting (XSS) vulnerabilities in phpGedView before 2.65 allow remote attackers to inject arbitrary HTML or web script via (1) descendancy.php, (2) index.php, (3) individual.php, (4) login.php, (5) relationship.php, (6) source.php, (7) imageview.php, (8) calendar.php, (9) gedrecord.php, (10) login.php, and (11) gdbi_interface.php. NOTE: some aspects of vector 10 were later reported to affect 4.1.

10 Years of CVE Descriptions (continued)

CVE-2005-0067: The original design of TCP does not require that port numbers be assigned randomly (aka "Port randomization"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced.
NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.

CVE-2006-0067: SQL injection vulnerability in login.php in VEGO Links Builder 2.00 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter.

CVE-2007-0067: Unspecified vulnerability in the Lotus Domino Web Server 6.0, 6.5.x before 6.5.6, and 7.0.x before 7.0.3 allows remote attackers to cause a denial of service (daemon crash) via requests for URLs that reference certain files.

CVE-2008-0067: Multiple stack-based buffer overflows in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allow remote attackers to execute arbitrary code via (1) long string parameters to the OpenView5.exe CGI program; (2) a long string parameter to the OpenView5.exe CGI program, related to ov.dll; or a long string parameter to the (3) getcvdata.exe, (4) ovlaunch.exe, or (5) Toolbar.exe CGI program.

CVE-2009-0067: ** RESERVED **

CVE-2010-0067: Unspecified vulnerability in the Oracle Containers for J2EE component in Oracle Application Server 10.1.2.3 and 10.1.3.4 allows remote attackers to affect confidentiality via unknown vectors.

Some Favorite CVEs

CVE-2002-0013: Vulnerabilities in the SNMPv1 request handling of a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via (1) GetRequest, (2) GetNextRequest, and (3) SetRequest messages, as demonstrated by the PROTOS c06-SNMPv1 test suite.
CVE-2002-0934: Directory traversal vulnerability in Jon Hedley AlienForm2 (typically installed as af.cgi or alienform.cgi) allows remote attackers to read or modify arbitrary files via an illegal character in the middle of a .. (dot dot) sequence in the parameters (1) _browser_out or (2) _out_file.

CVE-2008-7173: The Jura Internet Connection Kit for the Jura Impressa F90 coffee maker does not properly restrict access to privileged functions, which allows remote attackers to cause a denial of service (physical damage), modify coffee settings, and possibly execute code via a crafted request.

CVE-*-*: Stack-based buffer overflow in FTP Server [INSERT-PRODUCTNAME-HERE] allows remote attackers to execute arbitrary code via a long USER name.

Rise of the Web Applications

[Chart: share of CVEs by vulnerability class; the "other" slice is 17%]

Postcards from the Linux Kernel

CVE-2010-0291: The Linux kernel before 2.6.32.4 allows local users to gain privileges or cause a denial of service (panic) by calling the (1) mmap or (2) mremap function, aka the "do_mremap() mess" or "mremap/mmap mess."

CVE-2009-4410: The fuse_ioctl_copy_user function in the ioctl handler in fs/fuse/file.c in the Linux kernel 2.6.29-rc1 through 2.6.30.y uses the wrong variable in an argument to the kunmap function, which allows local users to cause a denial of service (panic) via unknown vectors.

CVE-2009-4026: The mac80211 subsystem in the Linux kernel before 2.6.32-rc8-next-20091201 allows remote attackers to cause a denial of service (panic) via a crafted Delete Block ACK (aka DELBA) packet, related to an erroneous "code shuffling patch."

CVE-2009-3620: The ATI Rage 128 (aka r128) driver in the Linux kernel before 2.6.31-git11 does not properly verify Concurrent Command Engine (CCE) state initialization, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly gain privileges via unspecified ioctl calls.
The Common Weakness Enumeration

- 800 weaknesses, not 40,000 vulnerabilities
- Builds heavily on CVE and external taxonomy efforts
- Main goal: prevent CVEs from happening in the first place
- http://cwe.mitre.org

2010 CWE/SANS Top 25 Programming Errors

1. CWE-79 XSS
2. CWE-89 SQL Injection
3. CWE-120 Classic Buffer Overflow
4. CWE-352 CSRF
5. CWE-285 Improper Authorization
6. CWE-807 Reliance on Untrusted Inputs in Security Decision
7. CWE-22 Path Traversal
8. CWE-434 File Upload
9. CWE-78 OS Command Injection
10. CWE-311 Missing Encryption
11. CWE-798 Hard-coded Credentials
12. CWE-805 Incorrect Length Value in Buffer Access
13. CWE-98 PHP Remote File Inclusion
14. CWE-129 Uncontrolled Array Index
15. CWE-754 Improper Check for Exceptional Conditions
16. CWE-209 Error Message Infoleak
17. CWE-190 Integer Overflow/Wrap
18. CWE-131 Incorrect Buffer Size Calculation
19. CWE-306 Missing Authentication
20. CWE-494 Download of Code Without Integrity Check
21. CWE-732 Insecure Permissions
22. CWE-770 Allocation of Resources Without Limits or Throttling
23. CWE-601 Open Redirect
24. CWE-327 Broken Crypto
25. CWE-362 Race Condition

http://cwe.mitre.org/top25

Predicting Popular Vulnerability Classes

A class may become popular if it has all of these:
  – Bad consequences: remote code execution, data compromise, security bypass
  – Easy to find
  – Easy to write exploit code
  – Has had a white paper or two written about it
  – Has hit very popular software

Past examples: buffer overflows, format strings, SQL injection, PHP file inclusion, XSS, CSRF

Future:
  – Exposed ActiveX methods, file uploads, …

Generally there seems to be at least a 2-year lag time between first discovery and rampant exploitation. Exception: format strings.
The Tipping Points

[Charts: four classes over 2000 to 2010, one panel each: SQL Injection (y-axis 0 to 25), Integer Overflow (0 to 3), CSRF (0 to 1.8), Symbolic Link (0 to 5)]

The r0t Method of Vulnerability Analysis

- Be 14 or 15 years old, with spare time
- Go to a software repository web site
- Download a package or try its demo site
- Do blatantly simple SQL injection and XSS: a single quote ('), <script>alert('XSS')</script>
- Move on after 10 minutes
- Disclose the issue on your blog

[Chart: Number of CVEs Disclosed Per Month (2004 to 2006); x-axis 200401 to 200612, y-axis 0 to 800; the spike is labelled "r0t"]

Grep-and-Gripe: Revenge of the Symlinks

Dmitry E. Oboukhov, August 2008

    grep -A5 -B5 /tmp/ [PROGRAM]

Run against Debian packages.

[Chart: symlink issues over time, y-axis 0 to 5; the spike is labelled "Dmitry"]

Those who do not learn from the past are doomed to repeat it.
Grep-and-gripe is a valid methodology.

Grep-and-Gripe 2: Attack of the Clones

abc.php:

    $language = "english";
    …
    include("$language.php");

    http://example.com/abc.php?language=[RFI]

Unforgivable Vulnerabilities: The Lucky 13

- Buffer overflow (CWE-120). Sample: AAA…AAA. Where: User/Password; Filenames; Common Commands
- XSS (CWE-79). Sample: <SCRIPT>. Where: User/Password; Body, subject, title, to, from
- Directory Traversal (CWE-23). Sample: "../.." or "/full/path". Where: Get/Send Command; File sharing
- Remote File Inclusion (CWE-98). Sample: template=http://example.com/c99. Where: Any include/require that interpolates $_GET, $_POST, etc.
- SQL Injection (CWE-89). Sample: ' OR 1=1. Where: User/Password; id or other numeric field
- World-Writable Files (CWE-276, 279). Sample: -rwxrwxrwx myprog. Where: Executables; Libraries; Configuration Files

The Lucky 13 (Continued)

- Crypto (CWE-327). Sample: tebj lbhe bja pelcgb. Where: Substitution Cipher
- Direct Request (CWE-425). Sample: http://example/admin/script.cgi. Where: Admin functionality; Library code with executable extensions
- Auth bypass (CWE-472). Sample: authenticated=1. Where: Form field; Cookie
- Symlink Following (CWE-61). Sample: ln -s /tmp/App.dat /etc/passwd; sleep 100000. Where: Log files; Temporary files; Command-line args
- Hard-coded Pass (CWE-259). Sample: User: psychyore, Pass: psychyore. Hard-coded or default?
- Privilege Escalation (CWE-271). Where: Help selected from privileged Windows executable
- Integer overflow (CWE-190). Sample: Length: 0xffffffff, Width: 0xffffffff. Where: Arbitrary length, width, height, size…

Typical Vulnerability History of a Product

[Diagram: stages 1 to 7 of a product's vulnerability history, plotted against product types from "Joe Schmoe SW" through "ActiveX, Image and Document Processors" to "High-profile network servers". Stage 1: Obvious types in critical functionality. Stage 7: Unique types or attacks, extensive expert analysis. Other stage labels: Variants of common vulnerability types; Incomplete fixes, closely related vectors; Elimination of most common types; Limited environments, platforms, configs; Rare or novel types and attacks.]

Chains: Why Buffer Overflows are Still Here

X: Use of Signed Integers for Always-Positive Operations
A: Incorrect Range Check
B: Integer Overflow
C: Insufficient Memory Allocation
D: Heap Overflow

Assumption: the range check will prevent an overflow from occurring.

    height = -65534; width = -65534;
    if (height > 64000 || width > 64000) {  /* A: upper bound only; negatives pass */
        error("too big!");
    }
    size = height * width;                   /* B: signed product wraps */
    buf = malloc(size);                      /* C: allocation sized from the wrapped value */
    memmove(buf, InputBuf, SZ);              /* D: copy exceeds the allocation */
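The two Grep-and-Gripe slides above describe a deliberately crude method: a fixed pattern, a few lines of context, run over a lot of code. The following is an added example, not Dmitry Oboukhov's tooling or MITRE's: it re-creates the two patterns the slides name (a hard-coded /tmp/ path, and an include/require whose argument interpolates a variable, which is also the RFI row of the Lucky 13 table) with grep -A/-B style context. The PHP and shell snippets it scans are constructed for the example.

```python
"""A grep-and-gripe pass with grep -A/-B style context (added example)."""
import re

# Patterns named on the slides; deliberately simple, like the original method.
PATTERNS = {
    "hardcoded-tmp": re.compile(r"/tmp/"),
    # include/require whose argument contains a variable before the statement ends
    "interpolated-include": re.compile(r"\b(include|require)(_once)?\b[^;]*\$"),
}

# Constructed sample input: a PHP file and a shell script, with true and false positives.
SAMPLE_SOURCES = {
    "abc.php": [
        "<?php",
        '$language = "english";',
        "// ... many lines later ...",
        'include("$language.php");',          # Grep-and-Gripe 2: interpolated include
        "require_once 'lib/fixed.php';",      # literal path: not flagged
        "include($_GET['page'] . '.php');",   # interpolated straight from the request
    ],
    "backup.sh": [
        "#!/bin/sh",
        "TMP=/tmp/app-backup.dat",            # predictable name in a shared directory
        'tar cf "$TMP" /var/lib/app',
        'cp "$TMP" /srv/backup/',
        "logger 'backup done'",
    ],
}


def scan(lines, pattern, before=2, after=2):
    """(line_no, context_lines) for every match; context mimics grep -B/-A."""
    hits = []
    for i, line in enumerate(lines):
        if pattern.search(line):
            lo, hi = max(0, i - before), min(len(lines), i + after + 1)
            hits.append((i + 1, lines[lo:hi]))
    return hits


def gripe(sources, patterns=PATTERNS):
    """Run every pattern over every file: {(file, pattern_name): [line numbers]}."""
    report = {}
    for fname, lines in sources.items():
        for pname, pat in patterns.items():
            found = scan(lines, pat)
            if found:
                report[(fname, pname)] = [n for n, _ in found]
    return report


if __name__ == "__main__":
    for (fname, pname), line_nos in gripe(SAMPLE_SOURCES).items():
        print(f"{fname}: {pname} at lines {line_nos}")
        for n, ctx in scan(SAMPLE_SOURCES[fname], PATTERNS[pname]):
            print(f"  -- line {n} --")
            print("  " + "\n  ".join(ctx))
```

Every hit still needs a human to decide whether the /tmp/ name is created safely or whether the included path is sanitised before use; the method finds candidates, not vulnerabilities, which is exactly the triage the "gripe" half describes.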
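The Chains slide above walks the A-B-C-D sequence in C pseudocode. The following is an added example, not code from the slide: it emulates 32-bit two's-complement `int` arithmetic in Python so each link can be checked for concrete inputs, and puts the check that closes the chain next to the flawed one. The 64000 bound is the slide's; the dimensions -65536 and the 4096-byte copy length are constructed for the example.

```python
"""The X/A/B/C/D chain from the Chains slide, stepped through with emulated C ints."""

MAX_DIM = 64000            # the slide's upper bound
INT32_MAX = 2**31 - 1


def to_int32(x):
    """Wrap a Python int the way a 32-bit two's-complement C `int` would."""
    x &= 0xFFFFFFFF
    return x - 2**32 if x > INT32_MAX else x


def flawed_alloc_size(height, width):
    """X + A + B from the slide: signed dimensions and an upper-bound-only check.
    Returns the `int` that reaches malloc, or None when the check fires."""
    if height > MAX_DIM or width > MAX_DIM:   # A: negative values sail through
        return None
    return to_int32(height * width)           # B: the product wraps


def copy_overflows(alloc_size, copy_len):
    """C + D: True when copying copy_len bytes exceeds what was allocated.
    A negative `int` becomes a huge size_t and malloc fails, so there is no
    buffer to overflow in that case (a NULL pointer problem instead)."""
    if alloc_size is None or alloc_size < 0:
        return False
    return copy_len > alloc_size


def safe_alloc_size(height, width):
    """Closes the chain at A: dimensions must be strictly positive and bounded,
    so the product is positive and at most MAX_DIM * MAX_DIM."""
    if not (0 < height <= MAX_DIM and 0 < width <= MAX_DIM):
        return None
    return height * width


if __name__ == "__main__":
    h = w = -65536                            # passes "> 64000", product is 2**32
    size = flawed_alloc_size(h, w)            # wraps to 0: malloc(0)
    print(size, copy_overflows(size, 4096))   # a 4096-byte memmove into it overflows
    print(flawed_alloc_size(-65534, -65534))  # the slide's values: wraps negative
    print(safe_alloc_size(h, w), safe_alloc_size(640, 480))
```

The point of the emulation is that the range check is not wrong in isolation; it is wrong for the type it is applied to. Using an unsigned or strictly-positive domain (X) is what makes a single upper bound (A) sufficient.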
Symbolic Link Following (composition)

Symlink Following is a composite of:
- Race Condition (CWE-362)
- Predictability (CWE-340)
- Insecure directory permissions (CWE-275)
- Path Equivalence (CWE-41)

The Four I's Principle of Vulnerability Information

- Incomplete
  – Missing versions, product names
  – Missing patch information
- Inaccurate
  – Incorrect diagnosis
  – Blatantly wrong
- Inconsistent
  – Acknowledgement discrepancies
  – Bug type discrepancies
  – Varying severities
- Incomprehensible
  – Poor writing
  – Lack of clear formatting

Coordinated disclosure between researcher and vendor frequently wipes these out.

Four I's: Some Examples From Spring 2010

- CVE-2010-1040: original Symantec advisory implies that Symantec Endpoint Protection 11.x is affected, but later they say it's not.
- CVE-2009-3376: Red Hat, Ubuntu claim Thunderbird is affected, but this is not in the original Mozilla advisory. Same with several other CVEs.
- CVE-2010-0009: vendor accidentally includes CVE-2008-2370 in subject line of advisory.
- Developer of affected software, on oss-security: "I'm half way down this discussion and already I'd prefer to stick needles in my eyes." Nowhere in the thread is an affected version mentioned.
- CVE-2010-1188: Red Hat provides this CVE as a link in RHSA-2010:0178, but doesn't include it within their details section. Did they fix this or not? See CVE-2009-4538 for Mandriva.
- CVE-2010-1028: reliable researcher claims a vulnerability but posts no details and did not provide them to the vendor. Commercial exploit available.
- CVE-2009-4463: a reliable researcher says "hard-coded passwords" but ICS-CERT performs further research and finds out these are default passwords.
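The "Symbolic Link Following (composition)" slide above breaks symlink following into four components, and the Lucky 13 table shows the classic trigger (a link planted at a predictable /tmp name). The following is an added example, not code from the slides: it shows file creation that addresses each component, beside the naive pattern that does not. `tempfile.mkdtemp` gives an unpredictable directory created with mode 0700 (predictability, directory permissions); `O_CREAT|O_EXCL` makes check-and-create a single atomic step (race condition); `O_NOFOLLOW` refuses a symlink at the final path component (the follow itself). The scenario in `demo()` is constructed: it plants links in a scratch directory that stand in for `ln -s /tmp/App.dat /etc/passwd`, and cleans up after itself.

```python
"""Creating a file without following a planted symlink (added example)."""
import os
import shutil
import tempfile


def create_private_file(path, data):
    """Create `path` for the current user only; refuse if anything already sits there.
    O_EXCL fails with EEXIST even when the existing entry is a symlink, and
    O_NOFOLLOW (where the platform has it) refuses to follow a link at `path`."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:      # EEXIST: a file or symlink is already at that name
        return False
    except OSError:              # ELOOP from O_NOFOLLOW, EACCES, and friends
        return False
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return True


def demo():
    """Constructed scenario: attacker-planted links at predictable names."""
    workdir = tempfile.mkdtemp(prefix="symlink-demo-")   # unpredictable, mode 0700
    try:
        victim = os.path.join(workdir, "victim.txt")      # stands in for /etc/passwd
        with open(victim, "wb") as f:
            f.write(b"original")
        planted_naive = os.path.join(workdir, "App.dat")  # the slide's /tmp/App.dat
        planted_safe = os.path.join(workdir, "App2.dat")
        os.symlink(victim, planted_naive)
        os.symlink(victim, planted_safe)

        results = {}
        # Naive pattern: open(path, "wb") follows the link and writes to the target.
        with open(planted_naive, "wb") as f:
            f.write(b"attacker-chosen")
        with open(victim, "rb") as f:
            results["naive_open_clobbered_target"] = f.read() == b"attacker-chosen"

        # Restore the target, then show the hardened pattern refusing the planted link.
        with open(victim, "wb") as f:
            f.write(b"original")
        results["hardened_refused_symlink"] = not create_private_file(planted_safe, b"x")
        with open(victim, "rb") as f:
            results["target_intact"] = f.read() == b"original"

        # A name nobody has claimed is created, owner-only.
        fresh = os.path.join(workdir, "App-fresh.dat")
        results["hardened_created_fresh"] = create_private_file(fresh, b"ok")
        results["fresh_mode_0600"] = (os.stat(fresh).st_mode & 0o777) == 0o600
        return results
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Refusing to proceed when the name is already taken is the whole defence: the "turtle race" of the Lucky 13 row (sleep, then use) only works when the program is willing to open whatever has appeared at the name in the meantime.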
Four I's: Some Examples From Spring 2010 (continued)

- CVE-2010-1055: original researcher says "RP" parameter is affected, but everyone else says "id"
- CVE-2010-1060: exploit implies consequence of reading files, but it's really executing arbitrary programs
- CVE-2009-4763: software developer removed third-party plugin due to "security issues" but no information on the plugin site; is it the same problem as one that was reported more than a year earlier?
- CVE-2005-1426: re-discovered and disclosed in 2009; researcher didn't mention issue had already been disclosed; also said "blog.msb" which is a typo of "blog.mdb"
- CVE-2008-7254: researcher posts a vulnerability to ExploitDB in 2010, when it had already been disclosed in 2008 on PacketStorm.

Carving Out Your Niche in Applied Vulnerability Research

- Applied vulnerability research is a meritocracy
- Your idea might be way ahead of its time
- Someone else had the idea before you
  – … but you're the one doing something about it
- You know less than you think you do
  – … but eventually, maybe a little more than anyone else
- There are many opportunities
  – Thought leaders will understand the limitations of your breakthrough
  – Thought leaders are busy
  – We need more freely-available white papers on "established" techniques that "everybody" knows

Carving Out Your Niche (2)

- Stay open to change in strategy and focus
  – Criticism is an opportunity to learn
  – Learn to say "no" but be mindful of the consequences
  – The future tends to change things
- Don't let the perfect get in the way of the good
- Understand your work in the context of the larger picture
Carving Out Your Niche (3)

- Communication skills are critical
- Share what you know; you'll learn, too
- Get out of the office every once in a while
- If you don't fail at least a little bit:
  – You're not pushing the envelope enough
  – You're not introspective enough

How VDBs Notice Researchers

- Quality over quantity
- If you post a lot, we notice
  – If you're often wrong, you face being ignored
- If you post a little but it's great, we notice
- We read disclosure timelines for fun

Conclusion

- We've come a long way, baby
- We've got a long way to go
- Getting to the root causes, and understanding their solutions, has a greater chance of success than hack-and-patch