INFSYS 3848/6828 Assignment – 3: Understanding Vulnerabilities in Software
Dr. Shaji Khan
Page 1 of 8
Points Possible: 100
Due Date: March 15, 2016 by 11:59pm Central Time
Overview
A common thread in most breaches of information security is the presence of vulnerabilities in the entities which are supposed to be protected. Vulnerabilities are, simply, weaknesses in software, system security procedures, internal controls, or implementation that could be exploited. That is, vulnerabilities are specific weaknesses that could be used by "threat agents" (malicious or non-malicious actors) to endanger or cause harm to an information asset.
RFC 4949 explains vulnerabilities quite well: "A flaw or weakness in a system's design,
implementation, or operation and management that could be exploited to violate the system's
security policy. A system can have three types of vulnerabilities: (a) vulnerabilities in design or
specification; (b) vulnerabilities in implementation; and (c) vulnerabilities in operation and
management. Most systems have one or more vulnerabilities, but this does not mean that the
systems are too flawed to use. Not every threat results in an attack, and not every attack
succeeds. Success depends on the degree of vulnerability, the strength of attacks, and the
effectiveness of any countermeasures in use. If the attacks needed to exploit a vulnerability are
very difficult to carry out, then the vulnerability may be tolerable. If the perceived benefit to an
attacker is small, then even an easily exploited vulnerability may be tolerable. However, if the
attacks are well understood and easily made, and if the vulnerable system is employed by a wide
range of users, then it is likely that there will be enough motivation for someone to launch an
attack.”
TO DO: To understand how vulnerabilities fit into the overall concept of a breach, please visit:
http://en.wikipedia.org/wiki/Threat_(computer)#Phenomenology and study the diagram with its accompanying description.
Vulnerabilities in software, in particular, also have the potential for great damage when exploited. If malicious actors are able to develop software or techniques that can "exploit" such vulnerabilities, the consequences could be devastating. Thus, information security professionals, system administrators, risk managers, and IT professionals in general must continuously 1) identify and 2) mitigate vulnerabilities (by implementing appropriate controls).
The issue is that there are thousands of such KNOWN vulnerabilities and new ones become known each day. As an aside, of course there may be many vulnerabilities that are never found by the organizations that develop the software but are known to malicious actors. We call attacks associated with such unknown or yet-to-be-fixed vulnerabilities "Zero Day Attacks".
Thus, both the identification of vulnerabilities (for example, figuring out all the known vulnerabilities of a certain version of the WordPress blog software before upgrading to that version) as well as the mitigation of vulnerabilities (that is, doing something such as installing patches, reconfiguring the system, shutting down open ports, etc., all of which are forms of "control") remain a challenge.
To address this issue the National Institute of Standards and Technology (NIST) and many independent community efforts have attempted to create global "databases" of KNOWN vulnerabilities, their potential for impact, and techniques for mitigating them.
Lab Purpose:
1) To familiarize ourselves with vulnerability databases, their terminology, standards, and procedures to share vulnerability data.
2) To understand how these data sources are integrated into commercial security software tools that help organizations manage their vulnerabilities. These software tools are generally grouped under the term "vulnerability scanners" (or similar terms).
3) To examine a few "classic" vulnerabilities in depth to get a sense of just how vulnerabilities expose systems to exploitation.
Lab Tasks: There are two tasks for this lab: Task 1 and Task 2.
TASK 1: Overview
TO DO: Visit http://en.wikipedia.org/wiki/Vulnerability_database and read the short introduction.
TO DO:
1. Visit the National Vulnerability Database (NVD) site at https://nvd.nist.gov and spend time reading the About and FAQ pages. The idea is to understand just what the NVD is.
2. Visit the "Open Sourced Vulnerability Database" (OSVDB) site at http://www.osvdb.org and again try to read the About and FAQ pages (see the Project Info tab). This is a non-governmental effort to do essentially the same thing as the NVD.
3. Visit the Microsoft Security Bulletins site at https://technet.microsoft.com/security/bulletin/ and get a sense of what is available. The Microsoft Security Bulletins are notifications about known vulnerabilities in Microsoft software.
As you may understand by now, the above resources are attempting to provide information on known vulnerabilities so that users may take steps to mitigate those vulnerabilities. However, given there are so many vulnerabilities, we need some system to keep track of them. That is, do we have some type of ID for each of these vulnerabilities? Turns out, the NVD uses a system known as "Common Vulnerabilities and Exposures (CVE)" that essentially provides a unique identifier for each vulnerability. Such IDs are called "CVE-IDs". Of course Microsoft has its own system to uniquely identify its vulnerabilities. It simply numbers each vulnerability using a "Bulletin Number" (see the security bulletin page above). Most of these "databases" also make some attempt to "map" each other's IDs!
TO DO:
1) Visit the Wikipedia entry on CVE and read at least till the section on CVE Identifiers.
http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures
2) Also briefly visit http://cve.mitre.org/cve/identifiers/index.html
By now, you understand that:
1) There are databases for vulnerabilities in software (the NVD being the most prominent and widely used) and
2) These databases must use IDs to uniquely identify each vulnerability.
However, is just knowing about vulnerabilities enough? How about if we have some indication of "just how bad the vulnerability is"? Turns out, the NVD uses a system called the "Common Vulnerability Scoring System (CVSS)" that provides just such an indication. The CVSS allows us to provide quantifiable metrics on useful characteristics of each vulnerability as well as get some sense of just how bad an impact it can have on our IT assets.
TO DO:
1) Visit the CVSS description page on NVD's site at https://nvd.nist.gov/cvss.cfm and read through.
2) Visit the official CVSS Version 3 standards pages https://www.first.org/cvss/user-guide and https://www.first.org/cvss/specification-document. Use these pages to briefly (but in your own words to the extent possible) answer the following questions.
a. NOTE: The current CVSS standard is at Version 3. The earlier version, 2, is still in use. New vulnerabilities from some time in late 2015 started to be scored on both the version 3 and version 2 systems.
Answer Questions: (PLEASE EXPLAIN CONCEPTS IN OWN WORDS. "COPY/PASTE" ANSWERS WILL NOT RECEIVE ANY CREDIT)
1. The CVSS Version 3 is composed of three "metric groups, Base, Temporal, and Environmental, each consisting of a set of metrics." Briefly explain what each group represents.
Base Metric Group consists of exploitability metrics including the attack vector, attack complexity, privileges required, and user interaction. It also represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. Exploitability metrics reflect the ease and technical means. Impact Metrics reflect the direct consequence of a successful exploit and represent the consequence to an item that suffers the impact.
Temporal Metric Group consists of exploit code maturity, remediation level, and report confidence. This metric does reflect the characteristics of a vulnerability that may change over time but not across user environments.
Environmental Metric Group consists of modified base metrics, confidentiality requirement, integrity requirement, and availability requirement. This metric does reflect the characteristics of a vulnerability that are relevant and unique to a particular user's environment (home computer). This group does allow one to promote or demote the importance of a vulnerable system according to the business risk.
2. The "Base" metric group consists of two types of metrics: 1) Exploitability Metrics and 2) Impact Metrics. Within the Exploitability metrics, briefly explain each of the following metrics while identifying the metric values and their meanings:
2.1. Attack Vector: This reflects the context in which vulnerability exploitation is possible. The metric values, known as PLAN (Physical, Local, Adjacent, Network), represent different aspects. Physical is described as the physical access requirement that attackers need to physically touch or manipulate the vulnerable component. Local is described as the local access where the vulnerable component is not bound to the network stack and the attacker's path is via three different capabilities known as read/write/execute capabilities. Adjacent is described as the adjacent network where the vulnerable component is bound to the network stack. However the attack is limited to the same shared physical or logical network, and cannot be performed across an OSI layer like a router. Network is described as the network access, meaning the vulnerable component is bound to the network stack and the attacker's path is through OSI Layer 3. This is also known to be remotely exploitable.
2.2. Attack Complexity: This reflects the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. The metric values are based on LH (Low and High). Low means that an attacker can gain access over and over again with success because the specialized conditions or extenuating circumstances do not exist. High means that an attacker can be successful but not over and over again. The high metric value is deeper to penetrate and the attacker themselves must invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected.
2.3. Privileges Required: This reflects the level of privileges an attacker must possess before successfully exploiting the vulnerability. The metric values are based on NLH (None, Low, and High). None means an attacker is unauthorized prior to attack and therefore does not require any access to anything to be able to carry out the missioned attack. Low is where the attacker is authorized (employee) and has the basic user capabilities that could normally affect only the settings and files owned by a user. High is when an attacker has a lot of authority (administration) and a significant amount of control over the vulnerable component that can affect an organization in its entirety.
2.4. User Interaction: This metric captures the requirement of a user, other than the attacker, to participate in the successful compromise of the vulnerable component (ex. GUI - Graphical User Interface). The metric values are RN (Required and None). Required means that successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. None means that the vulnerability can be exploited without interaction from any user.
3. The CVSS Version 3 also includes the idea of "Authorization Scope" (see section 2.2 in the https://www.first.org/cvss/specification-document). Briefly explain the idea of "Scope" as used here.
Scope refers to the collection of privileges defined by a computing authority when granting access to computing resources. The privileges are assigned based on some method of identification and authorization. The authorization itself may be simple or loosely controlled based on the predefined rules or standards. Scope has two metric values, which are changed and unchanged. Changed is when an exploited vulnerability can affect resources managed by the same authority. Unchanged is an exploited vulnerability that can affect resources beyond the authorization privileges intended by the vulnerable component. So in regards to two individuals of
the same authority, it is simply controlled and is unchanged. Whereas when you have a higher authority and a lower authority individual, then that means it is loosely controlled, which means changed.
4. The "Base" metric group also consists of "Impact Metrics." Briefly explain each while identifying the metric values and their meanings:
4.1. Confidentiality Impact: This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. The metric values are high, low, or none. High is where there is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. So if an attacker attempts this it would leave them with lots of information, especially if they get an administrator's password. Low is where there is some loss of confidentiality. So only some restricted access is obtained by the attacker but they do not have control over all information like an administrator would. They would be like a regular employee that has limited information. None is when there is no loss of confidentiality within the impacted component. In which case the attacker had no success here.
4.2. Integrity Impact: This metric measures the impact to integrity of a successfully exploited vulnerability. The metric values stay consistent with confidentiality in regards to having high, low, and none. High is where the metric has a total loss of integrity or a complete loss of protection. For example, in Ferris Bueller's Day Off Ferris gets into the computer system and wipes out all his attendance issues so his parents do not find out. Low is where the modification of data is possible but the attacker doesn't have control over the consequence of modification or the amount of modification is constrained. In which case if I were the attacker then I would not make a serious impact on the impacted component. None is when there is no loss of integrity within the impacted component. In regards to me being the attacker then I would not have been able to modify any type of files.
4.3. Availability Impact: This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. The metric values stay consistent with confidentiality and integrity in regards to having high, low, and none. High is where the metric has a total loss of availability resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained or persistent. For example, in the 1983 movie War Games there is a kid that plays a game called WAR and what he doesn't know is that he is taking over the US government machine. In which case this doesn't allow the government the availability to use their own machines to do their job. Low is when there is reduced performance or interruptions in resource availability. In the 1995 film Hackers the IT company's security officer is limiting the availability to all resources because he had put something into the system to block them from noticing that he is stealing from the company. None is when there is no impact to availability with the impacted component.
So now you understand how vulnerabilities are "scored" using the metrics you learned above. Although you see "qualitative" values for each metric (e.g., High, Medium, Low), the CVSS system assigns numbers to each of these values to come up with a Numeric Score ranging from 0 to 10. We don't need to understand the "formula" they use for now but you can see it here:
https://www.first.org/cvss/specification-document#i8
Overall, you have thus far seen that:
1) There are databases of software vulnerabilities (e.g., the NVD).
2) There are unique identifiers (e.g., CVE-ID) for each vulnerability so that we can tell them apart and track them.
3) We have approaches to "quantify" the characteristics of each vulnerability (e.g., what is its access vector, how easy it is to access it, how easy it is to exploit it…) as well as its impact (e.g., confidentiality impact, etc.)
TASK 2: Examining two well-known vulnerabilities
Here, we will look at two well-known vulnerabilities that have proven quite damaging to security. One is pretty old and the other fairly recent. The idea is to use what you learned in TASK 1 to "gauge" these two vulnerabilities.
TO DO:
1. Visit the National Vulnerability Database (NVD) Vulnerability Search page at https://web.nvd.nist.gov/view/vuln/search and search for the following two vulnerabilities.
a. Search for the vulnerability with CVE-ID: CVE-2008-4250
b. Search for the vulnerability with CVE-ID: CVE-2014-0160
2. Answer Questions:
2.1. For each, please note down the following: [NOTE: These are CVSS Version 2 scores as version 3 was not implemented until 2015] (Define)
CVSS Base Score: The CVSS base score is the base metric group that captures the characteristics of a vulnerability that are constant with time and across user environments.
Impact Subscore: This is part of the base score that calculates the impact.
Exploitability Subscore: Under the metric groups there are temporal metrics which exploitability falls under. This metric measures the current state of exploit techniques or code availability.
Access Vector: This is one of the base metrics. This metric reflects how the vulnerability is exploited.
Access Complexity: This is another base metric. This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.
Authentication: This is another base metric. This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability.
2.2. Discuss the differences between the two vulnerabilities across the above metrics. Is the second one somehow "less severe" than the first? Is the "Impact Type" of one worse than the other? (Which vulnerability is worst based on scores: do research)
Hints: search for more information on these vulnerabilities online. The second vulnerability was found just last year and has been known as the "Heartbleed" vulnerability. The first vulnerability is also known as the "MS08-067" vulnerability. That number is actually the ID (Bulletin Number) Microsoft gave to that vulnerability.
Big Picture Discussion (answer these questions in your homework and
be ready to discuss in class):
Answer Questions:
2.3. Based on your reading and opinion, what purpose do you think such vulnerability databases serve?
I believe that the purpose of vulnerability databases is to help organizations out to catch those wanting to hack their systems however they can. So they serve to block those attackers as best as they can.
2.4. Are they actually useful? Why or why not?
Yes, they are useful because it is most likely that the vulnerability databases do catch the necessary attacks that they could be or are being attacked by.
2.5. What happens once a vulnerability has been added to a database? That is, what can we do about it? How do we find out what to do?
Once a vulnerability is added to the database it is then evaluated to see if this threat is big enough to get rid of or if they can chance it going through. In some cases, if you receive a Trojan horse threat then the company will need to protect their organization from it. Whereas in other cases, if it is just phishing emails then they can chance it and hope their associates are not going to open the email fully.
SUBMISSION INSTRUCTIONS:
1. Type your answers within this document or create a new document. Be sure to name your document in the following format: FirstName_LastName_Assignment3
2. Submit the document via the "Assignment 3" assignment page on MyGateway. Be sure to hit submit.
PENALTY FOR LATE SUBMISSIONS:
Late submissions will receive a 10% automatic deduction for each 24 hour period after the due date/time until no points remain.
GETTING HELP:
1. Visit tutors in the CITIL (ESH 204). Information listed on MyGateway/Faculty Information.
2. Call (314-489-9733) / email (shajikhan@umsl.edu) the instructor anytime.