Vulnerability (computer security)
In computer security, vulnerabilities are flaws or weaknesses in a system's design, implementation, or management that can be exploited by a malicious actor to compromise its security.
Despite a system administrator's best efforts to achieve complete correctness, virtually all hardware and software contain bugs where the system does not behave as expected. If the bug could enable an attacker to compromise the confidentiality, integrity, or availability of system resources, it can be considered a vulnerability. Insecure software development practices as well as design factors such as complexity can increase the burden of vulnerabilities.
Vulnerability management is a process that includes identifying systems and prioritizing which are most important, scanning for vulnerabilities, and taking action to secure the system. Vulnerability management typically is a combination of remediation, mitigation, and acceptance.
Vulnerabilities can be scored for severity according to the Common Vulnerability Scoring System (CVSS) and added to vulnerability databases such as the Common Vulnerabilities and Exposures (CVE) database. As of November 2024, there are more than 240,000 vulnerabilities catalogued in the CVE database.[1]
A vulnerability is initiated when it is introduced into hardware or software. It becomes active and exploitable when the software or hardware containing the vulnerability is running. The vulnerability may be discovered by the administrator, vendor, or a third party. Publicly disclosing the vulnerability (through a patch or otherwise) is associated with an increased risk of compromise, as attackers can use this knowledge to target existing systems before patches are implemented. Vulnerabilities will eventually end when the system is either patched or removed from use.
Causes
Despite a system administrator's best efforts, virtually all hardware and software contain bugs. If a bug creates a security risk, it is called a vulnerability. Software patches are often released to fix identified vulnerabilities, but zero-days remain open to exploitation. Vulnerabilities vary in how readily malicious actors can exploit them, and the actual risk depends on the nature of the vulnerability as well as the value of the surrounding system. Although some vulnerabilities can only be used for denial of service attacks, more dangerous ones allow the attacker to perform code injection without the user's awareness. Only a minority of vulnerabilities allow for privilege escalation, which is typically necessary for more severe attacks. Without a vulnerability, an exploit typically cannot gain access.
It is also possible for malware to be installed directly, without an exploit, through social engineering or poor physical security such as an unlocked door or exposed port.
Design factors
Vulnerabilities can be worsened by poor design factors, such as:
- Complexity: Large, complex systems increase the possibility of flaws and unintended access points.[2]
- Familiarity: Using common, well-known code, software, operating systems, and/or hardware increases the probability that an attacker has or can find the knowledge and tools to exploit the flaw.[3] However, using well-known software, particularly free and open-source software, comes with the benefit of more frequent and reliable software patches for any discovered vulnerabilities.
- Connectivity: Any system connected to the internet can be accessed and compromised. Disconnecting systems from the internet can be extremely effective at preventing attacks, but it is not always feasible.
- Legacy software and hardware is at increased risk by nature. System administrators should consider upgrading from legacy systems, but this is often prohibitive in terms of cost and downtime.
Development factors
Some software development practices can affect the risk of vulnerabilities being introduced to a code base. Lack of knowledge about secure software development or excessive pressure to deliver features quickly can allow avoidable vulnerabilities to enter production code, especially if security is not prioritized by the company culture. The more complex the system is, the easier it is for vulnerabilities to go undetected. Some vulnerabilities are deliberately planted, for reasons ranging from a disgruntled employee selling access to cyber criminals to sophisticated state-sponsored schemes to introduce vulnerabilities into software.
Poor software development practices can affect the likelihood of introducing vulnerabilities to a code base. Lack of knowledge or training regarding secure software development, excessive pressure to deliver, or an excessively complex code base can all allow vulnerabilities to be introduced and left unnoticed. These factors can also be exacerbated if security is not prioritized by the company culture. Inadequate code reviews can also lead to missed bugs, but static code analysis tools can be used during the code review process to help find some vulnerabilities.
DevOps, a development workflow that emphasizes automated testing and deployment to speed up the delivery of new features, often requires that many developers be granted access to change configurations, which can lead to deliberate or inadvertent inclusion of vulnerabilities. Compartmentalizing dependencies, which is often part of DevOps workflows, can reduce the attack surface by paring down dependencies to only what is necessary. If software as a service is used, rather than the organization's own hardware and software, the organization is dependent on the cloud services provider to prevent vulnerabilities.
National Vulnerability Database classification
The National Vulnerability Database classifies vulnerabilities into eight root causes that may be overlapping, including:
- Input validation vulnerabilities exist when input checking is not sufficient to prevent the attacker from injecting malicious code. Buffer overflow exploits, buffer underflow exploits, and boundary condition exploits typically take advantage of this category.
- Access control vulnerabilities enable an attacker to access a system that is supposed to be restricted to them, or engage in privilege escalation.
- When the system fails to handle an exceptional or unanticipated condition correctly, an attacker can exploit the situation to gain access.
- Configuration vulnerabilities come into existence when configuration settings cause risks to system security, leading to such faults as unpatched software or file system permissions that do not sufficiently restrict access.
- A race condition, in which timing or other external factors change the outcome and lead to inconsistent or unpredictable results, can cause a vulnerability.
Vulnerabilities by component
Hardware
Deliberate security bugs can be introduced during or after manufacturing and cause the integrated circuit not to behave as expected under certain specific circumstances. Testing for security bugs in hardware is quite difficult due to limited time and the complexity of twenty-first century chips, while the globalization of design and manufacturing has increased the opportunity for these bugs to be introduced by malicious actors.
Operating system
Although operating system vulnerabilities vary depending on the operating system in use, a common problem is privilege escalation bugs that enable the attacker to gain more access than they should be allowed. Open-source operating systems such as Linux and Android have freely accessible source code and allow anyone to contribute, which could enable the introduction of vulnerabilities. However, the same vulnerabilities also occur in proprietary operating systems such as Microsoft Windows and Apple operating systems. All reputable vendors of operating systems provide patches regularly.
Client–server applications
Client–server applications are downloaded onto the end user's computers and are typically updated less frequently than web applications. Unlike web applications, they interact directly with a user's operating system. Common vulnerabilities in these applications include:
- Unencrypted data that is in permanent storage or sent over a network is relatively easy for attackers to steal.
- Process hijacking occurs when an attacker takes over an existing computer process.
Web applications
Web applications run on many websites. Because they are inherently less secure than other applications, they are a leading source of data breaches and other security incidents. They can include:
- Authentication and authorization failures enable attackers to access data that should be restricted to trusted users.[4]
Attacks used against vulnerabilities in web applications include:
- Cross-site scripting (XSS) enables attackers to inject and run JavaScript-based malware when input checking is insufficient to reject the injected code. XSS can be persistent, when attackers save the malware in a data field and it runs whenever the data is loaded; it can also be delivered through a malicious URL link (reflected XSS). Attackers can also insert malicious code into the Document Object Model (DOM-based XSS).
- SQL injection and similar attacks manipulate database queries to gain unauthorized access to data.
- Command injection is a form of code injection where the attacker places the malware in data fields or processes. The attacker might be able to take over the entire server.
- Cross-site request forgery (CSRF) is creating client requests that perform malicious actions, such as an attacker changing a user's credentials.
- Server-side request forgery is similar to CSRF, but the request is forged from the server side and often exploits the enhanced privilege of the server.
- Business logic vulnerability occurs when programmers do not consider unexpected cases arising in business logic.
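The two injection classes above share one root cause: untrusted input is mixed into a structured language (SQL or HTML) as text rather than kept as data. The following added example (not from the article or any project it cites) shows a vulnerable query and a vulnerable HTML template next to their hardened forms. The in-memory SQLite table, the user names and the `find_user_*` / `render_greeting_*` function names are all constructed for this illustration.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table standing in for an application's users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_unsafe(conn, name):
    # Vulnerable: the input is concatenated into the SQL text, so the input
    # can change the structure of the query instead of only its data.
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    # Hardened: a parameterized query passes the input to the driver
    # separately from the SQL, so it can only ever be compared as a value.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_unsafe(name):
    # Vulnerable: untrusted input is placed into HTML without encoding,
    # which is the pattern behind reflected and persistent XSS.
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    # Hardened: HTML-encode the input so that markup characters are shown
    # as text rather than interpreted by the browser.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    # A classic injection string turns the WHERE clause into a tautology.
    print(find_user_unsafe(db, "' OR '1'='1"))   # both rows leak
    print(find_user_safe(db, "' OR '1'='1"))     # no rows: treated as a name
    print(render_greeting_safe("<script>alert(1)</script>"))
```

The safe variants do not "detect" an attack at all; they remove the ambiguity between code and data, which is why parameterized queries and context-aware output encoding are preferred over input blacklists.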
Taxonomy
Security bugs generally fall into a fairly small number of broad categories that include:[5]
- Memory safety (e.g. buffer overflow and dangling pointer bugs)
- Race condition
- Secure input and output handling
- Faulty use of an API
- Improper use case handling
- Improper exception handling
- Resource leaks, often but not always due to improper exception handling
- Preprocessing input strings before they are checked for being acceptable
Management
There is little evidence about the effectiveness and cost-effectiveness of different cyberattack prevention measures. Although estimating the risk of an attack is not straightforward, the mean time to breach and expected cost can be considered to determine the priority for remediating or mitigating an identified vulnerability and whether it is cost effective to do so. Although attention to security can reduce the risk of attack, achieving perfect security for a complex system is impossible, and many security measures have unacceptable cost or usability downsides. For example, reducing the complexity and functionality of the system is effective at reducing the attack surface.
Successful vulnerability management usually involves a combination of remediation (closing a vulnerability), mitigation (increasing the difficulty, and reducing the consequences, of exploits), and accepting some residual risk. Often a defense in depth strategy is used to place multiple barriers in the way of an attack. Some organizations scan for only the highest-risk vulnerabilities, as this enables prioritization when resources are lacking to fix every vulnerability. Increasing expenses is likely to have diminishing returns.
Remediation
Remediation fixes vulnerabilities, for example by downloading a software patch. Vulnerability scanners are typically unable to detect zero-day vulnerabilities, but are more effective at finding known vulnerabilities based on a database. These systems can find some known vulnerabilities and advise fixes, such as a patch. However, they have limitations, including false positives.
Vulnerabilities can only be exploited when they are active, that is, when the software in which they are embedded is actively running on the system. Before the code containing the vulnerability is configured to run on the system, it is considered a carrier. Dormant vulnerabilities are in software that can run but is not currently running. Software containing dormant and carrier vulnerabilities can sometimes be uninstalled or disabled, removing the risk. Active vulnerabilities, if distinguished from the other types, can be prioritized for patching.
Vulnerability mitigation consists of measures that do not close the vulnerability, but make it more difficult to exploit or reduce the consequences of an attack. Reducing the attack surface, particularly for parts of the system with root (administrator) access, and closing off opportunities for exploits to engage in privilege escalation is a common strategy for reducing the harm that a cyberattack can cause. If a patch for third-party software is unavailable, it may be possible to temporarily disable the software.
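The database-driven scan described under remediation and the active/dormant/carrier distinction above fit together as one prioritization step. The added example below (written for this page, not taken from any scanner product) matches a constructed package inventory against a constructed advisory list by version, then ranks each finding by whether the affected software is running, merely enabled, or only installed. The advisory identifiers, package names, versions and the `backported` set are placeholders invented for the illustration; the `backported` set models the false-positive case where a distributor has patched a package without raising its version number.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifier, not a real CVE number
    package: str
    fixed_in: str      # first version that contains the fix


def parse_version(text):
    """Turn a dotted version string into a tuple so it compares numerically."""
    return tuple(int(part) for part in text.split("."))


# Constructed advisory database (stands in for a CVE/NVD feed).
ADVISORIES = [
    Advisory("ADV-0001", "libfoo", "2.4.1"),
    Advisory("ADV-0002", "barserver", "1.10.0"),
    Advisory("ADV-0003", "bazlib", "3.0.0"),
    Advisory("ADV-0004", "qux", "0.2.0"),
]

# Constructed host inventory: package -> installed version.
INVENTORY = {"libfoo": "2.3.9", "barserver": "1.10.2", "bazlib": "2.8.0", "qux": "0.1.0"}
ENABLED = {"libfoo", "bazlib"}   # configured to run (service enabled, library loaded at boot)
RUNNING = {"libfoo"}             # currently executing
# Known backported fixes: (package, advisory) pairs that a plain version
# comparison would wrongly report. This is the false-positive caveat.
BACKPORTED = {("qux", "ADV-0004")}


def scan(inventory, advisories, backported=frozenset()):
    """Return advisories whose package is installed below the fixed version."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.package)
        if installed is None:
            continue
        if (adv.package, adv.advisory_id) in backported:
            continue
        if parse_version(installed) < parse_version(adv.fixed_in):
            findings.append(adv)
    return findings


def lifecycle_state(package, enabled, running):
    """Classify per the article: active > dormant > carrier."""
    if package in running:
        return "active"
    if package in enabled:
        return "dormant"
    return "carrier"


def prioritize(findings, enabled, running):
    """Rank findings so that active vulnerabilities come first."""
    order = {"active": 0, "dormant": 1, "carrier": 2}
    ranked = [(lifecycle_state(f.package, enabled, running), f) for f in findings]
    ranked.sort(key=lambda pair: order[pair[0]])
    return ranked


if __name__ == "__main__":
    for state, adv in prioritize(scan(INVENTORY, ADVISORIES, BACKPORTED), ENABLED, RUNNING):
        print(f"{state:8} {adv.advisory_id} {adv.package} {INVENTORY[adv.package]} < {adv.fixed_in}")
```

Carrier and dormant findings are candidates for the "uninstall or disable" remediation the article mentions, while active ones go to the top of the patch queue; without the `backported` exclusion, `qux` would be reported even though its fix is present.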
Testing
A penetration test attempts to enter the system via an exploit to see if the system is insecure. If a penetration test fails, it does not necessarily mean that the system is secure. Some penetration tests can be conducted with automated software that tests against existing exploits for known vulnerabilities. Other penetration tests are conducted by trained hackers. Many companies prefer to contract out this work as it simulates an outsider attack.
Vulnerability lifecycle
The vulnerability lifecycle begins when vulnerabilities are introduced into hardware or software. Detection of vulnerabilities can be by the software vendor, or by a third party. In the latter case, it is considered most ethical to immediately disclose the vulnerability to the vendor so it can be fixed. Government or intelligence agencies buy vulnerabilities that have not been publicly disclosed and may use them in an attack, stockpile them, or notify the vendor. As of 2013, the Five Eyes (United States, United Kingdom, Canada, Australia, and New Zealand) captured the plurality of the market and other significant purchasers included Russia, India, Brazil, Malaysia, Singapore, North Korea, and Iran. Organized criminal groups also buy vulnerabilities, although they typically prefer exploit kits.
Even vulnerabilities that are publicly known or patched are often exploitable for an extended period. Security patches can take months to develop, or may never be developed. A patch can have negative effects on the functionality of software, and users may need to test the patch to confirm functionality and compatibility. Larger organizations may fail to identify and patch all dependencies, while smaller enterprises and personal users may not install patches. Research suggests that the risk of cyberattack increases if the vulnerability is made publicly known or a patch is released. Cybercriminals can reverse engineer the patch to find the underlying vulnerability and develop exploits, often faster than users install the patch.
Vulnerabilities become deprecated when the software or vulnerable versions fall out of use. This can take an extended period of time; in particular, industrial software may not be feasible to replace even if the manufacturer stops supporting it.
Assessment, disclosure, and inventory
Assessment
A commonly used scale for assessing the severity of vulnerabilities is the open-source specification Common Vulnerability Scoring System (CVSS). CVSS evaluates the possibility to exploit the vulnerability and compromise data confidentiality, availability, and integrity. It also considers how the vulnerability could be used and how complex an exploit would need to be. The amount of access needed for exploitation and whether it could take place without user interaction are also factored into the overall score.
Disclosure
Someone who discovers a vulnerability may disclose it immediately (full disclosure) or wait until a patch has been developed (responsible disclosure, or coordinated disclosure). The former approach is praised for its transparency, but the drawback is that the risk of attack is likely to be increased after disclosure with no patch available.[6] Some vendors pay bug bounties to those who report vulnerabilities to them. Not all companies respond positively to disclosures, as they can cause legal liability and operational overhead. There is no law requiring disclosure of vulnerabilities. If a vulnerability is discovered by a third party that does not disclose to the vendor or the public, it is called a zero-day vulnerability, often considered the most dangerous type because fewer defenses exist.
Vulnerability inventory
The most commonly used vulnerability dataset is Common Vulnerabilities and Exposures (CVE), maintained by Mitre Corporation. As of November 2024, it has over 240,000 entries.[1] This information is shared with other databases, including the United States' National Vulnerability Database, where each vulnerability is given a risk score using the Common Vulnerability Scoring System (CVSS), the Common Platform Enumeration (CPE) scheme, and the Common Weakness Enumeration. CVE and other databases typically do not track vulnerabilities in software as a service products. Submitting a CVE is voluntary for companies that discovered a vulnerability.
Liability
The software vendor is usually not legally liable for the cost if a vulnerability is used in an attack, which creates an incentive to make cheaper but less secure software. Some companies are covered by laws, such as PCI, HIPAA, and Sarbanes-Oxley, that place legal requirements on vulnerability management.