In my last post we discussed the most dangerous kind of vulnerabilities that we classify at McAfee Labs: remote code execution and denial of service. Today, we’ll talk about vulnerabilities that are not so dangerous, those we classify as Medium or Low Risk. These threats still require our attention because they can create a chain reaction in our metaphorical building, as we discussed last time. Let’s see why that’s the case.
These vulnerabilities are like a group of siblings, all very similar but with slight differences in context. We have the Privilege Escalation twins and their brother the Security Bypass.
- Privilege Escalation (PE): This vulnerability allows an attacker to take actions not usually permitted to a legitimate user. They are twins because there are two types: horizontal PE and vertical PE. A Horizontal PE allows an attacker to have the same privileges that another user of the same level has. The easiest example of this would be in a forum. An attacker can “jump” from one user account to another, read and modify information or posts, but always at the same level of privileges. In the context of our building, this vulnerability allows an attacker to have the freedom of movement of a legitimate inhabitant, sometimes impersonating one, sometimes without the need. A vertical PE, on the other hand, gives an attacker more privileges that its actual state enjoys. This happens, for example, when the attacker jumps from a local user to an administrator. Thus the attacker now has partial or total access to some restricted areas of the building, where he or she can change things.
- Security Bypass (SB): In the broadest sense, a security bypass is the same as a PE, meaning that the attacker can take actions not usually allowed. The difference is that in a good part of the cases, the bypass is valid for rooms that have contact with the exterior (the Internet). Nowadays, a lot of rooms are protected by a sandbox, which forms a cubicle around the room and its windows. The sandbox allows a secure communication with the environment because only permitted traffic goes through the sandbox to the rest of the room. When a program has a security bypass, the cubicle has imperfections that allow unsafe traffic to slip through.
Medium-risk vulnerabilities are not too dangerous by themselves. If the building is well protected, then someone’s operating with increased privileges is not the disaster it could be. The danger is that the PE and the SB can create a chain reaction: The attacker enters as a normal user or guest, overcomes security measures, and then installs or changes programs to cause a lot of damage. PE and SB are a more difficult way to enter our building than remote code execution, but it can happen.
- Information Disclosure (ID): This flaw allows an attacker to read information that is otherwise inaccessible. Think of this as a bulletin board in some part of the building, with ads and information for everyone to see. The kind of information on the board depends on the type of room it is in: It can be a memory dump, configuration files, directory structures, etc. ID is a low-risk vulnerability because attackers can only see, they can’t do anything to the building. If attackers want to use the information, they must exploit other vulnerabilities or find critical information such as a password file. However, ID must be reviewed case by case, as its risk level can be very volatile, depending on the vulnerable program, the information disclosed, and the network environment. An ID in a Certificate Authority, such as Comodo or DigiNotar, can be a disaster, as we have seen. The same danger applies to critical networks or machines that store highly valuable information. Even if ID might appear a lesser evil, never take it at face value.
Even though medium- and low-risk vulnerabilities are less dangerous than remote code execution or denials of service, they are still important. An experienced attacker sometimes doesn’t need more than one of these to cause damage, such as stealing intellectual property. And although these attacks leave a noticeable trail, the amount of information stored in the activity logs is so big that to find the suspicious trail would require a slow and detailed search, which we don’t usually do as a preventive measure. We tend to look closely only as a reaction to damage already done.
This finishes our two posts on vulnerabilities; I hope they were valuable for you. Next time: Attack vectors–how an attacker can enter the building.