- 1.6.1 Vendor Vulnerabilities
- 1.6.2 Memory Vulnerabilities
- 1.6.3 Race Condition Vulnerabilities
- 1.6.4 Configuration Vulnerabilities
1.6.1 Vendor Vulnerabilities
Every IT department relies on products and services provided by outside vendors (servers, network equipment, software, etc.).
Product End of Life
When a product reaches its end of life it introduces security concerns, because the vendor no longer provides patches or security updates for it.
End of Life Cycle
- End of sale: the product is no longer available for sale, but the vendor still supports existing customers.
- End of support: the vendor reduces or eliminates support for existing users of the product.
- End of life: the vendor no longer supports the product at all and will not release patches, even for critical security issues.
Such products are an added security risk because it can be difficult to fix the software when a security concern arises.
In 2019 a vulnerability in embedded systems made the headlines; it was known as Urgent/11. The vulnerability was in the IPNet network stack, a network standard in embedded systems, and it left millions of devices vulnerable to attack. The affected devices mainly ran real-time operating systems. It affected a long list of devices: medical equipment, manufacturing equipment, cars, firewalls, printers, and a lot more. For more information see: https://www.armis.com/urgent11/
1.6.2 Memory Vulnerabilities
Whether intentional or accidental, software may consume all of the memory in a system and effectively cripple it. Memory leaks are an example of this. When an application requests memory from the operating system, it will eventually no longer need that memory and should return it to the operating system. With a memory leak, the application fails to return the memory it has been given. If this repeats over time, it can eventually consume all of the memory. Rebooting the system alleviates the symptom but does not resolve the long-term problem.
Null Pointer Exception
A pointer is an area of memory that stores the address of another location in memory. A pointer that points to nothing holds a null value. If an application tries to use a null pointer, it causes a condition known as a null pointer exception. This may crash the application, giving an attacker access to debugging information that could be used for reconnaissance of the application's security; or worse, it may allow the attacker to bypass security controls.
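The two memory problems described above, as an added example that is not part of these notes: a hypothetical request handler whose per-request store is never released (a leak) beside a bounded version, and a lookup result used without a null check beside the guarded version. All names (`USERS`, `lookup_user`, `handle_request_*`, `user_name_*`) are made up for illustration.

```python
from collections import OrderedDict

# Constructed user table; user id 2 does not exist, so a lookup returns None.
USERS = {1: {"name": "alice"}, 3: {"name": "carol"}}

def lookup_user(user_id):
    """Return the user record, or None when there is no such user."""
    return USERS.get(user_id)

# Leaky store: an entry holding a buffer is added per request and never
# released, so memory use grows with every request the handler serves.
leaky_sessions = {}

def handle_request_leaky(request_id, user_id):
    leaky_sessions[request_id] = {"user": user_id, "buf": bytearray(1024)}
    return len(leaky_sessions)

# Bounded store: the oldest entry is evicted once the cap is reached, so the
# memory held stays constant no matter how many requests arrive.
MAX_SESSIONS = 100
bounded_sessions = OrderedDict()

def handle_request_bounded(request_id, user_id):
    bounded_sessions[request_id] = {"user": user_id, "buf": bytearray(1024)}
    while len(bounded_sessions) > MAX_SESSIONS:
        bounded_sessions.popitem(last=False)  # drop the oldest entry
    return len(bounded_sessions)

def run_requests(handler, count):
    """Push `count` requests through a handler; return the store size after."""
    size = 0
    for request_id in range(count):
        size = handler(request_id, user_id=1)
    return size

def user_name_unsafe(user_id):
    # No null check: an unknown id makes this raise TypeError on None, and the
    # traceback (file paths, line numbers, values) may reach the caller.
    return lookup_user(user_id)["name"]

def user_name_safe(user_id):
    """Check for None before use and return an explicit 'not found' instead."""
    user = lookup_user(user_id)
    if user is None:
        return None
    return user["name"]
```

After 250 requests the leaky store holds 250 entries while the bounded one holds 100; the unsafe lookup of user 2 raises, the safe one returns None.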
DLL Injections Attack
Windows relies on DLLs (Dynamic Link Libraries) to provide common code that applications can share. An application loads a DLL and then makes use of its contents. In a DLL injection attack, an attacker inserts a malicious DLL into an area of memory used by an application and then tricks the application into using that malicious DLL.
1.6.3 Race Condition Vulnerabilities
The following is from: https://www.veracode.com/security/race-condition
A Race Condition attack happens when a computing system that’s designed to handle tasks in a specific sequence is forced to perform two or more operations simultaneously. This technique takes advantage of a time gap between the moment a service is initiated and the moment a security control takes effect. This can lead to a system granting unauthorised privileges to an attacker.
Anatomy of a Race Condition Flaw
When a normal update to an application or database takes place — and names, numbers, or other data are changed to reflect the most current state of information — a cybercriminal could unleash a race condition attack. This is possible because the database isn’t completely rewritten during the update process. As the update takes place, a gap exists, one that can last less than a second or up to a few minutes, during which the system is unprotected. This allows attackers to gain unauthorized access. During this brief period, an attacker can send queries that compromise the system and result in a race condition attack.
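The check-then-act gap the quoted text describes, as an added example that is not from these notes or from Veracode: a withdrawal checks the balance, then debits it, and two concurrent withdrawals can both pass the check during the gap. Holding a lock across both steps closes the gap. `Account`, `withdraw_racy`, `withdraw_safe` and `run_concurrent` are hypothetical names; the sleep stands in for a database round trip.

```python
import threading
import time

class Account:
    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()

def withdraw_racy(account, amount):
    """The security check and the action it guards are two separate steps."""
    if account.balance >= amount:        # check
        time.sleep(0.1)                  # the gap: a DB round trip, I/O, ...
        account.balance -= amount        # act, on a balance that may be stale
        return True
    return False

def withdraw_safe(account, amount):
    """Same logic, but the lock makes check + act one atomic step."""
    with account.lock:
        if account.balance >= amount:
            time.sleep(0.1)
            account.balance -= amount
            return True
        return False

def run_concurrent(withdraw, balance, amount, attempts=2):
    """Start `attempts` withdrawals at once and return the final balance."""
    account = Account(balance)
    threads = [threading.Thread(target=withdraw, args=(account, amount))
               for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return account.balance

if __name__ == "__main__":
    # Two withdrawals of 80 from a balance of 100: the racy version lets both
    # pass the check and ends at -60; the safe version refuses the second.
    print("racy:", run_concurrent(withdraw_racy, 100, 80))
    print("safe:", run_concurrent(withdraw_safe, 100, 80))
```

Against a real database the equivalent fix is a transaction or a single conditional update (debit only where the stored balance is still sufficient), so the check and the act cannot be separated.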
1.6.4 Configuration Vulnerabilities
A few simple errors in a configuration can result in very significant vulnerabilities that an attacker can exploit.
One common mistake is putting equipment from manufacturers straight onto the network without changing any of the default settings. This is especially true of embedded systems, which can include things like:
- building control systems
- research equipment
The default configuration on these devices may contain things like:
- open firewalls
- Guest accounts
- Default passwords
IT staff should always verify the security of devices before connecting them to the network. IT staff should use documented security standards and configuration baselines to help them install systems in a secure manner.
Cryptographic protocols are a common source of misconfiguration because they are complex to manage. Some areas of concern could be:
- Weak cipher suites: Communication to and from the device may be subject to eavesdropping if weak cipher suites are in place.
- Poor Key Management: Ensure keys don’t fall into the wrong hands. If they do, that person can eavesdrop on communications, engage in false communications and create false digital signatures.
- Poor Certificate Management: Make sure certificates don’t get into the wrong hands or false certificates don’t get used.
- Account Management: Don’t give excess privileges to accounts; this prevents intentional or accidental security issues. Use the Principle of Least Privilege: give the user the minimum privileges needed to do their job function.
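A configuration baseline check covering the default settings listed above (guest accounts, default passwords, an open firewall) and the weak cipher suites from the list just given, as an added example that is not part of these notes. The key=value config format, the device settings, the default-password list and the weak-cipher markers are all constructed for illustration; real devices and baselines differ.

```python
# Constructed "out of the box" configuration, as a vendor might ship it.
DEVICE_CONFIG = """
admin_password=admin
guest_account=enabled
firewall=disabled
tls_ciphers=AES128-GCM-SHA256:RC4-SHA:DES-CBC3-SHA:NULL-MD5:ECDHE-RSA-AES256-GCM-SHA384
"""

# Factory defaults the baseline rejects (a small constructed sample).
DEFAULT_PASSWORDS = {"admin", "password", "1234", ""}

# Fragments of OpenSSL-style suite names that mean weak or no crypto.
WEAK_CIPHER_MARKERS = ("NULL", "RC4", "DES", "EXPORT", "MD5", "ANON")

def parse_config(text):
    """Parse key=value lines into a dict, skipping blanks and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def weak_ciphers(cipher_string):
    """Return the suites in a colon-separated cipher list that look weak."""
    return [c for c in cipher_string.split(":")
            if any(m in c.upper() for m in WEAK_CIPHER_MARKERS)]

def audit(cfg):
    """Compare a parsed config with the baseline; an empty list means it passes."""
    findings = []
    if cfg.get("admin_password", "") in DEFAULT_PASSWORDS:
        findings.append("default password on admin account")
    if cfg.get("guest_account") == "enabled":
        findings.append("guest account enabled")
    if cfg.get("firewall") != "enabled":
        findings.append("firewall not enabled")
    for suite in weak_ciphers(cfg.get("tls_ciphers", "")):
        findings.append(f"weak cipher suite: {suite}")
    return findings

def harden(cfg, new_password):
    """Return a copy of cfg that meets the baseline (weak suites removed)."""
    bad = set(weak_ciphers(cfg.get("tls_ciphers", "")))
    kept = [c for c in cfg.get("tls_ciphers", "").split(":") if c not in bad]
    return dict(cfg, admin_password=new_password, guest_account="disabled",
                firewall="enabled", tls_ciphers=":".join(kept))
```

Running `audit(parse_config(DEVICE_CONFIG))` on the constructed config yields six findings; the hardened copy yields none.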
Architecture vulnerabilities arise when a complex system is improperly designed.
IT architecture is a set of processes and practices used to design and build complex technical systems. IT architects are similar to traditional architects, but instead of putting together complex buildings, they put together different technologies in a way that meets business requirements. Security is one of the most important requirements and must be incorporated in the early days of the design, not bolted on afterwards. Security must cover not just the technical design but also the complex interweaving of business processes and people. For example, a system may carefully encrypt data, but then a business process has a user printing it and leaving the copy in an unsecured copy room.
System Life Cycle
Often new systems are added to the network when they are new and necessary, but they are not removed when they are no longer necessary. This can result in a serious security flaw, as they get forgotten about and are no longer managed, e.g. patches are not applied.