A Heartbleed By Any Other Name - Data Driven Vulnerability Management

A Heartbleed By Any Other Name Intro.


The Heartbleed vulnerability exposes a weakness in current vulnerability management practices - namely, they aren't driven by the data. Starting with the data, we identify 4 vulnerabilities which are arguably more important than Heartbleed.

Transcript of A Heartbleed By Any Other Name - Data Driven Vulnerability Management

Page 1: A Heartbleed By Any Other Name - Data Driven Vulnerability Management

A Heartbleed By Any Other Name

Intro.

Page 2: A Heartbleed By Any Other Name - Data Driven Vulnerability Management

As of this morning we have observed over 1000 breaches related to CVE-2014-0160, the Heartbleed vulnerability. More than enough has been said about the technical details of the vulnerability, and our own Ryan Huber covered the details a few days ago. I want to talk about the vulnerability management implications of Heartbleed, because they are both terrifying and telling.

Page 3: A Heartbleed By Any Other Name - Data Driven Vulnerability Management

CVSS v2 Base Score: 5.0

(MEDIUM) (AV:N/AC:L/AU:N/C:P/I:N/A:N)

The Common Vulnerability Scoring System ranks CVE-2014-0160 as a 5.0/10.0. A good observer will note that the National Vulnerability Database is not all that comfortable with ranking the vulnerability that broke the internet a 5/10. In fact, unlike any other vulnerability in the system we’ve seen, there is an “addendum” in red text:

Page 4: A Heartbleed By Any Other Name - Data Driven Vulnerability Management

“CVSS V2 scoring evaluates the impact of the vulnerability on the host where the vulnerability is located. When evaluating the impact of this vulnerability to your organization, take into account the nature of the data that is being protected and act according to your organization’s risk acceptance. While CVE-2014-0160 does not allow unrestricted access to memory on the targeted host, a successful exploit does leak information from memory locations which have the potential to contain particularly sensitive information, e.g., cryptographic keys and passwords. Theft of this information could enable other attacks on the information system, the impact of which would depend on the sensitivity of the data and functions of that system.”

So what does this mean for your organization? How should you prioritize the remediation of Heartbleed vs other vulnerabilities? NVD’s answer is “think about what can be stolen.” The problem here is that the CVSS environmental metric, which is used to account for an organization’s particular environment, can only reduce the score. So we’re still stuck at a 5. Why? CVSS is failing to take into account quite a few factors:

Page 5: A Heartbleed By Any Other Name - Data Driven Vulnerability Management

1. It’s a target of opportunity for attackers.

2. It’s being actively and successfully exploited on the Internet.

3. It’s easy to exploit.

1. It’s a target of opportunity for attackers: The number of sites affected by the vulnerability is unfathomable, with broad estimates between 30% and 70% of the Internet.

2. It’s being actively and successfully exploited on the Internet: We are logging about 20 breaches every few hours. The rate of incoming breaches is also increasing: on April 10th we were seeing 1-2 breaches an hour. Keep in mind this is just from the 30,000 businesses that we monitor - not 70% of the Internet.

3. It’s easy to exploit: A Metasploit module exists, and exploit code is published on ExploitDB.

Page 6: A Heartbleed By Any Other Name - Data Driven Vulnerability Management

[Chart: Heartbleed breach volume, from release to now]

We already knew Heartbleed was a big deal – this data isn’t changing anyone’s mind. The interesting bit is that Heartbleed is not the only vulnerability to follow such a pattern. Of all the breached vulnerabilities in our database, Heartbleed is the fifth most breached (that is, with the most instances recorded) among vulnerabilities with a CVSS score of 5 or less.

Page 7: A Heartbleed By Any Other Name - Data Driven Vulnerability Management

1. CVE-2001-0540 - Score: 5.0

2. CVE-2012-0152 - Score: 4.3

3. CVE-2006-0003 - Score: 5.1

4. CVE-2013-2423 - Score: 4.3
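To make the argument of the last few slides concrete, here is an added example (not the presenter's or Risk I/O's code) that does two things: it reproduces a CVSS v2 base score from a vector string using the weights and formula of the CVSS v2 specification, confirming that the Heartbleed vector shown earlier comes out at 5.0, and it re-ranks a list of vulnerabilities by observed exploitation first and CVSS only as a tie-breaker. The CVE ids and CVSS scores in the sample are the ones on the slides; the breach counts, the exploit-availability flags for the four non-Heartbleed CVEs, and the high-CVSS "EXAMPLE-HIGH-CVSS-UNEXPLOITED" entry are constructed placeholders, not the presenter's figures.

```python
"""Added example: CVSS v2 base-score calculation and data-driven re-ranking.

Breach counts and most exploit flags below are constructed illustrations;
only the CVE ids and CVSS scores come from the slides.
"""
from dataclasses import dataclass

# CVSS v2 base-metric weights, as given in the CVSS v2 specification.
_AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # Access Vector
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # Access Complexity
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # Confidentiality / Integrity / Availability impact


def parse_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:L/Au:N/C:P/I:N/A:N' into {'AV': 'N', ...}.
    Keys are matched case-insensitively (NVD prints 'Au', the slide prints 'AU')
    and surrounding parentheses are tolerated."""
    fields = {}
    for part in vector.strip("() ").split("/"):
        key, _, value = part.partition(":")
        fields[key.upper()] = value.upper()
    missing = {"AV", "AC", "AU", "C", "I", "A"} - fields.keys()
    if missing:
        raise ValueError(f"vector is missing metrics: {sorted(missing)}")
    return fields


def cvss2_base_score(vector: str) -> float:
    """CVSS v2 base score per the specification:
         Impact         = 10.41 * (1 - (1-C)(1-I)(1-A))
         Exploitability = 20 * AV * AC * Au
         Base           = (0.6*Impact + 0.4*Exploitability - 1.5) * f(Impact)
       with f(Impact) = 0 if Impact == 0 else 1.176, rounded to one decimal."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]]))
    exploitability = 20 * _AV[m["AV"]] * _AC[m["AC"]] * _AU[m["AU"]]
    f_impact = 0.0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    # Round half-up to one decimal; the epsilon stops Python's banker's
    # rounding from pulling an exact x.x5 downwards.
    return round(raw + 1e-9, 1)


@dataclass
class Observed:
    cve: str
    cvss: float            # CVSS v2 base score
    breaches: int          # successful-exploitation instances seen in our own telemetry
    public_exploit: bool   # a public exploit (e.g. Metasploit / ExploitDB) exists


def by_cvss_only(vulns: list) -> list:
    """The conventional ordering: highest CVSS base score first."""
    return [v.cve for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


def prioritize(vulns: list) -> list:
    """The ordering the talk argues for: observed exploitation first, then
    whether a public exploit exists, and CVSS only as a tie-breaker."""
    key = lambda v: (v.breaches, v.public_exploit, v.cvss)
    return [v.cve for v in sorted(vulns, key=key, reverse=True)]


# Constructed sample. Breach counts are illustrative only (the slides give a
# ranking, not counts); the exploit flags for the four non-Heartbleed CVEs are
# assumptions; the last entry is a placeholder, not a real CVE.
SAMPLE = [
    Observed("CVE-2001-0540", 5.0, breaches=3200, public_exploit=True),
    Observed("CVE-2012-0152", 4.3, breaches=2900, public_exploit=True),
    Observed("CVE-2006-0003", 5.1, breaches=2100, public_exploit=True),
    Observed("CVE-2013-2423", 4.3, breaches=1800, public_exploit=True),
    Observed("CVE-2014-0160", 5.0, breaches=1000, public_exploit=True),
    Observed("EXAMPLE-HIGH-CVSS-UNEXPLOITED", 9.3, breaches=0, public_exploit=False),
]

if __name__ == "__main__":
    print("Heartbleed base score:", cvss2_base_score("AV:N/AC:L/AU:N/C:P/I:N/A:N"))
    print("CVSS-only order:      ", by_cvss_only(SAMPLE))
    print("Data-driven order:    ", prioritize(SAMPLE))
```

Run stand-alone, the CVSS-only ordering puts the unexploited 9.3 placeholder at the top and Heartbleed near the bottom, while the data-driven ordering reproduces the slide's ranking with the placeholder last. The tuple sort key is deliberate: a vulnerability with any observed exploitation outranks one with none regardless of score, which is exactly the property the CVSS base score lacks.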

Page 8: A Heartbleed By Any Other Name - Data Driven Vulnerability Management

[Charts: breach volume over time for CVE-2001-0540 and CVE-2013-2423]

Page 9: A Heartbleed By Any Other Name - Data Driven Vulnerability Management

CVE-2001-0540 - Windows 2000

CVE-2006-0003 - ActiveX

CVE-2012-0152 - Windows 7

CVE-2013-2423 - Java Runtime

CVE-2014-0160 - Heartbleed

Page 10: A Heartbleed By Any Other Name - Data Driven Vulnerability Management

Thank you! www.risk.io