A9 – Using Known Vulnerable Components ITEC 6873 By Derrick Hunter
Page 1: Owasp A9 USING KNOWN VULNERABLE COMPONENTS   IT 6873 presentation

A9 – Using Known Vulnerable Components

ITEC 6873, by Derrick Hunter


A9 – USING KNOWN VULNERABLE COMPONENTS: Agenda

• Threat Agents

• Attack Vectors

• Security Weaknesses

• Technical Impacts

• Importance

• How to prevent

• Discussion questions


A9 – USING KNOWN VULNERABLE COMPONENTS

Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.


Threat Agents

Some vulnerable components can be identified and exploited with automated tools, expanding the threat agent pool beyond targeted attackers to include chaotic actors.

Anyone who can send untrusted data to the system.


ATTACK VECTORS

AVERAGE EXPLOITABILITY


SECURITY WEAKNESS

WIDESPREAD

DIFFICULT DETECTABILITY


TECHNICAL IMPACTS

MODERATE

POSSIBLE WEAKNESSES

INJECTION

BROKEN ACCESS CONTROL

CROSS-SITE SCRIPTING


EXAMPLE

• Apache CXF Authentication Bypass – By failing to provide an identity token, attackers could invoke any web service with full permission.

• Spring Remote Code Execution – Abuse of the Expression Language implementation in Spring allowed attackers to execute arbitrary code, effectively taking over the server.


WHY IS THIS SO IMPORTANT?

• Open source applications allow coders to quickly create new and innovative software, but the lack of visibility into component vulnerabilities and associated fixes means that vulnerable components may stay in use long after the threat has been identified.


SOFTWARE THAT HAS A HISTORY OF KNOWN VULNERABILITIES

STRUTS2

Open source web application framework was downloaded 80,000 times even after 30+ public vulnerability announcements.


SOFTWARE THAT HAS A HISTORY OF KNOWN VULNERABILITIES

HTTP CLIENT

Component with broken SSL validation was downloaded 66,000 times one year after a critical security alert was issued.


SOFTWARE THAT HAS A HISTORY OF KNOWN VULNERABILITIES

BOUNCY CASTLE

In 2013 this cryptography API with a Level 10 critical vulnerability was downloaded 20,000 times, despite warnings given five years earlier.


HOW TO PREVENT

• Make sure you are using the current application versions.

• Monitor the security of components in databases, project mailing lists, and security mailing lists, and keep them up to date.

• Establish security policies governing component use, such as requiring certain software development practices, passing security tests, and acceptable licenses.

• Consider adding security wrappers around components to disable unused functionality and secure weak or vulnerable aspects of the component.
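The first two prevention steps above come down to comparing the components a project actually ships against a vulnerability database. As an added example (not part of this presentation and not code from OWASP Dependency Check), the Python script below parses a Maven pom.xml and flags any dependency whose version falls inside an advisory's affected range; the pom, the org.example coordinates, the version numbers and the ADV-EXAMPLE ids are all constructed for illustration.

```python
"""Minimal dependency audit in the spirit of OWASP Dependency Check (added example).
The advisory feed and pom.xml are constructed; real data comes from a vuln database."""
import xml.etree.ElementTree as ET

# Constructed advisories: (group:artifact, first affected, first fixed, advisory id).
ADVISORIES = [
    ("org.example:web-framework", "2.0.0", "2.3.16", "ADV-EXAMPLE-1"),
    ("org.example:http-client", "4.0", "4.2.3", "ADV-EXAMPLE-2"),
]
# Constructed manifest: one dependency still vulnerable, one already patched.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>org.example</groupId><artifactId>web-framework</artifactId>
    <version>2.3.15</version></dependency>
  <dependency><groupId>org.example</groupId><artifactId>http-client</artifactId>
    <version>4.2.3</version></dependency>
</dependencies></project>"""
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def parse_version(text):
    """'2.3.15' -> (2, 3, 15); tuples compare element-wise, so '4.2' < '4.2.3'."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))

def parse_dependencies(pom_text):
    """Return [(group:artifact, version)] for every <dependency> in a pom.xml."""
    deps = []
    for dep in ET.fromstring(pom_text).findall(".//m:dependency", NS):
        group = dep.findtext("m:groupId", namespaces=NS)
        artifact = dep.findtext("m:artifactId", namespaces=NS)
        version = dep.findtext("m:version", namespaces=NS)
        if group and artifact and version:
            deps.append((f"{group}:{artifact}", version))
    return deps

def audit(deps, advisories=ADVISORIES):
    """Flag each dependency whose version lies in [first affected, first fixed)."""
    findings = []
    for coord, version in deps:
        for adv_coord, first_bad, first_fixed, adv_id in advisories:
            if coord != adv_coord:
                continue
            if parse_version(first_bad) <= parse_version(version) < parse_version(first_fixed):
                findings.append((coord, version, adv_id))
    return findings

if __name__ == "__main__":
    for coord, version, adv_id in audit(parse_dependencies(POM_XML)):
        print(f"VULNERABLE {coord}@{version}: see {adv_id}")
```

Running it on the constructed pom reports only web-framework 2.3.15, since http-client 4.2.3 is the first fixed version and therefore outside the affected range.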


References

OWASP

• OWASP Dependency Check (for Java libraries)

• OWASP SafeNuGet (for .NET libraries through NuGet)

• Good Component Practices Project

• Keyhole Software. (November 18, 2013). Top 10 Web Application Security Risks From OWASP. In Java Code Geeks. Retrieved October 29, 2014, from http://www.javacodegeeks.com/2013/11/top-10-web-application-security-risks-from-owasp.html.

• Sonatype.org. (2008-2014). OWASP Top Ten: Improving online software security. In Sonatype. Retrieved October 29, 2014, from http://www.sonatype.com/spotlight/owasp-top-ten.


QUESTIONS?

• Give an example of a company using a known vulnerable component in the news.

• How have some companies decided to deal with this issue?

• What would you add to the list of how to prevent this issue?