Vulnerability Assessment

Overview

The goal of today is to practice the art of assessing the severity of a given vulnerability. Today, you will be going through several past vulnerabilities in major software products. You will need to answer two types of questions: one from the Common Vulnerability Scoring System (CVSS), and some other questions that can help developers identify vulnerabilities in the future.

In today's discussion, we will be covering a number of recent vulnerabilities in real products. As with everything in real life, these are messy and don't always fit into the logical buckets we have made. Thus, the assessment of each vulnerability is ultimately subjective. But, fortunately we can mitigate that subjectivity with multiple perspectives and lively discussion.

Setup

This activity is for 4-6 people, all at one table.

1. Go to this GoogleDoc spreadsheet template, and make a copy of your own called "Vulnerability Assessment". Share it with your instructor.
2. For each person, give them a set of cards and a writing utensil. They will need to make their own cards for a voting-driven discussion, as in Planning Poker.

Activity

1. As a group, review the following questions from the CVSS, and make sure everyone understands it:
   • Access Vector: was this vulnerability exploitable from local only, an adjacent network, or the full network?
2. Prepare the group for a Planning Poker-style discussion. Each team member will need cards for their votes on the questions (see the next step). No peeking at each other's votes ahead of time, but feel free to discuss the vulnerability prior to voting for any clarifications.
3. For each one of the given vulnerabilities below, answer only the Access Vector question. Record your conclusion in the spreadsheet (be sure to use the given dropdowns for the answers).
   • CVE-2011-3267 (null pointer dereference in PHP). See the Red Hat bugzilla, the CVE description, and the upstream patch.
   • Chromium vulnerability. See the Chromium bug and its corresponding upstream fix
   • CVE-2011-3376 in Apache Tomcat. See the Tomcat description of the vulnerability, the CVE entry, and the upstream patch
   • CVE-2012-1090 in the Linux Kernel. See the Red Hat Bugzilla entry, along with the upstream patch
4. As a group, review the following questions from the CVSS, and the two new questions:
   • Access Complexity: did this require a high, medium, or low amount of expertise and special configuration to access this vulnerability? See the CVSS description on first.org for more clarification
   • Confidentiality Impact: was it none, partial or full?
   • Integrity Impact: was it none, partial or full?
   • Availability Impact: was it none, partial or full?
   • Was this vulnerability domain-specific? A domain-specific vulnerability is one that does not make any sense outside of the context of its domain. Think of it in terms of who could recognize it: any vulnerability that requires significant knowledge of the domain to recognize is domain-specific. Non-domain-specific vulnerabilities include commonly-understood ones, like XSS, SQL injection, buffer overflow, path traversal, and the like. Here are some examples:
     • Domain-specific: An operating system kernel messes up its memory management algorithm such that it's predictable and somehow causes a DoS. A non-expert in developing operating systems would not be able to recognize that.
     • Not domain-specific: Memory leaks, because they are common coding mistakes
     • Domain-specific: Forgetting to set certain permissions to a feature, because the domain dictates how those permissions ought to be set.
   • Did the fix for this vulnerability primarily involve new code or changing code? That is, in a code inspection, would the team need to be looking for a piece of code that was missing, or written wrong? New code includes things like new functions, data structures, branches, conditions, and if-statements.
5. Now, once you've answered the Access Vector question for all of the vulnerabilities, go back and answer the rest of the questions as a group. This time, try to answer all of the questions for one vulnerability at a time. Keep that discussion moving - you've now got over twenty decisions to make!
6. Finished a little early? Take a look at these:
   • CVE-2012-3507. A problem with HTTPD with error handling. See the CVE-2012-3507 , the bug report and the fix.
   • CVE-2008-5519. A problem with HTTPD with disclosing prior HTTP responses. See the CVE, the bug, and the fix.

Submission & Grading

This activity is worth 10 points, and your grade is based on in-class participation. Nothing is due beyond class today, as long as you are participating and are reasonably close to completion. Your instructor will check your GoogleDoc before the end of class.