Ben Nagy
2004-05-21 08:05:46 UTC
Hm. Playing catch up, and ran across this.
exploits for lsass within 24 hours (cf Dave Aitel's CANVAS announcement on
full disclosure). Given how trivial it was to exploit I have no doubt that
the underground had them around the same time. There was a widely publicised
exploit for the RPC-DCOM stack overflow after 9 days. IIS SSL PCT - 8 days.
Last year Workstation and Windows Messenger were around the same, but I
can't be bothered doing the research for exact numbers. Remember that these
are only the public exploits.
Let me expand a little on this part first.
There are a bunch of different vulnerability "classes". The simplest - a
"stack based buffer overflow" is both very well understood, easy to exploit,
and reliable. All of the major worms I can recall off the top of my head
have been of this kind. We tend to see exploits for these really fast.
More common recently are more complex vulnerabilities like the recent heap
corruption bugs in various services, where it is downright HARD to either
trace back the fault or to "seed" the heap to get even vaguely reliable
exploitation. These are often not exploited in public at all, and the more
you know about the exploitation process the less surprising this becomes.
If you want an oversimplified yardstick - any vulnerability which is a
stack-based overflow that yields remote SYSTEM should be addressed yesterday
- there is less than 24 hours of safe time. This does not mean that you
shouldn't patch _all_ vulnerabilities which are rated by the vendor as
critical.
One trend I have heard of is security staff second guessing vulnerability
advisories or vendor severity ratings - "Oh that's not exploitable". In
general - don't do that. Even low-level memory management and architecture
courses do nothing to prepare you for assessing real-world exploitability.
This is partly because attack is easier than defence (and easier than
understanding the theory) - an attacker doesn't care _why_ EIP is
0x41414141. :)
Another trend is "people" (also known as "they") claiming disingenuously
that a vulnerability is not exploitable in order to taunt the vendor or
whoever issued the advisory into giving more details. These "not
exploitable" arguments can then be picked up by impressionable people, and
taken as fact. Don't fall for it.
OK, so here's my point. Assessing vulnerability exploitability is not some
kind of "Oh yeah, sez who?" challenge. It is almost certain that the person
telling you a vulnerability is critical has spent a lot more time looking at
it then whoever is second-guessing the advisory. It is _strongly_ advisable,
IMO, to err on the side of caution. I can think of three examples offhand
where "they" cried "not real-world exploitable" and were completely wrong
(ASN.1, BGP TCP RST, OpenSSH) and none, offhand, of the reverse case.
Yes, I am completely aware that patching costs money, and remediation needs
to be prioritised. Maybe vendors and researchers should do something more
formal about also providing ease / reliability of exploitation data along
with vulnerability information, but then everyone would think they were
bragging and ignore it anyway.
I'm going to go ahead and cut this short before it turns into a rant.
Cheers,
ben
-----Original Message-----
Of Ahmed, Balal
[...]Of Ahmed, Balal
Microsoft targeted Exploits usually arrive on the scene 3 - 8
weeks after a vulnerability has been announced, this TCP RST
advisory cannot be looked at in the same light though as it
is cross platform/vendor.
Oh it's way worse than that. The "full disclosure for $$$" crowd had workingweeks after a vulnerability has been announced, this TCP RST
advisory cannot be looked at in the same light though as it
is cross platform/vendor.
exploits for lsass within 24 hours (cf Dave Aitel's CANVAS announcement on
full disclosure). Given how trivial it was to exploit I have no doubt that
the underground had them around the same time. There was a widely publicised
exploit for the RPC-DCOM stack overflow after 9 days. IIS SSL PCT - 8 days.
Last year Workstation and Windows Messenger were around the same, but I
can't be bothered doing the research for exact numbers. Remember that these
are only the public exploits.
Let me expand a little on this part first.
There are a bunch of different vulnerability "classes". The simplest - a
"stack based buffer overflow" is both very well understood, easy to exploit,
and reliable. All of the major worms I can recall off the top of my head
have been of this kind. We tend to see exploits for these really fast.
More common recently are more complex vulnerabilities like the recent heap
corruption bugs in various services, where it is downright HARD to either
trace back the fault or to "seed" the heap to get even vaguely reliable
exploitation. These are often not exploited in public at all, and the more
you know about the exploitation process the less surprising this becomes.
If you want an oversimplified yardstick - any vulnerability which is a
stack-based overflow that yields remote SYSTEM should be addressed yesterday
- there is less than 24 hours of safe time. This does not mean that you
shouldn't patch _all_ vulnerabilities which are rated by the vendor as
critical.
As stated elsewhere in this thread the largest threat vector
will be feeds from the Internet. Given that sasser exploited
a known vulnerability for which a patch was available, no
patch release from any vendor should be dismissed without due
process and risk analysis with buy in from security officers
and management. Its very easy to dismiss a vulnerability
without assessing the full impact until it is exploited by
which time its too late.
I completely agree here.will be feeds from the Internet. Given that sasser exploited
a known vulnerability for which a patch was available, no
patch release from any vendor should be dismissed without due
process and risk analysis with buy in from security officers
and management. Its very easy to dismiss a vulnerability
without assessing the full impact until it is exploited by
which time its too late.
One trend I have heard of is security staff second guessing vulnerability
advisories or vendor severity ratings - "Oh that's not exploitable". In
general - don't do that. Even low-level memory management and architecture
courses do nothing to prepare you for assessing real-world exploitability.
This is partly because attack is easier than defence (and easier than
understanding the theory) - an attacker doesn't care _why_ EIP is
0x41414141. :)
Another trend is "people" (also known as "they") claiming disingenuously
that a vulnerability is not exploitable in order to taunt the vendor or
whoever issued the advisory into giving more details. These "not
exploitable" arguments can then be picked up by impressionable people, and
taken as fact. Don't fall for it.
-----Original Message-----
Of Josh Welch
Sent: 05 May 2004 16:24
Subject: RE: [fw-wiz] BGP TCP RST Attacks (was:CIsco PIX
vulnerable to TCP RST DOS attacks)
<snip>
(Josh Welch)Of Josh Welch
Sent: 05 May 2004 16:24
Subject: RE: [fw-wiz] BGP TCP RST Attacks (was:CIsco PIX
vulnerable to TCP RST DOS attacks)
<snip>
I still believe that the #1 impact of this vulnerability,
as seen inan Internet-wide perspective, is killing BGP sessions in
core routers.[...]The advisories I have seen have made this same statement.
However, according to another list I read there are a number
of network operators who feel this is not a real threat. A
number of them hold that it would be excessively challenging
to be able to match up the source-ip:source-port and
dest-ip:dest-port and effectively reset a BGP session without
generating a large volume of traffic, which should be noticed
in and of itself.
The advisories are right. Those network operators are wrong. Surprise!However, according to another list I read there are a number
of network operators who feel this is not a real threat. A
number of them hold that it would be excessively challenging
to be able to match up the source-ip:source-port and
dest-ip:dest-port and effectively reset a BGP session without
generating a large volume of traffic, which should be noticed
in and of itself.
OK, so here's my point. Assessing vulnerability exploitability is not some
kind of "Oh yeah, sez who?" challenge. It is almost certain that the person
telling you a vulnerability is critical has spent a lot more time looking at
it then whoever is second-guessing the advisory. It is _strongly_ advisable,
IMO, to err on the side of caution. I can think of three examples offhand
where "they" cried "not real-world exploitable" and were completely wrong
(ASN.1, BGP TCP RST, OpenSSH) and none, offhand, of the reverse case.
Yes, I am completely aware that patching costs money, and remediation needs
to be prioritised. Maybe vendors and researchers should do something more
formal about also providing ease / reliability of exploitation data along
with vulnerability information, but then everyone would think they were
bragging and ignore it anyway.
I'm going to go ahead and cut this short before it turns into a rant.
Cheers,
ben