Understanding Vulnerabilities
Before going any further, let’s make sure we’re all on the same page when it comes to the definition of a vulnerability. They are sometimes confused with exploits, and when we start talking about risk and threats, these terms can get really muddled. A vulnerability is a weakness in a system or piece of software. This weakness is a flaw in the configuration or development of the system or software. If that vulnerability can be taken advantage of to gain access or impair the system, it is exploitable. The process to take advantage of that weakness is the exploit. A threat is the possibility of harm to a system or of having it become unavailable. Risk is the intersection of loss and probability, meaning you have to have loss or damage that is measurable and a probability that the loss or damage becomes actualized.
This is all fairly abstract, so let’s talk about this in concrete terms. Say someone leaves default usernames and passwords configured on a system. This creates a vulnerability because the password could be guessed. The process of guessing the password is the exploit of that vulnerability. This is an example of a vulnerability that comes from a misconfiguration. The vulnerabilities that are more regularly recognized are programmatic in nature and often come from poor input validation.
If you’re interested in vulnerabilities and keeping track of the work that goes into discovering them, you can subscribe to mailing lists like Bugtraq. You can get details about vulnerabilities that have been found, sometimes including the proof-of-concept code that can be used to exploit the discovered vulnerability. With so much software out in the world, including web applications, a lot of vulnerabilities are being found daily. Some are more trivial than others, of course.
We’re going to take a look at a couple of types of vulnerabilities. The first are local vulnerabilities. These are ones that can be triggered only if you are logged into the system with local access. It doesn’t mean that you are sitting at the console—just that you have some interactive access to the system. This may include something like a privilege escalation vulnerability: a user with regular permissions gains higher-level privileges up to administrative rights. Using something like this, users may gain access to resources they shouldn’t otherwise have access to.
The other type of vulnerability is a remote vulnerability. This is a vulnerability that can be triggered without local access. This does, though, require that a service be exposed that an attacker can get to. Remote vulnerabilities may be authenticated or unauthenticated. If an unauthenticated user can exploit a vulnerability to get local access to the system, that would be a bad thing. Not all remote vulnerabilities lead to local or interactive access to a system. Vulnerabilities can lead to denial of service, data compromise, integrity compromise, or possibly complete, interactive access to the system.
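As an added illustration of the default-credential misconfiguration described earlier and of the local versus remote distinction above, here is a small defender-side audit in Python. It is not part of the original text; the sample inventory, the list of default credential pairs, and the function names are constructed for this example. It flags accounts that still use a known default pair and classifies each finding as remotely reachable when the service listens on a non-loopback address, or local when it only listens on loopback.

```python
import ipaddress

# Constructed list of well-known default credential pairs (illustrative, not exhaustive).
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "toor"),
    ("guest", "guest"),
}

# Constructed sample inventory: service name, account, its current password,
# and the address the service listens on.
SAMPLE_INVENTORY = [
    {"service": "router-web", "user": "admin", "password": "admin", "bind": "0.0.0.0"},
    {"service": "local-db", "user": "root", "password": "toor", "bind": "127.0.0.1"},
    {"service": "ssh", "user": "ops", "password": "Xk9!vQ2#rT", "bind": "0.0.0.0"},
    {"service": "ftp", "user": "guest", "password": "guest", "bind": "::1"},
]


def reach(bind):
    """Classify where the weakness can be triggered from.

    A service bound only to a loopback address can be reached only by someone
    who already has interactive access (a local vulnerability); anything else
    is reachable over the network (a remote vulnerability).
    """
    addr = ipaddress.ip_address(bind)
    return "local" if addr.is_loopback else "remote"


def audit_default_credentials(inventory, defaults=KNOWN_DEFAULTS):
    """Return one finding per account still configured with a known default pair."""
    findings = []
    for entry in inventory:
        if (entry["user"], entry["password"]) in defaults:
            findings.append({
                "service": entry["service"],
                "user": entry["user"],
                "reach": reach(entry["bind"]),
            })
    # Remotely reachable findings are the more urgent ones, so list them first.
    findings.sort(key=lambda f: 0 if f["reach"] == "remote" else 1)
    return findings


if __name__ == "__main__":
    for finding in audit_default_credentials(SAMPLE_INVENTORY):
        print(f"{finding['service']}: account '{finding['user']}' uses a default "
              f"password ({finding['reach']} vulnerability)")
```

The reach classification is deliberately simple: a listener on a non-loopback address may still be shielded by a host firewall or network segmentation, so treat "remote" as "potentially exposed" until you have confirmed the service is actually reachable from the network in question.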