Fundamentals

Vulnerabilities

Easy
20 min

What is a vulnerability?

The term "vulnerability" in the context of cybersecurity refers to a weakness or flaw in a data system, software, or hardware that allows an attacker to gain access to the system or manipulate it in an unintended way. This can lead to data leakage, unauthorized acquisition of system privileges, or other unwanted activities.

Vulnerabilities can result from various factors, such as programming errors, design errors, incorrect configuration, or inadequate security measures.

Zero-day, N-day, and known vulnerabilities

Zero-day vulnerability (0-day)

A zero-day vulnerability refers to a vulnerability that is unknown to software vendors or for which there is no fix yet available. The term "zero days" refers to the fact that software developers have had zero days to react to the vulnerability after its discovery. Zero-day vulnerabilities are particularly dangerous because there are no available remedies or updates against them, and they can remain unknown for long periods of time. Attackers can exploit these vulnerabilities to create malware or launch attacks that are effective precisely because there are no defenses against them yet.

Cybersecurity researchers, ethical hackers, government entities, and even criminals are all constantly working to find these vulnerabilities in software and systems.

When vulnerabilities are discovered, they can be reported in many different ways. They can be reported directly to the software developer, sold to third-party programs such as the Zero Day Initiative (ZDI), or, less ethically, sold on the black market.

Some state actors use zero-day vulnerabilities for intelligence purposes or cyber warfare. They can exploit these vulnerabilities to gather information or carry out operations.


N-day Vulnerability

This term, on the other hand, refers to a vulnerability that is already known and may already have a fix, but has not yet been fixed in all systems. "N days" means that a certain number of days have passed since the vulnerability became widely known. N-day vulnerabilities are still a risk, especially if systems have not been updated in a timely manner. Attackers can still exploit these vulnerabilities, particularly in systems that have not received the necessary updates or fixes.

Known vulnerabilities

These are vulnerabilities that are commonly known in the field of cybersecurity and for which public remedies or updates already exist. They have been known for a sufficient period of time for manufacturers to have released fixes, and information about them has spread widely within the cybersecurity community.

  • For example: Vulnerabilities that are listed in databases such as the National Vulnerability Database (NVD) or Common Vulnerabilities and Exposures (CVE) are known vulnerabilities.
  • The risk of these vulnerabilities depends on how quickly organizations respond and apply available patches. Even if a patch exists, systems can remain vulnerable if they are not regularly updated.

Typical examples of vulnerabilities

Injection Vulnerabilities

Injection generally refers to a vulnerability in which an attacker sends input to an application that disrupts or alters the structure of a query the application constructs. Examples include SQL injection, where an attacker manipulates a database query executed by the application, and cross-site scripting (XSS), where an attacker manipulates the structure of the HTML response returned by a web application. The basic precondition for an injection vulnerability is typically that the application uses input received from the user in some form without properly validating or sanitizing it.

Access control vulnerabilities

Access control vulnerabilities are also called broken access control. Simply put, if a user is able to reach functions or see information that they should not be able to, the cause is inadequate access control, in other words an access control vulnerability.

Concrete access control vulnerabilities include, for example, IDOR (Insecure Direct Object Reference) vulnerabilities, where a user-controlled identifier is used directly to look up a resource. It is an IDOR vulnerability if a user can manipulate a resource that does not belong to them simply by modifying the identifier.

Access control is also discussed in terms of horizontal and vertical restrictions: a horizontal restriction prevents access to, for example, another user's information within the same user category, while a vertical restriction separates privilege levels, such as a regular user from an administrator (Regular User vs. Administrator).
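As an added example (not from the course material), the snippet below shows an IDOR and the two kinds of restriction on one small invoice store. `get_invoice_vulnerable` uses the identifier from the request directly; `can_read_invoice` and `get_invoice_safe` add the horizontal check (you may read only your own invoices) and `list_all_invoices` the vertical check (administrator role required). The `User` class, the `INVOICES` data and all function names are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin"


class Forbidden(Exception):
    """Raised when the caller may not access the requested resource or function."""


# Constructed sample data: invoices keyed by their public id, each owned by one user.
INVOICES = {
    101: {"owner_id": 1, "amount": "49.00 EUR"},
    102: {"owner_id": 2, "amount": "120.00 EUR"},
}


def get_invoice_vulnerable(invoice_id: int) -> dict:
    """IDOR: the identifier from the request is used directly, with no ownership check,
    so any logged-in user who changes the id in the URL gets someone else's invoice."""
    return INVOICES[invoice_id]


def can_read_invoice(current_user: User, invoice_id: int) -> bool:
    """Horizontal restriction: a regular user may read only invoices they own.
    Administrators (one vertical level up) may read any invoice."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return False
    return invoice["owner_id"] == current_user.user_id or current_user.role == "admin"


def get_invoice_safe(current_user: User, invoice_id: int) -> dict:
    """The same lookup with the authorization decision made server-side on every request.
    A missing invoice and someone else's invoice get the same answer, so the id space
    cannot be probed to learn which ids exist."""
    if not can_read_invoice(current_user, invoice_id):
        raise Forbidden("invoice not accessible")
    return INVOICES[invoice_id]


def list_all_invoices(current_user: User) -> list:
    """Vertical restriction: an administrator-only function checks the role,
    not merely whether the caller is logged in."""
    if current_user.role != "admin":
        raise Forbidden("administrator role required")
    return sorted(INVOICES)


if __name__ == "__main__":
    alice = User(user_id=1, role="user")
    admin = User(user_id=99, role="admin")
    print(get_invoice_safe(alice, 101))   # alice's own invoice
    print(can_read_invoice(alice, 102))   # False: belongs to user 2
    print(list_all_invoices(admin))       # [101, 102]
```

The decision is made from the server's own record of who owns what and who holds which role; nothing the client sends (the id, a hidden form field, a cookie flag) is trusted as proof of entitlement.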

Authentication vulnerabilities concern deficiencies in the login process. Is the login check performed in the browser with JavaScript, or are the credentials securely verified on the application (server) side? Can an attacker perform automated login attempts and thus programmatically guess thousands of passwords? Bypassing two-factor authentication would also be a vulnerability in this category.

Deficiencies in session management include, for example, predictability of the token used to maintain the session. If the post-login tokens are guessable, an attacker can hijack the session. A good example is the "Break into a website" task used in this course, where the session cookie is not secure and is easily guessable.
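The two preceding paragraphs describe the same login flow from two sides: verifying credentials on the server and throttling automated guessing, then issuing a session token that cannot be predicted. The added example below (not the course's or any real site's code) does both in one place: `verify_password` checks a salted PBKDF2 hash server-side with a constant-time comparison, `login` refuses further attempts once an account has failed too often inside a time window, and the session token comes from `secrets.token_urlsafe`, i.e. the operating system's CSPRNG. `predictable_token` is the anti-pattern the session paragraph warns against. The account, salt, limits and function names are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed sample account store: the server keeps a salted password hash, never the
# password itself, and the check below runs on the server, never in the browser.
_SALT = b"constructed-demo-salt"
_ITERATIONS = 100_000
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS)}

MAX_FAILURES = 5        # failed attempts allowed per account inside the window
WINDOW_SECONDS = 300
_failures = {}          # username -> timestamps of recent failed attempts
_sessions = {}          # session token -> username


def verify_password(username: str, password: str) -> bool:
    """Server-side credential check with a constant-time comparison."""
    stored = USERS.get(username)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    return hmac.compare_digest(stored, candidate)


def is_locked(username: str, now: float) -> bool:
    """True when the account has used up its failed attempts inside the window."""
    recent = [t for t in _failures.get(username, []) if now - t < WINDOW_SECONDS]
    _failures[username] = recent
    return len(recent) >= MAX_FAILURES


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Return a session token on success, None otherwise. Counting failures per account
    makes programmatic guessing of thousands of passwords impractical."""
    now = time.time() if now is None else now
    if is_locked(username, now):
        return None
    if not verify_password(username, password):
        _failures.setdefault(username, []).append(now)
        return None
    _failures.pop(username, None)
    token = secrets.token_urlsafe(32)   # 256 random bits from the OS CSPRNG: not guessable
    _sessions[token] = username
    return token


def session_user(token: str) -> Optional[str]:
    """Look up which user a presented session token belongs to."""
    return _sessions.get(token)


def predictable_token(counter: int) -> str:
    """The anti-pattern: a sequential cookie value, so knowing one session id reveals
    the neighbouring ones."""
    return f"session-{counter}"


if __name__ == "__main__":
    token = login("alice", "correct horse")
    print(token, session_user(token))
    print(login("alice", "wrong password"))   # None
```

The `now` parameter exists only so the time window can be exercised deterministically; a real deployment would also log the failures and the lockouts, since a burst of them against many accounts is exactly the signal a password-guessing campaign produces.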

Misunderstanding of protocols

Protocol misunderstandings refer to situations where developers adopt technologies without understanding the functionality hidden within them. A good example is XXE (XML External Entity) vulnerabilities, where hidden features of the XML language are abused, allowing attackers to perform various attacks. Another example is PDF generators, which sometimes allow HTML or JavaScript to be executed on the server and thus files to be stolen from the server or other attacks to be performed.

Race condition vulnerabilities

Race condition vulnerabilities are programming problems that occur when multiple processes or threads attempt to access the same resource simultaneously, and the system's outcome depends on the order in which these accesses occur. Such a situation can lead to unpredictable and undesirable consequences in the software.

Let's take as an example a money transfer from a user with a balance of 10 euros to another recipient. The code could work like this:

  • Check from the database whether the user has enough balance (10 euros or more).
  • If so, add X euros to the recipient's balance.
  • Subtract X euros from the user's balance.

What if the user writes a script that sends two account transfers simultaneously? In that case, two executions of the code would start on the bank's server at the same time:

  • Task 1: Check from the database whether the user has enough balance: OK
  • Task 2: Check from the database whether the user has enough balance: OK
  • Task 1: Add 10 euros to the recipient's balance.
  • Task 2: Add 10 euros to the recipient's balance. <- Oops, 20 euros were sent to the recipient from an account that had only 10 euros.
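The interleaving above can be reproduced on one machine with two threads. The added example below (not the course's code) implements the three steps exactly as `transfer_vulnerable`, with a short sleep standing in for the database round-trip so that both requests pass the balance check before either one debits; `transfer_safe` performs the check and both updates as one unit under a lock, so the second request sees the already-debited balance and is refused. The ledger, amounts and function names are constructed for the demonstration.

```python
import threading
import time

_LOCK = threading.Lock()


def make_accounts() -> dict:
    """Constructed sample ledger: the sender starts with 10 euros, as in the text."""
    return {"sender": 10, "recipient": 0}


def transfer_vulnerable(accounts: dict, amount: int) -> bool:
    """Check-then-act with no synchronisation: the three steps from the text, unchanged."""
    if accounts["sender"] >= amount:        # 1. check the balance
        time.sleep(0.1)                     # stand-in for a slow database round-trip, so both
                                            #    concurrent requests pass the check before either debits
        accounts["recipient"] += amount     # 2. credit the recipient
        accounts["sender"] -= amount        # 3. debit the sender
        return True
    return False


def transfer_safe(accounts: dict, amount: int) -> bool:
    """The check and both updates run as one unit under a lock, so the second request
    observes the already-debited balance and is refused. In a real database the same
    effect comes from a transaction, for example a single
    UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?
    whose affected-row count decides whether the recipient is credited at all."""
    with _LOCK:
        if accounts["sender"] >= amount:
            time.sleep(0.1)
            accounts["recipient"] += amount
            accounts["sender"] -= amount
            return True
        return False


def run_concurrent(transfer, accounts: dict, amount: int, requests: int = 2) -> dict:
    """Start `requests` transfers at the same moment, wait for all, return the balances."""
    threads = [
        threading.Thread(target=transfer, args=(accounts, amount)) for _ in range(requests)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return accounts


if __name__ == "__main__":
    print("vulnerable:", run_concurrent(transfer_vulnerable, make_accounts(), 10))
    print("safe:      ", run_concurrent(transfer_safe, make_accounts(), 10))
```

With two simultaneous requests the vulnerable version ends with the recipient at 20 euros and the sender at -10, exactly the outcome described above; the safe version moves 10 euros once and rejects the second request. The general lesson is that the check and the update must be one atomic step, whether by a lock, a database transaction, or a conditional update whose row count is checked.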

Memory corruption vulnerabilities

Memory corruption vulnerabilities refer to programming errors that cause incorrect use of a program's memory. This can lead to unstable program behavior, data distortion, program crashes, and often the emergence of security vulnerabilities. Such vulnerabilities are common, especially in programs written in the C and C++ programming languages, where memory management is the responsibility of the programmer. On the other hand, they are rarely present when using modern programming frameworks where the developer does not need to manage memory themselves.

Vulnerabilities caused by inadequate configuration

Misconfiguration vulnerabilities refer to situations where the settings of a system or software are not secure, exposing it to security risks. These vulnerabilities are not due to programming errors but to incorrect or insufficient configuration. They can occur in various environments, such as web servers, databases, operating systems, or cloud services.
