By Ankit Kapoor - July 28, 2019
What is a Vulnerability?
Vulnerability refers to a state in which there is a possibility of being attacked or harmed. In cyber security, a vulnerability is a weakness that an attacker can use to compromise a device or application. Different vulnerabilities can lead to different kinds of attack scenarios, such as sensitive information disclosure or compromise of devices or applications. Sometimes there are small loopholes that are not vulnerabilities in themselves but just threats, and these can still lead to serious consequences.
What is CVSS?
CVSS stands for Common Vulnerability Scoring System. It is an open industry standard for determining the severity of security vulnerabilities based on factors such as exploitability and impact. CVSS scores range from 0 to 10, where 0 is the lowest and 10 is the highest. Along with the Base Score, there are also a Temporal Score and an Environmental Score. The Base Score provides just the severity of the vulnerability, while the others help determine the severity based on different factors.
What is Vulnerability Chaining?
Sometimes there are a few weaknesses in the application or infrastructure that do not have a serious impact on their own. Developers often overlook these kinds of threats, but when these threats are combined, it is called vulnerability chaining. These low-level threats help an attacker gain a foothold for compromising systems or networks.
On the dark web, hackers are developing new methods to chain attacks and gain access to corporate and enterprise networks. Most of the time these attacks go undetected in networks, and the attacker might get access to sensitive data or critical assets. Attackers generally monetize these successful attacks through cryptocurrencies like Bitcoin.
Examples of Vulnerability Chaining
1. A session cookie that does not have the HttpOnly attribute and is scoped to the parent domain might be a risk. The application itself might not have an XSS vulnerability, so the cookie seems not to need fixing. However, another application on the same parent domain that uses the same cookie might have XSS and put the first application at risk. This combined attack can increase the impact and severity of the vulnerability. Additionally, if there is Clickjacking or CSRF in the application, it can make the XSS easier to exploit.
2. There is an old version of a piece of software that is only accessible locally and only allows requests from localhost. If there is also an SSRF vulnerability, which can make calls from the web server to the internal network, the impact can be very high.
3. SSRF, CR-LF and Unsafe Deserialization leading to RCE. Together, these vulnerabilities lead to Remote Code Execution, and GitHub Enterprise was vulnerable to it. The researcher wrote a blog post about it: http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
4. In web applications, a weak password policy is the most common threat, but the risk is higher when brute forcing is possible. Brute force boosts the chances of exploiting a weak password policy if the two exist together.
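The cookie scenario in example 1 can be checked during impact analysis by cross-referencing cookie scope with XSS findings on sibling hosts. The following is an added example, not code from the original article; the host names, cookie names and findings are constructed sample data.

```python
from http.cookies import SimpleCookie

# Constructed sample data: Set-Cookie headers seen per host, and hosts with
# an open XSS finding (all host and cookie names are hypothetical).
SET_COOKIE = {
    "accounts.example.test": [
        "SESSION=abc123; Domain=example.test; Path=/; Secure",
        "prefs=dark; Path=/",
    ],
    "pay.example.test": ["PAYSESS=zzz; Domain=example.test; Path=/; Secure; HttpOnly"],
}
XSS_FINDINGS = {"blog.example.test", "cdn.other.test"}


def domain_match(host, cookie_domain):
    """RFC 6265 domain matching: host equals the domain or is a subdomain of it."""
    d = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == d or host.endswith("." + d)


def script_readable_cookies(headers_by_host):
    """Yield (setting_host, name, domain_scope) for cookies lacking HttpOnly."""
    for host, headers in headers_by_host.items():
        for raw in headers:
            jar = SimpleCookie()
            jar.load(raw)
            for name, morsel in jar.items():
                if not morsel["httponly"]:
                    # An empty Domain attribute means the cookie is host-only.
                    yield host, name, morsel["domain"] or None


def find_chains(headers_by_host, xss_hosts):
    """Return (cookie, setting_host, xss_host) where XSS elsewhere exposes the cookie."""
    chains = []
    for host, name, scope in script_readable_cookies(headers_by_host):
        for xss_host in sorted(xss_hosts):
            exposed = domain_match(xss_host, scope) if scope else xss_host == host
            if exposed:
                chains.append((name, host, xss_host))
    return chains


if __name__ == "__main__":
    for cookie, owner, xss_host in find_chains(SET_COOKIE, XSS_FINDINGS):
        print(f"{cookie} set by {owner} is readable via XSS on {xss_host}")
```

Each reported tuple is a low-severity cookie finding whose rating should be raised, because an XSS issue on a different host in the same parent domain makes it reachable.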
Remediation of Vulnerability Chaining
There is no specific mitigation for vulnerability chaining. Developers usually overlook low-level threats because of their low impact, tight release schedules, or the major code changes the fixes would require. A proper impact and exploit analysis of each vulnerability must be done, taking into consideration the other vulnerabilities present in the application. The best and most effective solution is to remediate the vulnerability in the first place, or to have a secure SDLC that implements the proper security controls in the application architecture so that no major code changes are required.