Vulnerability database

Last updated

A vulnerability database (VDB) is a platform aimed at collecting, maintaining, and disseminating information about discovered computer security vulnerabilities. The database will customarily describe the identified vulnerability, assess the potential impact on affected systems, and any workarounds or updates to mitigate the issue. A VDB will assign a unique identifier to each vulnerability cataloged such as a number (e.g. 123456) or alphanumeric designation (e.g. VDB-2020-12345). Information in the database can be made available via web pages, exports, or API. A VDB can provide the information for free, for pay, or a combination thereof.

Contents

History

The first vulnerability database was the "Repaired Security Bugs in Multics", published by February 7, 1973 by Jerome H. Saltzer. He described the list as "a list of all known ways in which a user may break down or circumvent the protection mechanisms of Multics ". [1] The list was initially kept somewhat private with the intent of keeping vulnerability details until solutions could be made available. The published list contained two local privilege escalation vulnerabilities and three local denial of service attacks. [2]

Types of vulnerability databases

Major vulnerability databases such as the ISS X-Force database, Symantec / SecurityFocus BID database, and the Open Source Vulnerability Database (OSVDB) [lower-alpha 1] aggregate a broad range of publicly disclosed vulnerabilities, including Common Vulnerabilities and Exposures (CVE). The primary purpose of CVE, run by MITRE, is to attempt to aggregate public vulnerabilities and give them a standardized format unique identifier. [3] Many vulnerability databases develop the received intelligence from CVE and investigate further providing vulnerability risk scores, impact ratings, and the requisite workaround. In the past, CVE was paramount for linking vulnerability databases so critical patches and debugs can be shared to inhibit hackers from accessing sensitive information on private systems. [4] The National Vulnerability Database (NVD), run by the National Institute of Standards and Technology (NIST), is operated separately from the MITRE-run CVE database, but only includes vulnerability information from CVE. NVD serves as an enhancement to that data by providing Common Vulnerability Scoring System (CVSS) risk scoring and Common Platform Enumeration (CPE) data.

The Open Source Vulnerability Database provides an accurate, technical and unbiased index on vulnerability security. The comprehensive database cataloged over 121,000 vulnerabilities. The OSVDB was founded in August 2002 and was launched in March 2004. In its primitive beginning, newly identified vulnerabilities were investigated by site members and explanations were detailed on the website. However, as the necessity for the service thrived, the need for dedicated staff resulted in the inception of the Open Security Foundation (OSF) which was founded as a non-profit organisation in 2005 to provide funding for security projects and primarily the OSVDB. [5] The OSVDB closed in April 2016. [6]

The U.S. National Vulnerability Database is a comprehensive cyber security vulnerability database formed in 2005 that reports on CVE. [7] The NVD is a primary cyber security referral tool for individuals and industries alike providing informative resources on current vulnerabilities. The NVD holds in excess of 100,000 records. Similar to the OSVDB, the NVD publishes impact ratings and categorises material into an index to provide users with an intelligible search system. [8] Other countries have their own vulnerability databases, such as the Chinese National Vulnerability Database and Russia's Data Security Threats Database.

A variety of commercial companies also maintain their own vulnerability databases, offering customers services which deliver new and updated vulnerability data in machine-readable format as well as through web portals. Examples include A.R.P. Syndicate's Exploit Observer, Symantec's DeepSight [9] portal and vulnerability data feed, Secunia's (purchased by Flexera) vulnerability manager [10] and Accenture's vulnerability intelligence service [11] (formerly iDefense).

Exploit Observer [12] uses its Vulnerability & Exploit Data Aggregation System (VEDAS) to collect exploits & vulnerabilities from a wide array of global sources, including Chinese and Russian databases. [13]

Vulnerability databases advise organisations to develop, prioritize, and execute patches or other mitigations which attempt to rectify critical vulnerabilities. However, this can often lead to the creation of additional susceptibilities as patches are created hastily to thwart further system exploitations and violations. Depending upon the level of a user or organisation, they warrant appropriate access to a vulnerability database which provides the user with disclosure of known vulnerabilities that may affect them. The justification for limiting access to individuals is to impede hackers from being versed in corporation system vulnerabilities which could potentially be further exploited. [14]

Use of vulnerability databases

Vulnerability databases contain a vast array of identified vulnerabilities. However, few organisations possess the expertise, staff, and time to revise and remedy all potential system susceptibilities hence vulnerability scoring is a method of quantitatively determining the severity of a system violation. A multitude of scoring methods exist across vulnerability databases such as US-CERT and SANS Institute's Critical Vulnerability Analysis Scale but the Common Vulnerability Scoring System (CVSS) is the prevailing technique for most vulnerability databases including OSVDB, vFeed [15] and NVD. The CVSS is based upon three primary metrics: base, temporal and environmental which each provide a vulnerability rating. [16]

Base

This metric covers the immutable properties of a vulnerability such as the potential impact of the exposure of confidential information, the accessibility of information and the aftermath of the irretrievable deletion of information.

Temporal

The temporal metrics denote the mutable nature of a vulnerability for example the credibility of an exploitability, the current state of a system violation and the development of any workarounds that could be applied. [17]

Environmental

This aspect of the CVSS rates the potential loss to individuals or organisations from a vulnerability. Furthermore, it details the primary target of a vulnerability ranging from personal systems to large organisations and the number of potentially affected individuals. [18]

The complication with utilising different scoring systems it that there is no consensus on the severity of a vulnerability thus different organisations may overlook critical system exploitations. The key benefit of a standardised scoring system like CVSS is that published vulnerability scores can be assessed, pursued and remedied rapidly. Organisations and individuals alike can determine the personal impact of a vulnerability on their system. The benefits derived from vulnerability databases to consumers and organisations are exponential as information systems become increasingly embedded, our dependency and reliance on them grows, as does the opportunity for data exploitation. [19]

Common security vulnerabilities listed on vulnerability databases

Initial deployment failure

Although the functionality of a database may appear unblemished, without rigorous testing, the exiguous flaws can allow hackers to infiltrate a system's cyber security. Frequently, databases are published without stringent security controls hence the sensitive material is easily accessible. [20]

SQL injection

Database attacks are the most recurrent form of cyber security breaches recorded on vulnerability databases. SQL and NoSQL injections penetrate traditional information systems and big data platforms respectively and interpolate malicious statements allowing the hackers unregulated system access. [21]

Misconfigured databases

Established databases ordinarily fail to implement crucial patches suggested by vulnerability databases due to an excessive workload and the necessity for exhaustive trialling to ensure the patches update the defective system vulnerability. Database operators concentrate their efforts into major system deficiencies which offers hackers unmitigated system access through neglected patches. [22]

Inadequate auditing

All databases require audit tracks to record when data is amended or accessed. When systems are created without the necessary auditing system, the exploitation of system vulnerabilities are challenging to identify and resolve. Vulnerability databases promulgate the significance of audit tracking as a deterrent of cyber attacks. [23]

Data protection is essential to any business as personal and financial information is a key asset and the purloining of sensitive material can discredit the reputation of a firm. The implementation of data protection strategies is imperative to guard confidential information. Some hold the view that is it the initial apathy of software designers that in turn, necessitates the existence of vulnerability databases. If systems were devised with greater diligence, they may be impenetrable from SQL and NoSQL injections making vulnerability databases redundant. [24]

See also

Notes

  1. OSVDB was shut down in April 2016; a paid service VulnDB took their place

Related Research Articles

SQL Slammer is a 2003 computer worm that caused a denial of service on some Internet hosts and dramatically slowed general Internet traffic. It also crashed routers around the world, causing even more slowdowns. It spread rapidly, infecting most of its 75,000 victims within 10 minutes.

Vulnerabilities are flaws in a computer system that weaken the overall security of the system.

In computer security, arbitrary code execution (ACE) is an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process. An arbitrary code execution vulnerability is a security flaw in software or hardware allowing arbitrary code execution. A program that is designed to exploit such a vulnerability is called an arbitrary code execution exploit. The ability to trigger arbitrary code execution over a network is often referred to as remote code execution.

The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. The United States' National Cybersecurity FFRDC, operated by The MITRE Corporation, maintains the system, with funding from the US National Cyber Security Division of the US Department of Homeland Security. The system was officially launched for the public in September 1999.

SAINT is computer software used for scanning computer networks for security vulnerabilities, and exploiting found vulnerabilities.

The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics. NVD supports the Information Security Automation Program (ISAP). NVD is managed by the U.S. government agency the National Institute of Standards and Technology (NIST).

The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization, including e.g., FISMA compliance. The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP. An example of an implementation of SCAP is OpenSCAP. SCAP is a suite of tools that have been compiled to be compatible with various protocols for things like configuration management, compliance requirements, software flaws, or vulnerabilities patching. Accumulation of these standards provides a means for data to be communicated between humans and machines efficiently. The objective of the framework is to promote a communal approach to the implementation of automated security mechanisms that are not monopolized.

Trellix is a privately held cybersecurity company that was founded in 2022. It has been involved in the detection and prevention of major cybersecurity attacks. It provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks.

The Common Weakness Enumeration (CWE) is a category system for hardware and software weaknesses and vulnerabilities. It is sustained by a community project with the goals of understanding flaws in software and hardware and creating automated tools that can be used to identify, fix, and prevent those flaws. The project is sponsored by the office of the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), which is operated by The MITRE Corporation, with support from US-CERT and the National Cyber Security Division of the U.S. Department of Homeland Security.

Kiteworks, formerly known as Accellion, Inc., is an American technology company that secures sensitive content communications over channels such as email, file share, file transfer, managed file transfer, web forms, and application programming interfaces. The company was founded in 1999 in Singapore and is now based in San Mateo, California.

Duqu is a collection of computer malware discovered on 1 September 2011, thought by Kaspersky Labs to be related to the Stuxnet worm and to have been created by Unit 8200. Duqu has exploited Microsoft Windows's zero-day vulnerability. The Laboratory of Cryptography and System Security of the Budapest University of Technology and Economics in Hungary discovered the threat, analysed the malware, and wrote a 60-page report naming the threat Duqu. Duqu got its name from the prefix "~DQ" it gives to the names of files it creates.

JASBUG is a security bug disclosed in February 2015 and affecting core components of the Microsoft Windows Operating System. The vulnerability dated back to 2000 and affected all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

MOVEit is a managed file transfer software product produced by Ipswitch, Inc.. MOVEit encrypts files and uses file transfer protocols such as FTP(S) or SFTP to transfer data, as well as providing automation services, analytics and failover options. The software has been used in the healthcare industry by companies such as Rochester Hospital and Medibank, as well as thousands of IT departments in high technology, government, and financial service companies like Zellis.

<span class="mw-page-title-main">Benjamin Kunz Mejri</span> German IT security specialist and penetration tester

Benjamin Kunz Mejri is a German IT security specialist and penetration tester. His areas of research include vulnerabilities in computer systems, bug bounties, the security of e-payment payment services and privacy protection. Mejri is known for uncovering new zero-day vulnerabilities and making them transparent to the public.

EternalBlue is a computer exploit software developed by the U.S. National Security Agency (NSA). It is based on a vulnerability in Microsoft Windows that, at the time, allowed users to gain access to any number of computers connected to a network. The NSA had known about this vulnerability for several years but had not disclosed it to Microsoft yet, since they planned to use it as a defense mechanism against cyber attacks. In 2017, the NSA discovered that the software was stolen by a group of hackers known as the Shadow Brokers. Microsoft was informed of this and released security updates in March 2017 patching the vulnerability. While this was happening, the hacker group attempted to auction off the software, but did not succeed in finding a buyer. EternalBlue was then publicly released on April 14, 2017.

<span class="mw-page-title-main">Ang Cui</span> American computer scientist

Ang Cui is an American cybersecurity researcher and entrepreneur. He is the founder and CEO of Red Balloon Security in New York City, a cybersecurity firm that develops new technologies to defend embedded systems against exploitation.

SIGRed is a security vulnerability discovered in Microsoft's Domain Name System (DNS) implementation of Windows Server versions from 2003 to 2019.

<span class="mw-page-title-main">Sakura Samurai (group)</span> Hacker group

Sakura Samurai was a white hat hacking and security research group that was founded in 2020. The group is responsible for multiple vulnerability disclosures involving governmental groups and various corporations.

Log4Shell (CVE-2021-44228) is a zero-day vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution. The vulnerability had existed unnoticed since 2013 and was privately disclosed to the Apache Software Foundation, of which Log4j is a project, by Chen Zhaojun of Alibaba Cloud's security team on 24 November 2021. Before an official CVE identifier was made available on 10 December 2021, the vulnerability circulated with the name "Log4Shell", given by Free Wortley of the LunaSec team, which was initially used to track the issue online. Apache gave Log4Shell a CVSS severity rating of 10, the highest available score. The exploit was simple to execute and is estimated to have had the potential to affect hundreds of millions of devices.

The Mark of the Web (MoTW) is an identifier used by Microsoft Windows to mark files downloaded from the Internet as potentially unsafe. It is implemented as an NTFS Zone.Identifier alternate data stream (ADS) containing an identifier element which indicates that a file saved on a computer could contain harmful or malicious content because it was downloaded from an external source.

References

  1. Saltzer, J. H. (7 February 1973). "Repaired Security Bugs in Multics" (PDF). Massachusetts Institute of Technology. S2CID   15487834. Archived (PDF) from the original on 26 February 2024. Retrieved 21 May 2024.
  2. "REPAIRED SECURITY BUGS IN MULTICS" (PDF). Archived (PDF) from the original on 2024-02-26. Retrieved 2024-05-21.
  3. "Common Vulnerabilities and Exposures (CVE)". Cve.mitre.org. Archived from the original on 20 August 2011. Retrieved 1 November 2015.
  4. Yun-Hua, Gu; Pei, Li (2010). "Design and Research on Vulnerability Database". 2010 Third International Conference on Information and Computing. pp. 209–212. doi:10.1109/ICIC.2010.147. ISBN   978-1-4244-7081-5. S2CID   13308368.
  5. Karlsson, Mathias (2012). The Edit History of the National Vulnerability Database and similar Vulnerability Databases (PDF) (Thesis). Archived (PDF) from the original on 2022-11-14. Retrieved 2024-05-21.
  6. "OSVDB Shut Down Permanently". 7 April 2016. Archived from the original on 2021-01-28. Retrieved 2021-01-25.
  7. "The National Vulnerability Database Explained". resources.whitesourcesoftware.com. Archived from the original on 2024-05-21. Retrieved 2020-12-01.
  8. "NVD Primary Resources". National Vulnerability Database. Archived from the original on 6 April 2018. Retrieved 1 November 2015.
  9. "DeepSight Technical Intelligence | Symantec". Symantec . Archived from the original on 2018-11-24. Retrieved 2018-12-05.
  10. "Secunia's Vulnerability Manager". Archived from the original on 2018-12-06. Retrieved 2018-12-05.
  11. "Accenture Vulnerability Intelligence" (PDF). Archived (PDF) from the original on 2018-12-06. Retrieved 2018-12-05.
  12. "Exploit & Vulnerability Intelligence by A.R.P. Syndicate". Exploit Observer. Retrieved 2024-05-31.
  13. Singh, Ayush (2024-05-18). "Around 1000 exploitable cybersecurity vulnerabilities that MITRE & NIST 'might' have missed but China or Russia didn't". A.R.P. Syndicate's Blog. Retrieved 2024-05-31.
  14. Erickson, J (2008). Hacking - The Art of Exploitation (1st ed.). San Francisco: No Starch Press. ISBN   978-1-59327-144-2.
  15. vFeed. "vFeed Correlated Vulnerability and Threat Intelligence". Archived from the original on 2016-10-27. Retrieved 2016-10-27.
  16. First. "Common Vulnerability Scoring System (CVSS-SIG)". Archived from the original on 8 March 2022. Retrieved 1 November 2015.
  17. Mell, Peter; Scarfone, Karen; Romanosky, Sasha (November 2006). "Common Vulnerability Scoring System". IEEE Security Privacy. 4 (6): 85–89. doi:10.1109/MSP.2006.145. S2CID   14690291.
  18. Hayden, L (2010). IT Security Metrics (1st ed.). New York: McGraw Hill.
  19. Peter Mell; Karen Scarfone; Sasha Romanosky (November–December 2006). "Common Vulnerability Scoring System" (PDF). IEEE Security & Privacy. Vol. 4, no. 6. pp. 85–88. doi:10.1109/MSP.2006.145. Archived (PDF) from the original on 2024-02-25. Retrieved 2024-05-21 via Forum of Incident Response and Security Teams.
  20. "The Most Significant Risks of 2015 and How to Mitigate Them" (PDF). Imperva. Archived (PDF) from the original on 30 September 2015. Retrieved 2 November 2015.
  21. Natarajan, Kanchana; Subramani, Sarala (2012). "Generation of Sql-injection Free Secure Algorithm to Detect and Prevent Sql-Injection Attacks". Procedia Technology. 4: 790–796. doi: 10.1016/j.protcy.2012.05.129 .
  22. "Vulnerability Database - Top 1000 Flaws". Network Security. 8 (6). 2001.
  23. Afyouni, H (2006). Database Security & Auditing (1st ed.). Boston: Thomson Course Technology.
  24. Sirohi, D (2015). Transformational Dimensions of Cyber Crime. India: Vij Books. pp. 54–65.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.