In this recent post (and a couple subsequent ones), I discussed an interesting presentation by Tom Pace of NetRise. In it, he described how he’d found 1,237 vulnerabilities by identifying components in the firmware in a device that’s used in many ICS environments.
Having vulnerabilities – and sometimes a lot of them – is certainly not unique to this product. Why did I write three posts about this discovery? The problem is that, were you to look for vulnerabilities for that product in the National Vulnerability Database (NVD), you would get the message “There are 0 matching records.” Sounds good, doesn’t it? No vulnerabilities at all! That conclusion is true, except it’s off by 1,237 vulnerabilities.
Now, suppose you were comparing three products in advance of a procurement decision, and you look up vulnerabilities for all three. For two of them, you find a handful of vulnerabilities, but for the third product, you get the above message. Would you tell the first two vendors, “Thanks, but no thanks”, and write up your PO for the third vendor? I’m sure many organizations would.
Of course, this would be a mistake, since Tom found 1,237 vulnerabilities listed for components in just the firmware of this device. But it turns out the true story is worse: Tom said last week that after further analysis, he identified 2,200 vulnerabilities in components included in the device’s firmware. Even worse, after analyzing all of the software installed in the device, he estimates there are around 40,000 component vulnerabilities in the whole device. That’s a lot.
To be sure, these aren’t all exploitable vulnerabilities. As I’ve mentioned often, probably 90-95% of vulnerabilities identified in software and firmware components within a device aren’t exploitable in the device itself, often because of how the component was implemented. Let’s say that the percentage for this device is 95%, meaning only 5% of the identified vulnerabilities are exploitable. That’s still 2,000 exploitable vulnerabilities in a single device.
This is obviously not good, but what’s even worse is the fact that not a single one of these 2,000 exploitable vulnerabilities appears in the NVD. They don’t appear because the supplier never registered the product. If the supplier (or somebody else) doesn’t register a product, it doesn’t get a CPE name. And if it doesn’t have a CPE name, nobody can report vulnerabilities for the product to the NVD. The product will appear to be perfect – no vulnerabilities, either current or reported in the past.
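The practical consequence of the CPE gap is that an NVD lookup has to be read in two steps: first, does a CPE name even exist for the product, and only then, how many CVEs are attached to it. Below is an added example (my own, not code from the post or from NetRise) that makes that distinction explicit. It runs offline on constructed JSON shaped like the NVD API 2.0 `cpes/2.0` and `cves/2.0` responses; the field names follow the public API as I know it and are an assumption here.

```python
# Classify an NVD lookup so that "There are 0 matching records" is never read
# as "no vulnerabilities". Constructed sample data only; no network access.
from dataclasses import dataclass
from typing import List, Optional

UNREGISTERED = "unregistered"              # no CPE name: nobody could have reported anything
REGISTERED_NO_CVES = "registered_no_cves"  # CPE exists, zero CVEs attached
REGISTERED_WITH_CVES = "registered_with_cves"


@dataclass
class Verdict:
    status: str
    cpe_names: List[str]
    cve_count: int
    guidance: str


def cpe_names_from(cpe_response: dict) -> List[str]:
    """Pull the CPE names out of a cpes/2.0 'products' array (assumed field layout)."""
    return [p["cpe"]["cpeName"] for p in cpe_response.get("products", [])]


def assess(cpe_response: dict, cve_response: Optional[dict]) -> Verdict:
    """cpe_response: result of a CPE dictionary search for the product.
    cve_response: result of a CVE search filtered by the product's cpeName,
    or None when no CPE name exists and the search could not be made."""
    names = cpe_names_from(cpe_response)
    if not names:
        return Verdict(UNREGISTERED, [], 0,
                       "No CPE name exists, so an empty CVE result carries no information. "
                       "Treat the vulnerability count as unknown, not zero.")
    count = int((cve_response or {}).get("totalResults", 0))
    if count == 0:
        return Verdict(REGISTERED_NO_CVES, names, 0,
                       "Registered but nothing reported; ask the supplier how they look for vulnerabilities.")
    return Verdict(REGISTERED_WITH_CVES, names, count,
                   "Supplier is reporting; check that the reported CVEs have patches.")


# Constructed sample responses (not real NVD data, not a real vendor or CVE ids).
UNREGISTERED_PRODUCT = {"totalResults": 0, "products": []}
REGISTERED_PRODUCT = {"totalResults": 1, "products": [
    {"cpe": {"cpeName": "cpe:2.3:o:examplevendor:exampledevice_firmware:2.1:*:*:*:*:*:*:*"}}]}
THREE_CVES = {"totalResults": 3, "vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001"}}, {"cve": {"id": "CVE-0000-0002"}}, {"cve": {"id": "CVE-0000-0003"}}]}

if __name__ == "__main__":
    for label, v in [("unregistered", assess(UNREGISTERED_PRODUCT, None)),
                     ("registered", assess(REGISTERED_PRODUCT, THREE_CVES))]:
        print(f"{label}: {v.status}, {v.cve_count} CVE(s). {v.guidance}")
```

The point is the first branch: a product with no CPE name lands in a separate category rather than sharing the "zero" bucket with a registered product that genuinely has nothing reported.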
In fact, this supplier is so good that they’ve never registered any of their 50 or so products – meaning everything this supplier makes has a perfect record! Moreover, they don’t even mention the word “security” or “vulnerability” on their website. Why should they, given that all of their products are perfect?
Of course, that company’s products aren’t perfect – just the opposite. And the company is hardly unique. There are lots of other companies that haven’t registered some or all of their products on the NVD, meaning that anyone searching for vulnerabilities in those products will also get the message, “There are 0 matching records.”
What does all this mean? I hope you’re sitting down, since I need to give you some bad news: There are no perfect products or perfect suppliers (there’s also no Santa Claus or Easter Bunny. Might as well give you all the bad news at once). You should never interpret the fact that you can’t identify vulnerabilities for a software product (or intelligent device) in the NVD (or any other vulnerability database, of course) to mean that the product doesn’t have vulnerabilities.
But there’s more to it than that. Not only should you stay away from “perfect” products, but you should also deliberately favor products that show a lot of vulnerabilities in the NVD. Why is this? Remember, vulnerabilities are almost always reported by the suppliers themselves. Would you rather buy a product from a supplier that has only reported a few vulnerabilities in the past year or two, or from one that has reported a lot of them? If a supplier has only reported a few vulnerabilities, this doesn’t mean they’re good; on the contrary, it probably means they’re clueless in cybersecurity matters. It means the supplier isn’t looking very hard – or not at all – for vulnerabilities, so they’re not finding many.
Steve Springett, who I’ve written about a number of times and who is tasked with helping 2,000 coders produce secure software in his day job, said last week that his company deliberately favors products for which there are a lot of reported vulnerabilities. They consider this a sign that the supplier is diligently seeking out vulnerabilities, not waiting for their product to be hacked.
So not only should you avoid “perfect” products, but you should actually seek out suppliers that have reported a lot of vulnerabilities. Of course, you also want to make sure that such a supplier hasn’t left serious vulnerabilities unpatched. My guess is, if a supplier has found and reported a lot of exploitable vulnerabilities, they’ve also done a good job of patching them. In fact, the supplier should report vulnerabilities, even if they’re patched.[i] That’s the only way the rest of the world will learn about the real impact of particular vulnerabilities.
Any opinions expressed in this blog post are strictly mine, and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i] There are limits to this suggestion. I know that suppliers discover vulnerabilities in products under development all the time, and patch them immediately. I don’t think they need to report those. But when a vulnerability develops in a product that’s already on the market, they always need to report it – along with providing the patch, of course.