In this recent post (and a couple subsequent ones), I discussed an interesting presentation by Tom Pace of NetRise. In it, he described how he’d found 1,237 vulnerabilities by identifying components in the firmware in a device that’s used in many ICS environments.
Having vulnerabilities – and sometimes a lot of them – is certainly not unique to this product. Why did I write three posts about this discovery? The problem is that, were you to look for vulnerabilities for that product in the National Vulnerability Database (NVD), you would get the message “There are 0 matching records.” Sounds good, doesn’t it? No vulnerabilities at all! That conclusion is true, except it’s off by 1,237 vulnerabilities.
Now, suppose you were comparing three products in advance of a procurement decision, and you look up vulnerabilities for all three. For two of them, you find a handful of vulnerabilities, but for the third product, you get the above message. Would you tell the first two vendors, “Thanks, but no thanks”, and write up your PO for the third vendor? I’m sure many organizations would.
Of course, this would be a mistake, since Tom found 1,237 vulnerabilities listed for components in just the firmware of this device. But it turns out the true story is worse: Tom said last week that after further analysis, he identified 2,200 vulnerabilities in components included in the device’s firmware. Even worse, after analyzing all of the software installed in the device, he estimates there are around 40,000 component vulnerabilities in the whole device. That’s a lot.
To be sure, these aren’t all exploitable vulnerabilities. As I’ve mentioned often, probably 90-95% of vulnerabilities identified in software and firmware components within a device aren’t exploitable in the device itself, often because of how the component was implemented. Let’s say that the percentage for this device is 95%, meaning only 5% of the identified vulnerabilities are exploitable. That’s still 2,000 exploitable vulnerabilities in a single device
This is obviously not good, but what’s even worse is the fact that not a single one of these 2,000 exploitable vulnerabilities appears in the NVD. They don’t appear because the supplier never registered the product. If the supplier (or somebody else) doesn’t register a product, it doesn’t get a CPE name. And if it doesn’t have a CPE name, nobody can report vulnerabilities for the product to the NVD. The product will appear to be perfect – no vulnerabilities, either current or reported in the past.
In fact, this supplier is so good that they’ve never registered any of their 50 or so products – meaning everything this supplier makes has a perfect record! Moreover, they don’t even mention the word “security” or “vulnerability” on their website. Why should they, given that all of their products are perfect?
Of course, that company’s products aren’t perfect – just the opposite. And the company is hardly unique. There are lots of other companies that haven’t registered some or all of their products on the NVD, meaning that anyone searching for vulnerabilities in those products will also get the message, “There are 0 matching records.”
What does all this mean? I hope you’re sitting down, since I need to give you some bad news: There are no perfect products or perfect suppliers (there’s also no Santa Claus or Easter Bunny. Might as well give you all the bad news at once). You should never interpret the fact that you can’t identify vulnerabilities for a software product (or intelligent device) in the NVD (or any other vulnerability database, of course) to mean that the product doesn’t have vulnerabilities.
But there’s more to it than that. Not only should you stay away from “perfect” products, but you should also deliberately favor products that show a lot of vulnerabilities in the NVD. Why is this? Remember, vulnerabilities are almost always reported by the suppliers themselves. Would you rather buy a product from a supplier that has only reported a few vulnerabilities in the past year or two, or from one that has reported a lot of them? If a supplier has only reported a few vulnerabilities, this doesn’t mean they’re good; on the contrary, it probably means they’re clueless in cybersecurity matters. It means the supplier isn’t looking very hard – or not at all – for vulnerabilities, so they’re not finding many.
Steve Springett, who I’ve written about a number of times and who is tasked with helping 2,000 coders produce secure software in his day job, said last week that his company deliberately favors products for which there are a lot of reported vulnerabilities. They consider this a sign that the supplier is diligently seeking out vulnerabilities, not waiting for their product to be hacked.
So not only should you avoid “perfect” products, but you should actually seek out suppliers that have reported a lot of vulnerabilities. Of course, you also want to make sure that such a supplier hasn’t left serious vulnerabilities unpatched. My guess is, if a supplier has found and reported a lot of exploitable vulnerabilities, they’ve also done a good job of patching them. In fact, the supplier should report vulnerabilities, even if they’re patched.[i] That’s the only way the rest of the world will learn about the real impact of particular vulnerabilities.
Any opinions expressed in this blog post are strictly mine, and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at email@example.com.
[i] There are limits to this suggestion. I know that suppliers discover vulnerabilities in products under development all the time, and patch them immediately. I don’t think they need to report those. But when a vulnerability develops in a product that’s already on the market, they always need to report it – along with providing the patch, of course.
Post a Comment