Friday, September 2, 2022

It’s time for some basic VEX education

 

I’ve written a number of posts about VEX, but there are only one or two posts that I’ve linked when I want to explain the term itself, so that someone who hasn’t heard of VEX can get a quick education. However, I recently went back and read those posts, and realized that they don’t actually give a basic explanation of VEX. Instead, they assume basic VEX knowledge to start out. Now, I’m writing the post I should have written a while ago. I’ll use this as my “VEX education” link in the future.

VEX is an acronym for “Vulnerability Exploitability eXchange”. VEX is a simple yet machine-readable pair of formats for reporting the status of vulnerabilities found in software products and intelligent devices. While it can be used for any vulnerability reporting, it was developed specifically for a use case specific to suppliers that provide SBOMs for their products.

VEX was developed to enable a supplier to notify its customers, in a machine-readable format, that a vulnerability they may believe is exploitable in their product is not in fact exploitable. The primary reason that customers would ask this question in the first place is if they have received an SBOM and looked up its components in a vulnerability database like the NVD, then learned about one or more serious vulnerabilities that apply to those components. They might waste a lot of time (and worry) trying to find and patch vulnerabilities that aren’t exploitable, and therefore pose no danger to them.

Another reason for a VEX is that a specific vulnerability or set of vulnerabilities, like the log4j or Ripple20 vulnerabilities, has been widely discussed in the news – and users want to know whether or not it applies to a software product they use.

The consensus in the software industry is that at least 90% of component vulnerabilities are not exploitable in the product itself, usually because of how the component was incorporated into the product. For example, a library may have four modules, but the supplier might have only installed the three modules that they needed. A serious vulnerability could be identified in the library, but it happens to be found in the fourth module, which the supplier didn’t install. Therefore, the vulnerability is not exploitable in the product itself. A VEX document will state that fact.

It is likely that the great majority of VEX documents will be based on the use case of identifying non-exploitable component vulnerabilities. However, the simplicity of the VEX idea enables a number of other powerful use cases for vulnerability notifications. These use cases go beyond the case for which VEX was originally developed.

The need for VEX arose from discussions in the Software Component Transparency Initiative (hereinafter, “the Initiative”). This was a “multistakeholder process” convened by the National Technology and Information Administration (NTIA) division of the US Department of Commerce, beginning in 2018 and ending in late 2021. The purpose of the Initiative was to get together private and public “stakeholders” in the software marketplace to discuss securing software and intelligent devices from risks arising from use of third-party and open source components; of course, the main tool for accomplishing this purpose is SBOMs.

Early on in those discussions, it became apparent that there was a lot of concern about the problem that was discussed above: the fact that a large percentage of vulnerabilities identified in components included in a software product are not in fact exploitable in the product itself.

At first, this might seem to be a good thing. After all, if 90% of vulnerabilities in the components of a product aren’t exploitable in the product itself, this means that the “attack surface” of the product is reduced by 90%, compared to what it would be if all component vulnerabilities were exploitable in the product itself.

This is true, but the problem is that the end user cannot normally determine, through their own actions, which component vulnerabilities are exploitable in the product, and which are not exploitable. Not having this information, the user needs to assume that every component vulnerability they have identified is exploitable. Thus, they may waste a lot of their time trying to determine whether these vulnerabilities are actually present in the product. Moreover, they will waste the supplier’s time by continually contacting their help desk to inquire when each of these vulnerabilities will be patched.

The NTIA group discussing this problem decided that the best way to prevent this from happening is for the supplier to notify the customer that a particular vulnerability is not in fact exploitable in the product, even though it is listed in the NVD (or another vulnerability database) as applicable to a component of the product.

Note that this is a type of vulnerability notification that has not been used very much, simply because it has not normally been needed. A “normal” vulnerability notification says, for example, that CVE-2022-12345 is exploitable in product ABC version X.Y.Z. We call this a “positive” vulnerability notification, since it states that a particular vulnerability is exploitable in the product.

Of course, if this example is a positive vulnerability notification, then the notification mentioned above – i.e. that a particular vulnerability found in a component of a product is not in fact exploitable in the product – should be called a negative vulnerability notification.

The supplier is normally the party that is best able to provide vulnerability exploitability information, since they have access to the source code and know in intimate detail how the product was built. Fortunately, it is also in the supplier’s interest to get this information to their customers, since this will eliminate a lot of “false positive” calls to their help desk.  However, because it is likely that many suppliers, at least initially, will not provide either SBOMs or VEX documents, third parties might need to step in to provide VEXes on their own.

There are currently two VEX formats. The first is based on the CycloneDX SBOM format (although it can refer to SPDX SBOMs as well). The second consists of a subset of the CSAF vulnerability reporting format. Unfortunately, as of now (September 2022), the CSAF VEX format isn’t completely specified (a partial specification, which will be enough for someone who already understands CSAF, is here). A “playbook” for creating and using VEX documents is currently being prepared by the CISA VEX working group.

Because of the delay in developing proper documentation for producing and using VEX documents, as well as the fact that end users will want to know about the exploitability status of component vulnerabilities as soon as they learn about them – not several days or weeks later, depending on how long it takes the supplier to produce a VEX document – I am now advocating for the idea of “real-time VEX”.

This is essentially an API where a user will be able to learn instantaneously what the supplier currently believes to be the exploitability status of a particular component vulnerability (of course, that status may be “We’re still investigating it”). My guess is that, if this is implemented, the need for a majority of VEX documents will disappear. VEXes will still be needed for more complex use cases like patching, but the urgent use cases can all be handled by the API.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

 

No comments:

Post a Comment