I love listening to the Sophos podcast. These guys a) know what they’re doing, and b) love what they’re doing. That’s a deadly combination!
They had a podcast explaining the different items on the Microsoft menu when it releases patches every 2nd Tuesday of the month. Microsoft tends to abbreviate the types of vulnerabilities to 3-letter acronyms, which gives them a cute, almost useless meaning. Here are the most common vulnerability types you’re likely to encounter on a Patch Tuesday, their meaning, and what they (could potentially) mean for you if they get exploited on your servers:
1. Remote Code Execution (RCE)
This is the one that gets the most attention (i.e. “Critical” severity), and for good reason.
This vulnerability allows an unauthorized attacker to remotely execute arbitrary code on your machine, against its will so-to-speak. The piece of code they execute on your machine (aka the payload) is called shellcode. Shellcode can be anything the attacker wants, which is the reason why this type of vulnerability is so worrisome.
Comparison: Piggybacking or tailgating someone through the door.
2. Elevation of Privilege (EoP)
This vulnerability gets given a severity level of “Important”, but I disagree with Microsoft that it’s less important than an RCE.
Elevation of privilege is exactly as it sounds. A non-privileged user (i.e. non-administrator for Windows, or non-root for Unix/Linux) can leverage an EoP vulnerability to gain administrator-level access on a system. Once you have that level of access on a system, all bets are off. That system is completely yours.
From there, you can use pivoting to move laterally throughout the network with your newly acquired super(admin) powers.
Comparison: Stealing the security guard’s keys to gain access to all rooms
3. Information Disclosure (ID)
Applications typically reserve an area in memory to store data that is being used frequently. This data could be anything: a credit card number, a password, text you entered in an email, settings for the application, etc.
Insecurely storing data in memory could lead to Information disclosure, where an unauthorized subject gains access to that data.
Shellcode that someone just injected into your machine could be looking for interesting data like passwords. RAM scrapers are a subset of malware dedicated to scouting your system’s memory looking for passwords and other interesting data.
The trick with information disclosure attacks is that they’re usually invisible to the user. There’s no sign that something happened.
Heartbleed is an example of an information disclosure bug. You could send a specially crafted packet to a server, and get more data than you asked for. The extra data could be any random bit of memory really. But there was no limit on how many of those packets you could send to the server. So, do it enough times, and you get all sorts of juicy data back (private keys, usernames, passwords, etc.).
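The missing length check behind Heartbleed, as an added example that is not from the original post or from OpenSSL: a toy model in which the request payload and an unrelated secret sit side by side in one constructed buffer. The struct, function names and buffer contents are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for process memory: the received payload sits next to
   unrelated secret data, all inside one array so the over-read shown below
   stays within defined behaviour. */
#define ARENA_SIZE 64
static unsigned char arena[ARENA_SIZE];

/* Hypothetical request: claimed_len is the length field the sender wrote,
   received_len is how many payload bytes actually arrived. */
struct heartbeat { size_t offset; size_t claimed_len; size_t received_len; };

/* Vulnerable shape: echoes back as many bytes as the sender claims. */
static size_t respond_vulnerable(const struct heartbeat *hb, unsigned char *out) {
    memcpy(out, arena + hb->offset, hb->claimed_len);
    return hb->claimed_len;
}

/* Hardened shape: a claimed length larger than what was received means the
   request is malformed, so it is discarded without a reply. */
static size_t respond_checked(const struct heartbeat *hb, unsigned char *out) {
    if (hb->claimed_len > hb->received_len)
        return 0;
    memcpy(out, arena + hb->offset, hb->claimed_len);
    return hb->claimed_len;
}

/* Constructed scenario: a 4-byte payload followed by a 22-byte placeholder
   secret, and a request that claims 26 bytes while only 4 were sent. */
static size_t run_demo(int checked, unsigned char *out) {
    memset(arena, 0, sizeof arena);
    memcpy(arena, "ping", 4);
    memcpy(arena + 4, "SECRET-KEY-PLACEHOLDER", 22);
    struct heartbeat hb = { 0, 26, 4 };
    return checked ? respond_checked(&hb, out) : respond_vulnerable(&hb, out);
}

int main(void) {
    unsigned char out[ARENA_SIZE + 1] = {0};
    size_t n = run_demo(0, out);
    printf("unchecked: %zu bytes: %.*s\n", n, (int)n, out);
    memset(out, 0, sizeof out);
    n = run_demo(1, out);
    printf("checked:   %zu bytes\n", n);
    return 0;
}
```

The unchecked handler returns the payload plus the neighbouring placeholder secret, while the checked handler returns nothing for the same request.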
Comparison: Stealing the address book so now you have access to even more information.
4. Denial of Service (DoS)
I send a weird request to your webserver, and instead of owning it, I just cause it to crash. Or, I send so many requests to your server, much more than it knows how to handle, and it crashes as a result.
Either way, a denial of service attack is about causing a system to stop being able to serve requests.
This one is becoming increasingly common as a means of distraction while something else is taking place. A very recent example is the Code Spaces incident where an attacker caused them to go out of business. A DoS was launched as a first step, and the attacker tried to extort money from them. When they caught onto him, he immediately started deleting everything in their EC2 control panel, putting them out of business in the span of 12 hours.
Comparison: Making noise outside the building to distract all security staff, meanwhile sneaking in through the side entrance.
5. Tampering
Tampering is an interesting security hole. Tampering is about making it harder for you to know something bad is taking place. It allows an attacker to, say, make security-related changes without triggering any alarms. Or, to add a malicious payload to someone’s signed software without altering the signature.
An example can be made using the MD5 hashing algorithm, which is well-known to be cryptographically insecure (it’s very easy to cause collisions, not just in the lab, but in real life). Something signed with MD5 could be swapped for something that has the same signature, allowing the malicious entity to launch an attack without being detected.
Example: Signing the security guard log book with another person’s name, to throw people off.
There’s a whole buffet of options available to attackers. Mix and match them to gain even more power.
A DoS of your IDS system can hide an RCE attack about to take place on one of your servers. Or, an Information Disclosure attack can reveal privileged account credentials, and allow an attacker to gain more rights on a system.
In conclusion, “patch early, and patch often”.