TRANSCRIPT
ICS Vulnerabilities happen… what lessons can we learn?
Dr Richard J. Thomas ([email protected])
University of Birmingham
The Challenge:
Provide guidance to the supply chain to get things right. What do you target? How confident are you in your reasoning?
How can you assure this has been done correctly? Automated tools? Manual firmware analysis? Fuzzing?
Disparate Data Sources – what is available?
ICS-CERT Advisories: ICS vulnerabilities from 2011; provide some common insight into vulnerabilities
CVE Lists: the "what" of a vulnerability and its severity (CVSS); different sources – NVD and MITRE – for the same CVE
CVEDetails.com (other sites available): vulnerabilities for a specific vendor/product
Key information is held in different locations
Interlude… accuracy of Vulnerability Reports
32% of ICS CVEs had an incorrect CVSS vector and CVSS score
18% of vendor reports had errors in the CVSS score; 24% error rate for reports where a researcher engaged with the vendor (not CERT)
How do we ensure our analyses are accurate?
Processing data to obtain meaningful analyses
Sources:
US-CERT ICS Advisory List (NOT ICSA)*
MITRE CWE/CVE XML Export
NVD CVE JSON Export
Processing:
XML parser – extracts details of CWE
HTML2Text / Pandoc (MD) – extract CVE, CWE references and context; ICSA, vendor and product extraction
Parse CVE
Manual review
Storage and analysis:
Azure SQL Server
Tableau data analysis
Manual review
Another challenge: preventing bias
Dataset only covers ICS-CERT, MITRE and NVD; many vendors publish their own security advisories
Some public, some closed to their own customers/integrators
Varying levels of detail and formats
Consistency is at risk, with opportunity to introduce bias
We have vulnerabilities – what categories do they fall under?
Most CVEs have an assigned CWE. CWEs define the root cause, e.g. CWE-20: Improper Input Validation, CWE-200: Information Exposure
Not all CWEs are born equal: some are retired and replaced with more granular ones
No single categorisation scheme fits all – SFP (Software Fault Pattern) Secondaries give us the best opportunity
Key Statistics
1158 ICS Advisories processed; 2363 CVE references extracted
362 ‘Critical’, 1157 ‘High’
2049 CWE attributions; 7.4 average CVSS score
925 CVEs in the CWE Top 25 Most Dangerous Software Errors (2019)
40 with PoCs, 33 not responsibly disclosed, 37 OpenSSL-related
Classifying Vulnerabilities
[Chart: ICS CVE counts per OWASP Top 10 category – Injection, Broken Auth, Data Exposure, XXE, Broken Access Control, Security Misconfig, XSS, Insecure Deserialisation, Using Components with Known Vulnerabilities, Insufficient Logging and Monitoring; per-bar values not recoverable from the transcript]
[Chart: ICS CVE counts per CWE Top 25 (2019) entry – CWE-20, CWE-79, CWE-287, CWE-119, CWE-22, CWE-400, CWE-89, CWE-352, CWE-798, CWE-200, CWE-125, CWE-269, CWE-94, CWE-434, CWE-78, CWE-787, CWE-611, CWE-476, CWE-416, CWE-190, CWE-295, CWE-732, CWE-502, CWE-426; 925 CVEs in total fall in the Top 25, per-bar values not recoverable from the transcript]
Clustering Threats over the Years
[Chart: vulnerability clusters by year, 2012–2019; values not recoverable from the transcript]
Taking inspiration from Infographics
Current Vulnerability Trends
A TfL-style Map of ICS Vulnerabilities
Lines (line totals) and their stations (CWE attribution counts):
Access Control (92): Insecure Resource Access (17), Insecure Resource Permissions (15), Access Management (60)
Authentication (213): Authentication Bypass (102), Digital Certificate (1), Faulty Endpoint Authentication (9), Hardcoded Sensitive Data (44), Insecure Authentication Policy (12), Missing Authentication (29), Missing Endpoint Authentication (5), Unrestricted Authentication (11)
Channel Weaknesses (23): Channel Attack (22), Protocol Error (1)
Cryptography (23): Broken Cryptography (2), Weak Cryptography (21)
Exception Management (18): Unchecked Status Condition (14), Incorrect Exception Behaviour (4)
Information Leakage (214): Exposed Data (210), Other Exposures (2), State Disclosure (2)
Memory Management and Access (355): Faulty Memory Release (6), Faulty Buffer Access (336), Faulty Pointer Use (12), Incorrect Buffer Length Computation (1)
Other (34): Implementation (5), Architecture (23), Design (6)
Path Resolution (97): Path Traversal (97)
Resource Management (83): Failure to Release Resource (12), Faulty Resource Use (12), Life Cycle (1), Unrestricted Consumption (58)
Synchronisation (4): Race Condition Window (3), Unrestricted Lock (1)
Tainted Input (473): Tainted Input to Command (227), Tainted Input to Environment (67), Faulty Import Transformation (1), Incorrect Input Handling (3), Tainted Input to Variable (175)
UI (2): UI Security (2)
Risky Values (8): Glitch in Computation (8)
API (2): Use of Improper API (2)
Entry Points (2): Unexpected Entry Points (2)
Total: 1643 CWE attributions
What is Zone 1?
Are these ‘termini’ suitable?
80% coverage – where are the other 450 CVEs?
A TfL-style Map of ICS Vulnerabilities (revised)
Line totals: Access Control (165), Authentication (307), Channel Weaknesses (92), Cryptography (54), Exception Management (23), Information Leakage (231), Memory Management and Access (393), Other (42), Path Resolution (97), Resource Management (100), Synchronisation (4), Tainted Input (509), UI (2), Risky Values (26), API (2), Entry Points (2)
Total: 2049 CWE attributions
Stations (CWE attribution counts), in the order read from the map:
Insecure Resource Access (26), Insecure Resource Permissions (15), Authentication Bypass (124), Access Management (60), Digital Certificate (6), Faulty Endpoint Authentication (9), Hardcoded Credentials (50), Insecure Authentication Policy (13), Missing Authentication (32), Unrestricted Authentication (13)
Channel Attack (36), Protocol Error (1), Broken Cryptography (2), Weak Cryptography (21), Unchecked Status Condition (14), Incorrect Exception Behaviour (7)
Exposed Data (212), Predictable Value Range from Previous Values (6), State Disclosure (4)
Faulty Memory Release (6), Faulty Buffer Access (338), Faulty Pointer Use (16), Incorrect Buffer Length Computation (1)
Implementation (9), Architecture (23), Design (6), Path Traversal (97)
Failure to Release Resource (12), Faulty Resource Use (12), Life Cycle (1), Unrestricted Consumption (58), Race Condition Window (3), Unrestricted Lock (1)
Tainted Input to Command (227), Tainted Input to Environment (67), Faulty Import Transformation (1), Incorrect Input/Output Handling (12), Tainted Input to Variable (175)
UI Security (2), Glitch in Computation (8), Use of Improper API (2), Unexpected Entry Points (2)
Missing Endpoint Authentication (5), CSRF (51), Hardcoded Sensitive Data (44), Improper Privilege Management (31), Permissions, Privileges and Access Controls (33), Unrestricted Upload of File with Dangerous Type (20), Out of Bounds Write (17), Insecure Storage of Sensitive Information (4), Cryptographic Issues (13), Resource Management Issues (12), Untrusted Pointer Dereference (10), Insufficient Entropy (10), Use of Insufficiently Random Values (8), Use of Password Hash with Insufficient Computational Effort (7), Key Management Errors (7), Session Fixation (6), Other Exposures (5), PHP Remote File Inclusion (4), Hidden Functionality (4), Integer Overflow to Buffer Overflow (3), OWASP A9: Denial of Service (3), Execution with Unnecessary Privileges (3), Use of Weak PRNG (4), Error Conditions, Return Values and Status Codes (2), Untrusted Search Path (2), Access of Memory Location After End of Buffer (2), Use of Password Hash instead of Password (2), SSRF (2), Improper Restriction of Power Consumption (2), Improper Restriction of Channel to Intended Endpoints (2), XML Entity Expansion (1)
100% coverage
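The two maps above are the output of one operation: fold each CVE's CWE attributions into a categorisation scheme (SFP-style secondary clusters grouped into lines), measure how many attributions land on some station, and rank the unmapped CWEs so the most frequent gaps can be given a station of their own, which is how coverage moves from 80% to 100%. The following is an added example written for this page, not the talk's own analysis code. The cluster and line names are taken from the map, but which CWE sits in which cluster, and which line the added stations belong to, is a constructed assumption; the CVE identifiers are placeholders and the function names (`classify`, `coverage`, `extend_scheme`) are this example's own.

```python
"""Aggregate per-CVE CWE attributions into clusters and lines, report coverage,
and rank unmapped CWEs so the scheme can be extended where it matters most."""
from collections import Counter

# Assumed mapping, constructed for this example: cluster and line names follow the
# map, but the CWE-to-cluster assignment is an assumption, not the talk's data.
CWE_TO_CLUSTER = {
    "CWE-119": ("Memory Management and Access", "Faulty Buffer Access"),
    "CWE-787": ("Memory Management and Access", "Faulty Buffer Access"),
    "CWE-125": ("Memory Management and Access", "Faulty Buffer Access"),
    "CWE-476": ("Memory Management and Access", "Faulty Pointer Use"),
    "CWE-79":  ("Tainted Input", "Tainted Input to Command"),
    "CWE-89":  ("Tainted Input", "Tainted Input to Command"),
    "CWE-78":  ("Tainted Input", "Tainted Input to Command"),
    "CWE-20":  ("Tainted Input", "Tainted Input to Variable"),
    "CWE-22":  ("Path Resolution", "Path Traversal"),
    "CWE-200": ("Information Leakage", "Exposed Data"),
    "CWE-287": ("Authentication", "Authentication Bypass"),
    "CWE-798": ("Authentication", "Hardcoded Credentials"),
    "CWE-400": ("Resource Management", "Unrestricted Consumption"),
    "CWE-327": ("Cryptography", "Weak Cryptography"),
}

# Constructed sample attributions: one CWE list per CVE (placeholder identifiers).
SAMPLE_ATTRIBUTIONS = {
    "CVE-0000-0001": ["CWE-119"],
    "CVE-0000-0002": ["CWE-79"],
    "CVE-0000-0003": ["CWE-352"],          # CSRF: no station in the base scheme
    "CVE-0000-0004": ["CWE-22", "CWE-200"],
    "CVE-0000-0005": ["CWE-352"],
    "CVE-0000-0006": ["CWE-798"],
    "CVE-0000-0007": ["CWE-434"],          # unrestricted upload: also unmapped
    "CVE-0000-0008": ["CWE-787"],
    "CVE-0000-0009": ["CWE-20"],
    "CVE-0000-0010": ["CWE-119", "CWE-787"],
}


def classify(attributions, mapping):
    """Count attributions per line and per cluster; also count unmapped CWEs by id."""
    lines, clusters, unmapped = Counter(), Counter(), Counter()
    total = 0
    for cwes in attributions.values():
        for cwe in cwes:
            total += 1
            if cwe in mapping:
                line, cluster = mapping[cwe]
                lines[line] += 1
                clusters[cluster] += 1
            else:
                unmapped[cwe] += 1
    return {"total": total, "lines": lines, "clusters": clusters, "unmapped": unmapped}


def coverage(result):
    """Fraction of CWE attributions that land on a station (0.0 when there are none)."""
    if result["total"] == 0:
        return 0.0
    return 1 - sum(result["unmapped"].values()) / result["total"]


def extend_scheme(mapping, new_stations):
    """Return a copy of the mapping with extra cwe -> (line, cluster) entries added."""
    extended = dict(mapping)
    extended.update(new_stations)
    return extended


if __name__ == "__main__":
    base = classify(SAMPLE_ATTRIBUTIONS, CWE_TO_CLUSTER)
    print(f"coverage {coverage(base):.0%}; unmapped: {base['unmapped'].most_common()}")
    # Give the most frequent gaps their own stations (line placement assumed) and re-run.
    extended = extend_scheme(CWE_TO_CLUSTER, {
        "CWE-352": ("Authentication", "CSRF"),
        "CWE-434": ("Access Control", "Unrestricted Upload of File with Dangerous Type"),
    })
    full = classify(SAMPLE_ATTRIBUTIONS, extended)
    print(f"coverage {coverage(full):.0%}; lines: {dict(full['lines'])}")
```

Ranking the unmapped CWEs by frequency is what turns "where are the other 450 CVEs?" into an ordered list of stations to add; rerunning the same classification afterwards gives the revised line totals directly, so the two maps stay comparable.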
How severe is a vulnerability? What is the environmental impact?
We know what might be on the horizon… how do we detect/test for these issues?
Use of automated tooling: a combination of commercial/open source tooling
Fuzzing of inputs, app analysis, firmware analysis
Next steps…
Defining a framework to compare tooling
Adding new dimensions for analysis – severity, theme and additional context (e.g. patched)
Publishing first set of guidance for feedback