Difference between revisions of "Top 10 2013-A9-Using Components with Known Vulnerabilities"

From OWASP
Jump to: navigation, search
(Created page with "= TEMPORARY PLACEHOLDER for 2013 T10 = {{Top_10_2013:TopTemplate |usenext=2013NextLink |next={{Top_10_2010:ByTheNumbers |10 |year=2013}} ...")
 
m (added '#' at 'How Do I prevent...')
 
(15 intermediate revisions by 3 users not shown)
Line 1: Line 1:
= TEMPORARY PLACEHOLDER for 2013 T10 =
 
 
{{Top_10_2013:TopTemplate
 
{{Top_10_2013:TopTemplate
 
     |usenext=2013NextLink
 
     |usenext=2013NextLink
     |next={{Top_10_2010:ByTheNumbers
+
     |next=A10-{{Top_10_2010:ByTheNumbers
 
               |10
 
               |10
               |year=2013}}
+
               |year=2013
 +
              |language=en}}
 
     |useprev=2013PrevLink
 
     |useprev=2013PrevLink
     |prev={{Top_10_2010:ByTheNumbers
+
     |prev=A8-{{Top_10_2010:ByTheNumbers
 
               |8
 
               |8
               |year=2013}}
+
               |year=2013
 +
              |language=en}}
 +
    |year=2013
 +
    |language=en
 
}}
 
}}
  
{{Top_10_2010:SummaryTableHeaderBeginTemplate}}
+
{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}}
{{Top_10_2010:SummaryTableValue-1-Template|Exploitability|EASY}}
+
{{Top_10:SummaryTableTemplate|exploitability=2|prevalence=1|detectability=3|impact=2|year=2013|language=en}}
{{Top_10_2010:SummaryTableValue-2-Template|Prevalence|COMMON}}
+
{{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}}
{{Top_10_2010:SummaryTableValue-2-Template|Detectability|AVERAGE}}
+
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
{{Top_10_2010:SummaryTableValue-1-Template|Impact|SEVERE}}
+
Some vulnerable components (e.g., framework libraries) can be identified and exploited with automated tools, expanding the threat agent pool beyond targeted attackers to include chaotic actors.
{{Top_10_2010:SummaryTableHeaderEndTemplate}}
+
</td>
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>blank.</td>
+
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>blank</td>
+
Attacker identifies a weak component through scanning or manual analysis. He customizes the exploit as needed and executes the attack. It gets more difficult if the used component is deep in the application.
     <td colspan=2  {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>blank</td>
+
 
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>blank</td>
+
</td>
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>blank</td>
+
     <td colspan=2  {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
 +
Virtually every application has these issues because most development teams don’t focus on ensuring their components/libraries are up to date. In many cases,  the developers don’t even know all the components they are using, never mind their versions. Component dependencies make things even worse.
 +
 
 +
</td>
 +
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
 +
The full range of weaknesses is possible, including injection, broken access control, XSS, etc. The impact could range from minimal to complete host takeover and data compromise.
 +
 
 +
</td>
 +
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>
 +
Consider what each vulnerability might mean for the business controlled by the affected application. It could be trivial or it could mean complete compromise.
 +
 
 +
</td>
 
{{Top_10_2010:SummaryTableEndTemplate}}
 
{{Top_10_2010:SummaryTableEndTemplate}}
  
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=1|risk=9|year=2013}}
+
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=9|year=2013|language=en}}
blank
+
In theory, it ought to be easy to figure out if you are currently using any vulnerable components or libraries. Unfortunately, vulnerability reports for commercial or open source software do not always specify exactly which versions of a component are vulnerable in a standard, searchable way. Further, not all libraries use an understandable version numbering system. Worst of all, not all vulnerabilities are reported to a central clearinghouse that is easy to search, although sites like [http://cve.mitre.org/  CVE] and [http://nvd.nist.gov/home.cfm  NVD] are becoming easier to search.
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=2|risk=9|ear=2013}}
+
 
blank
+
Determining if you are vulnerable requires searching these databases, as well as keeping abreast of project mailing lists and announcements for anything that might be a vulnerability. If one of your components does have a vulnerability, you should carefully evaluate whether you are actually vulnerable by checking to see if your code uses the part of the component with the vulnerability and whether the flaw could result in an impact you care about.
#blankBullet1
+
 
#blankBullet2
+
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=9|year=2013|language=en}}
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=3|risk=9|year=2013}}
+
One option is not to use components that you didn’t write. But that’s not very realistic.
blank
+
 
{{Top_10_2010:ExampleBeginTemplate}}<span style="color:red;">blank code</span>{{Top_10_2010:ExampleEndTemplate}}
+
Most component projects do not create vulnerability patches for old versions. Instead, most simply fix the problem in the next version. So upgrading to these new versions is critical. Software projects should have a process in place to:
blank
+
# Identify all components and the versions you are using, including all dependencies. (e.g., the [http://mojo.codehaus.org/versions-maven-plugin/  versions] plugin).
{{Top_10_2010:ExampleBeginTemplate}}<nowiki>http://example.com/app/accountView?id=</nowiki><span style="color: red;">' or '1'='1</span>{{Top_10_2010:ExampleEndTemplate}}
+
# Monitor the security of these components in public databases, project mailing lists, and security mailing lists, and keep them up to date.
blank
+
# Establish security policies governing component use, such as requiring certain software development practices, passing security tests, and acceptable licenses.
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=4|risk=9|year=2013}}
+
# Where appropriate, consider adding security wrappers around components to disable unused functionality and/ or secure weak or vulnerable aspects of the component.
 +
 
 +
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=9|year=2013|language=en}}
 +
Component vulnerabilities can cause almost any type of risk imaginable, ranging from the trivial to sophisticated malware designed to target a specific organization. Components almost always run with the full privilege of the application, so flaws in any component can be serious, The following two vulnerable components were downloaded 22m times in 2011.
 +
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3451  Apache CXF Authentication Bypass] – By failing to provide an identity token, attackers could invoke any web service with full permission. (Apache CXF is a services framework, not to be confused with the Apache Application Server.)
 +
* [http://www.infosecurity-magazine.com/view/30282/remote-code-vulnerability-in-spring-framework-for-java/ Spring Remote Code Execution] – Abuse of the Expression Language implementation in Spring allowed attackers to execute arbitrary code, effectively taking over the server.
 +
 
 +
Every application using either of these vulnerable libraries is vulnerable to attack as both of these components are directly accessible by application users. Other vulnerable libraries, used deeper in an application, may be harder to exploit.
 +
 
 +
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=9|year=2013|language=en}}
 
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}
 
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}
* [[SQL_Injection_Prevention_Cheat_Sheet | OWASP SQL Injection Prevention Cheat Sheet]]
+
 
* [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html ESAPI Encoder API]
+
* [[OWASP Dependency Check|OWASP Dependency Check (for Java libraries)]]
{{Top_10_2010:SubSubsectionExternalReferencesTemplate}}
+
* [https://github.com/OWASP/SafeNuGet  OWASP SafeNuGet (for .NET libraries thru NuGet)]
* [http://cwe.mitre.org/data/definitions/77.html CWE Entry 77 on Command Injection]
+
* [[OWASP Good Component Practices Project]]
* [http://cwe.mitre.org/data/definitions/89.html CWE Entry 89 on SQL Injection]
+
 
 +
{{Top_10_2010:SubSubsectionExternalReferencesTemplate|language=en}}
 +
* [https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-Libraries.pdf  The Unfortunate Reality of Insecure Libraries]
 +
* [http://en.wikipedia.org/wiki/Open_source_software_security  Open Source Software Security]
 +
* [http://www.sonatype.com/content/download/1025/10060/file/sonatype_executive_security_brief_final.pdf  Addressing Security Concerns in Open Source Components]
 +
* [http://cve.mitre.org/ MITRE Common Vulnerabilities and Exposures]
 +
* [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0277  Example Mass Assignment Vulnerability that was fixed in ActiveRecord, a Ruby on Rails GEM]
  
 
{{Top_10_2013:BottomAdvancedTemplate
 
{{Top_10_2013:BottomAdvancedTemplate
 
     |type={{Top_10_2010:StyleTemplate}}
 
     |type={{Top_10_2010:StyleTemplate}}
 
     |usenext=2013NextLink
 
     |usenext=2013NextLink
     |next={{Top_10_2010:ByTheNumbers
+
     |next=A10-{{Top_10_2010:ByTheNumbers
 
               |10
 
               |10
               |year=2013}}
+
               |year=2013
 +
              |language=en}}
 
     |useprev=2013PrevLink
 
     |useprev=2013PrevLink
     |prev={{Top_10_2010:ByTheNumbers
+
     |prev=A8-{{Top_10_2010:ByTheNumbers
 
               |8
 
               |8
               |year=2013}}}}
+
               |year=2013
 
+
              |language=en}}
[[Category:OWASP Top Ten Project]]
+
    |year=2013
 +
    |language=en
 +
}}

Latest revision as of 16:15, 23 June 2013

← A8-Cross-Site Request Forgery (CSRF)
2013 Table of Contents

2013 Top 10 List

A10-Unvalidated Redirects and Forwards →
Threat Agents Attack Vectors Security Weakness Technical Impacts Business Impacts
Application Specific Exploitability
AVERAGE
Prevalence
WIDESPREAD
Detectability
DIFFICULT
Impact
MODERATE
Application / Business Specific

Some vulnerable components (e.g., framework libraries) can be identified and exploited with automated tools, expanding the threat agent pool beyond targeted attackers to include chaotic actors.

Attacker identifies a weak component through scanning or manual analysis. He customizes the exploit as needed and executes the attack. It gets more difficult if the used component is deep in the application.

Virtually every application has these issues because most development teams don’t focus on ensuring their components/libraries are up to date. In many cases, the developers don’t even know all the components they are using, never mind their versions. Component dependencies make things even worse.

The full range of weaknesses is possible, including injection, broken access control, XSS, etc. The impact could range from minimal to complete host takeover and data compromise.

Consider what each vulnerability might mean for the business controlled by the affected application. It could be trivial or it could mean complete compromise.

Am I Vulnerable To 'Using Components with Known Vulnerabilities'?

In theory, it ought to be easy to figure out if you are currently using any vulnerable components or libraries. Unfortunately, vulnerability reports for commercial or open source software do not always specify exactly which versions of a component are vulnerable in a standard, searchable way. Further, not all libraries use an understandable version numbering system. Worst of all, not all vulnerabilities are reported to a central clearinghouse that is easy to search, although sites like CVE and NVD are becoming easier to search.

Determining if you are vulnerable requires searching these databases, as well as keeping abreast of project mailing lists and announcements for anything that might be a vulnerability. If one of your components does have a vulnerability, you should carefully evaluate whether you are actually vulnerable by checking to see if your code uses the part of the component with the vulnerability and whether the flaw could result in an impact you care about.

How Do I Prevent 'Using Components with Known Vulnerabilities'?

One option is not to use components that you didn’t write. But that’s not very realistic.

Most component projects do not create vulnerability patches for old versions. Instead, most simply fix the problem in the next version. So upgrading to these new versions is critical. Software projects should have a process in place to:

  1. Identify all components and the versions you are using, including all dependencies. (e.g., the versions plugin).
  2. Monitor the security of these components in public databases, project mailing lists, and security mailing lists, and keep them up to date.
  3. Establish security policies governing component use, such as requiring certain software development practices, passing security tests, and acceptable licenses.
  4. Where appropriate, consider adding security wrappers around components to disable unused functionality and/ or secure weak or vulnerable aspects of the component.
Example Attack Scenarios

Component vulnerabilities can cause almost any type of risk imaginable, ranging from the trivial to sophisticated malware designed to target a specific organization. Components almost always run with the full privilege of the application, so flaws in any component can be serious, The following two vulnerable components were downloaded 22m times in 2011.

  • Apache CXF Authentication Bypass – By failing to provide an identity token, attackers could invoke any web service with full permission. (Apache CXF is a services framework, not to be confused with the Apache Application Server.)
  • Spring Remote Code Execution – Abuse of the Expression Language implementation in Spring allowed attackers to execute arbitrary code, effectively taking over the server.

Every application using either of these vulnerable libraries is vulnerable to attack as both of these components are directly accessible by application users. Other vulnerable libraries, used deeper in an application, may be harder to exploit.

References

OWASP

External

← A8-Cross-Site Request Forgery (CSRF)
2013 Table of Contents

2013 Top 10 List

A10-Unvalidated Redirects and Forwards →

© 2002-2013 OWASP Foundation This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved. CC-by-sa-3 0-88x31.png