Vulnerability (computer security): Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 21:09, 28 April 2025 edit Jruderman (talk \| contribs) Extended confirmed users, Rollbackers 3,732 edits m plural ← Previous edit		Latest revision as of 03:46, 13 August 2025 edit undo Steel1943 (talk \| contribs) Autopatrolled, Extended confirmed users, Page movers, Pending changes reviewers, Rollbackers, Template editors 228,915 edits m →Development factors: fix common MOS:REFSPACE spacing errors, replaced: {{sfn\| → {{sfn\| Tag: AWB
(19 intermediate revisions by 9 users not shown)
Line 1: {{short description\|Exploitable weakness in a computer system}} {{Computer hacking}} '''Vulnerabilities''' are flaws or weaknesses in a system's design, implementation, or management that can be exploited by a malicious actor to compromise its security. Despite ~~intentions~~a [[system administrator]]'s best efforts to achieve complete correctness, virtually all hardware and software contain [[Software bug\|bugs]] where the system does not behave as expected. If the bug could enable an attacker to compromise the [[confidentiality]], [[Data integrity\|integrity]], or [[availability]] of system resources, it iscan be ~~called~~considered a vulnerability. Insecure [[software development]] practices as well as design factors such as complexity can increase the burden of vulnerabilities. ~~There are different types most common in different components such as hardware, operating systems, and applications.~~ [[Vulnerability management]] is a process that includes identifying systems and prioritizing which are most important, scanning for vulnerabilities, and taking action to secure the system. Vulnerability management typically is a combination of remediation ~~(fixing the vulnerability)~~, mitigation ~~(increasing the difficulty or reducing the danger of exploits)~~, and accepting risks that are not economical or practical to eliminate. Vulnerabilities can be scored for risk according to the [[Common Vulnerability Scoring System]] or other systems, and added to vulnerability databases. {{as of\| November 2024}}, there are more than 240,000 vulnerabilities<ref name="Metrics">{{cite web \|url=https://www.cve.org/About/Metrics \|title=CVE - Program Metrics \|date=15 November 2024 }}</ref> catalogued in the [[Common Vulnerabilities and Exposures]] (CVE) databaseacceptance. Vulnerabilities can be scored for severity according to the [[Common Vulnerability Scoring System]] (CVSS) and added to vulnerability databases such as the [[Common Vulnerabilities and Exposures]] (CVE) database. As of November 2024, there are more than 240,000 vulnerabilities catalogued in the CVE database.<ref name="Metrics">{{cite web \|url=https://www.cve.org/About/Metrics \|title=CVE - Program Metrics \|date=15 November 2024 }}</ref> A vulnerability is initiated when it is introduced into hardware or software. It becomes active and exploitable when the software or hardware containing the vulnerability is running. The vulnerability may be discovered by the vendor or a third party. Disclosing the vulnerability (as a [[software patch \|patch]] or otherwise) is associated with an increased risk of compromise because attackers often move faster than patches are rolled out. Regardless of whether a patch is ever released to remediate the vulnerability, its lifecycle will eventually end when the system, or older versions of it, fall out of use.▼ ▲A vulnerability is initiated when it is introduced into hardware or software. It becomes active and exploitable when the software or hardware containing the vulnerability is running. The vulnerability may be discovered by the administrator, vendor, or a third party. ~~Disclosing~~Publicly [[Full disclosure (computer security)\|disclosing the vulnerability]] (asthrough a [[~~software patch~~Patch (computing)\|patch]] or otherwise) is associated with an increased risk of compromise, ~~because~~as attackers ~~often~~can ~~move~~use ~~faster~~this ~~than~~knowledge ~~patches~~to ~~are~~target ~~rolled~~existing ~~out.~~systems ~~Regardless~~before ofpatches ~~whether~~are ~~a patch is ever released to remediate the vulnerability, its~~implemented. ~~lifecycle~~Vulnerabilities will eventually end when the system, oris ~~older~~either ~~versions~~patched ofor ~~it,~~removed ~~fall out of~~from use. ==Causes== Despite ~~developers' goal of delivering~~ a ~~product~~system ~~that~~administrator's ~~works~~best ~~entirely as intended~~efforts, virtually all ~~[[software bugs\|software]]~~hardware and ~~[[hardware bug\|hardware]]~~software contain bugs.{{sfn\|Ablon\|Bogart\|2017\|p=1}} If a bug creates a security risk, it is called a vulnerability.{{sfn\|Ablon\|Bogart\|2017\|p=2}}{{sfn\|Daswani \|Elbayadi\|2021\|p=25}}{{sfn\|Seaman\|2020\|pp=47-48}} [[Software ~~patch]]es~~patches are often released to fix identified vulnerabilities, but ~~those that remain unknown (~~[[~~Zero~~zero-~~day (computing)\|zero day~~days]]~~s) as well as those that have not been patched~~ are still liable for exploitation.{{sfn\|Daswani \|Elbayadi\|2021\|pp=26-27}} Vulnerabilities vary in their ability to be [[Exploit (computer security)\|~~exploit~~exploited]]ed by malicious actors,~~{{sfn\|Ablon\|Bogart\|2017\|p=2}}~~ and the actual risk is dependent on the nature of the vulnerability as well as the value of the surrounding system.{{sfn\|Haber \|Hibbert\|2018\|pp=5-6}} Although some vulnerabilities can only be used for [[denial of service]] attacks, more dangerous ones allow the attacker to perform [[code injection~~\|inject~~]] ~~and run their own code (called [[malware]]),~~ without the user's ~~being aware of it~~awareness.{{sfn\|Ablon\|Bogart\|2017\|p=2}} Only a minority of vulnerabilities allow for [[privilege escalation]], which is typically necessary for more severe attacks.{{sfn\|Haber \|Hibbert\|2018\|p=6}} Without a vulnerability, ~~the~~an exploit typically cannot gain access.{{sfn\|Haber \|Hibbert\|2018\|p=10}} It is also possible for [[malware]] to be installed directly, without an exploit, ~~if the attacker uses~~through [[Social engineering (security)\|social engineering]] or ~~implants~~poor ~~the~~[[physical ~~malware~~security]] insuch ~~legitimate~~as ~~software~~an ~~that~~unlocked isdoor or ~~downloaded~~exposed ~~deliberately~~port.{{sfn\|Haber \|Hibbert\|2018\|pp=13–14}} ===Design factors=== Vulnerabilities can be worsened by poor design factors, such as: ~~Fundamental design factors that can increase the burden of vulnerabilities include:~~ Complexity: Large, complex systems increase the ~~probability~~possibility of flaws and unintended ~~[[File system permissions\|~~access ~~point]]s~~points.<ref name=Vacca23>{{cite book\|last= Kakareka\|first=Almantas\|editor-last=Vacca\|editor-first=John\|title=Computer and Information Security Handbook\|series=Morgan Kaufmann Publications\|year=2009\|publisher= Elsevier Inc\|isbn= 978-0-12-374354-1\|page=393\|chapter=23}}</ref> Familiarity: Using common, well-known code, software, operating systems, and/or hardware increases the probability an attacker has or can find the knowledge and tools to exploit the flaw.<ref>{{cite book \| title = Technical Report CSD-TR-97-026 \| first = Ivan \| last = Krsul \| publisher = The COAST Laboratory Department of Computer Sciences, Purdue University \| date = April 15, 1997 \| citeseerx = 10.1.1.26.5435 }}</ref> However, using well-known software, particularly [[free and open-source software]], comes with the benefit of having more frequent and reliable software patches for any discovered vulnerabilities.{{cn\|date=May 2025}}▼ ~~\|last= Kakareka~~ Connectivity: any system connected to the internet can be accessed and compromised. [[Air gap (networking)\|Disconnecting systems from the internet]] iscan ~~one~~be ~~truly~~extremely effective ~~measure~~at ~~against~~preventing attacks, but it is ~~rarely~~not always feasible.{{sfn\|Linkov\|Kott\|2019\|p=2}} ▼ ~~\|first=Almantas~~ [[Legacy software]] and [[legacy hardware\|hardware]] is at increased risk, ~~but~~by nature.{{sfn\|Haber \|Hibbert\|2018\|p=155}} System administrators should consider upgrading ~~often~~from legacy systems, but this is often prohibitive in terms of cost and [[downtime]].{{~~sfn~~cn\|~~Haber \|Hibbert\|2018\|p~~date=~~155~~May 2025}}▼ ~~\|editor-last=Vacca~~ ~~\|editor-first=John~~ ~~\|title=Computer and Information Security Handbook~~ ~~\|series=Morgan Kaufmann Publications~~ ~~\|year=2009~~ ~~\|publisher= Elsevier Inc~~ ~~\|isbn= 978-0-12-374354-1~~ ~~\|page=393~~ ~~\|chapter=23~~ }} ~~</ref>~~ ▲Familiarity: Using common, well-known code, software, operating systems, and/or hardware increases the probability an attacker has or can find the knowledge and tools to exploit the flaw.<ref>{{cite book \| title = Technical Report CSD-TR-97-026 \| first = Ivan \| last = Krsul \| publisher = The COAST Laboratory Department of Computer Sciences, Purdue University \| date = April 15, 1997 \| citeseerx = 10.1.1.26.5435 }}</ref> ▲Connectivity: any system connected to the internet can be accessed and compromised. [[Air gap (networking)\|Disconnecting systems from the internet]] is one truly effective measure against attacks, but it is rarely feasible.{{sfn\|Linkov\|Kott\|2019\|p=2}} ▲[[Legacy software]] and [[legacy hardware\|hardware]] is at increased risk, but upgrading often is prohibitive in terms of cost and [[downtime]].{{sfn\|Haber \|Hibbert\|2018\|p=155}} ===Development factors=== Some [[software development]] practices can affect the risk of vulnerabilities being introduced to a code base. Lack of knowledge about secure software development or excessive pressure to deliver features quickly can lead to avoidable vulnerabilities to enter production code, especially if security is not prioritized by the [[company culture]]. This can lead to unintended vulnerabilities. The more complex the system is, the easier it is for vulnerabilities to go undetected. Some vulnerabilities are deliberately planted, which could be for any reason from a disgruntled employee selling access to cyber criminals, to sophisticated state-sponsored schemes to introduce vulnerabilities to software.{{sfn\|Strout\|2023\|p=17}} Inadequate [[code review]]s can lead to missed bugs, but there are also [[Static application security testing\|static code analysis]] tools that can be used as part of code reviews and may find some vulnerabilities.{{sfn\|Haber \|Hibbert\|2018\|p=143}} Poor [[software development]] practices can affect the likelihood of introducing vulnerabilities to a code base. Lack of knowledge or training regarding secure software development, excessive pressure to deliver, or an excessively complex code base can all allow vulnerabilities to be introduced and left unnoticed. These factors can also be exacerbated if security is not prioritized by the [[company culture]].{{sfn\|Strout\|2023\|p=17}} Inadequate [[code review]]s can also lead to missed bugs, but there are also [[Static application security testing\|static code analysis]] tools that can be used during the code review process to help find some vulnerabilities.{{sfn\|Haber \|Hibbert\|2018\|p=143}} [[DevOps]], a development workflow that emphasizes automated testing and deployment to speed up the deployment of new features, often requires that many developers be granted access to change configurations, which can lead to deliberate or inadvertent inclusion of vulnerabilities.{{sfn\|Haber \|Hibbert\|2018\|p=141}} Compartmentalizing dependencies, which is often part of DevOps workflows, can reduce the [[attack surface]] by paring down dependencies to only what is necessary.{{sfn\|Haber \|Hibbert\|2018\|p=142}} If [[software as a service]] is used, rather than the organization's own hardware and software, the organization is dependent on the cloud services provider to prevent vulnerabilities.{{sfn\|Haber \|Hibbert\|2018\|pp=135-137}} ===National Vulnerability Database classification=== {{missing information\|section\|the other causes\|date=May 2025}} The [[National Vulnerability Database]] classifies vulnerabilities into eight root causes that may be overlapping, including:{{sfn\|Garg\|Baliyan\|2023\|pp=17–18}} #[[Improper input validation\|Input validation]] ~~(including [[buffer overflow]] and [[boundary condition]])~~ vulnerabilities ~~occur~~exist when [[input checking]] is not sufficient to prevent the attacker from injecting malicious code. [[Buffer overflow]] exploits, [[buffer underflow]] exploits, and [[boundary condition]] exploits typically take advantage of this category.{{sfn\|Garg\|Baliyan\|2023\|p=17}} # [[Access control]] vulnerabilities enable an attacker to access a system that is supposed to be restricted to them, or engage in [[privilege escalation]].{{sfn\|Garg\|Baliyan\|2023\|p=17}} #When the system fails to handle and exceptional or unanticipated condition correctly, an attacker can exploit the situation to gain access.{{sfn\|Garg\|Baliyan\|2023\|p=18}} #~~A [[configuration~~ Configuration vulnerability]] ~~comes~~come into existence when configuration settings cause risks to the system security, leading to such faults as unpatched software or file system permissions that do not sufficiently restrict access.{{sfn\|Garg\|Baliyan\|2023\|p=18}} #A [[race condition]]—when timing or other external factors change the outcome and lead to inconsistent or unpredictable results—can cause a vulnerability.{{sfn\|Garg\|Baliyan\|2023\|p=18}} Line 80 ⟶ 72: ===Remediation=== Remediation fixes vulnerabilities, for example by downloading a [[software patch]].{{sfn\|Haber \|Hibbert\|2018\|p=11}} [[~~Software vulnerability~~Vulnerability scanner]]s are typically unable to detect zero-day vulnerabilities, but are more effective at finding known vulnerabilities based on a database. These systems can find some known vulnerabilities and advise fixes, such as a patch.{{sfn \|Strout \|2023\|p=8}}{{sfn\|Haber \|Hibbert\|2018\|pp=12-13}} However, they have limitations including [[false positive]]s.{{sfn\|Haber \|Hibbert\|2018\|p=11}} Vulnerabilities can only be exploited when they are active-the software in which they are embedded is actively running on the system.{{sfn\|Haber \|Hibbert\|2018\|p=84}} Before the code containing the vulnerability is configured to run on the system, it is considered a carrier.{{sfn\|Haber \|Hibbert\|2018\|p=85}} Dormant vulnerabilities can run, but are not currently running. Software containing dormant and carrier vulnerabilities can sometimes be uninstalled or disabled, removing the risk.{{sfn\|Haber \|Hibbert\|2018\|pp=84-85}} Active vulnerabilities, if distinguished from the other types, can be prioritized for patching.{{sfn\|Haber \|Hibbert\|2018\|p=84}} Line 116 ⟶ 108: {{refbegin\|indent=yes}} {{cite book \|last1=Ablon \|first1=Lillian \|last2=Bogart \|first2=Andy \|title=Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits \|date=2017 \|publisher=Rand Corporation \|isbn=978-0-8330-9761-3 \|language=en\|url=https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf}} {{cite journal \| last1=Agrafiotis \| first1=Ioannis \| last2=Nurse \| first2=Jason R C \| last3=Goldsmith \| first3=Michael \| last4=Creese \| first4=Sadie \| last5=Upton \| first5=David \| title=A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate \| journal=Journal of Cybersecurity \| volume=4 \| issue=1 \| date=2018 \| issn=2057-2085 \| doi=10.1093/cybsec/tyy006\|ref={{sfnref\|Agrafiotis et al.\|2018}}\| doi-access=free }} {{cite book \|last1=Daswani \|first1=Neil\|authorlink=Neil Daswani \|last2=Elbayadi \|first2=Moudy \|title=Big Breaches: Cybersecurity Lessons for Everyone \|date=2021 \|publisher=Apress \|isbn=978-1-4842-6654-0}} *{{cite book \|last1=Garg \|first1=Shivi \|last2=Baliyan \|first2=Niyati \|title=Mobile OS Vulnerabilities: Quantitative and Qualitative Analysis \|date=2023 \|publisher=CRC Press \|isbn=978-1-000-92451-0 \|language=en}}