Page 79 - Cyber Defense eMagazine August 2024
exploitation. Notable examples include EternalBlue and regreSSHion, which have caused widespread
concern due to their pre-auth nature.
Vulnerabilities that require no user interaction, known as "zero-click" (0-click) vulnerabilities, are
particularly dangerous. These vulnerabilities can be exploited without the victim doing anything, such as
clicking a link or opening a file. Zero-click vulnerabilities are often contrasted with "one-click" or "multi-
click" vulnerabilities, which require some degree of user interaction. The FORCEDENTRY exploit for
Apple iOS devices is a prime example of a 0-click vulnerability.
The ease with which a vulnerability can be exploited is another crucial factor. While having a public exploit
available significantly increases the danger, other factors also play a role. Modern exploits often consist
of multiple smaller vulnerabilities chained together, referred to as "primitives." This complexity can make
exploitation a challenging "cat and mouse" game between attackers and defenders. Some vulnerabilities
depend on rare conditions to trigger; exploits for them are known as statistical exploits. A failed attempt
can crash the target, producing a Denial of Service (DoS), and exploitation is inherently difficult and unreliable.
The impact of an RCE vulnerability is also influenced by the popularity of the affected software. A
vulnerability in widely used software like Windows or OpenSSH is inherently more critical than one in a
little-known application. For instance, the EternalBlue vulnerability in Windows had a massive impact
because of Windows' ubiquity.
How easy it is to patch a vulnerability also affects its criticality. Some vulnerabilities can be patched with a
simple update, while others might require significant changes to infrastructure or even new hardware.
The RowHammer vulnerability, for example, highlighted the difficulties in patching certain hardware-level
vulnerabilities. Additionally, vulnerabilities that are exploitable in the default configuration of an application
are particularly dangerous, as they affect a broader base of installations. Many users and organizations
do not change default configurations, making these vulnerabilities more likely to be exploited.
EternalBlue is one of the most infamous RCE vulnerabilities, affecting Windows SMB functionality in its
default configuration. The availability of a public exploit made millions of Windows machines vulnerable,
leading to widespread exploitation and significant impact on organizations worldwide. Several factors
contributed to its severity: it required only network communication with a Windows machine, making it a
0-click, pre-auth vulnerability. The Shadow Brokers leak included a functioning exploit, lowering the bar
for attackers. Windows' widespread use amplified the vulnerability's impact, and patching legacy
Windows systems proved challenging, exacerbating the vulnerability's effects.
The regreSSHion vulnerability, discovered in OpenSSH, is another significant pre-auth RCE. Despite its
alarming nature, a deeper analysis reveals mitigating factors. OpenSSH is widely used, making any
vulnerability in it potentially impactful. regreSSHion is a 0-click, pre-auth vulnerability that affects the
default configuration. However, the underlying issue is a race condition, a statistical vulnerability that is
hard to exploit reliably. The best-known exploit requires continuous attempts over several hours and is
prone to detection by security tools. While a proof-of-concept was quickly available, no fully functioning
exploit has been released, and existing ones are highly complex and environment-dependent.
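The article notes that the known regreSSHion exploit needs hours of repeated connection attempts and is therefore prone to detection. The following added example (not code from the article or from the OpenSSH project) shows one way a defender can turn that property into a detection: it counts, per source address, how many pre-auth grace-period timeouts sshd logs inside a sliding window and alerts on bursts. The log line format (`Timeout before authentication for <ip> port <port>`), the ten-minute window and the threshold of 20 are assumptions to verify against your own sshd logs; the log lines, hostnames and IP addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed format of sshd's LoginGraceTime expiry message (syslog-style, no year).
# Check this against real logs before relying on it.
TIMEOUT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:fatal: )?Timeout before authentication for "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_timeout_events(lines, year=2024):
    """Yield (timestamp, source_ip) for each grace-timeout line; other lines are skipped."""
    for line in lines:
        m = TIMEOUT_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; pin one so time deltas are well-defined
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        yield ts, m.group("ip")


def peak_timeouts_per_source(lines, window=timedelta(minutes=10)):
    """For each source IP, the largest number of grace timeouts seen inside any
    interval of length `window`. Lines must be in chronological (log) order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for ts, ip in parse_timeout_events(lines):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)


def grace_timeout_alerts(lines, window=timedelta(minutes=10), threshold=20):
    """Sources whose burst of pre-auth timeouts exceeds what ordinary clients produce.
    The threshold is a tuning assumption; a handful of stalled connections is normal,
    dozens per window from one address is not."""
    return {ip: n for ip, n in peak_timeouts_per_source(lines, window).items()
            if n >= threshold}


def build_sample_log():
    """Constructed sshd log: one normal login, one source with two unrelated stalled
    connections hours apart, and one source hitting the grace timeout every 10 seconds."""
    base = datetime(2024, 7, 2, 3, 0, 0)
    pid = 1000

    def entry(t, msg):
        nonlocal pid
        pid += 1
        # syslog pads single-digit days with a space: "Jul  2"
        return f"{t:%b} {t.day:2d} {t:%H:%M:%S} host sshd[{pid}]: {msg}"

    lines = [entry(base, "Accepted publickey for alice from 198.51.100.7 port 50122 ssh2: "
                         "ED25519 SHA256:placeholder")]
    lines.append(entry(base + timedelta(minutes=1),
                       "fatal: Timeout before authentication for 198.51.100.23 port 41000"))
    # burst consistent with repeated pre-auth attempts: 30 timeouts within 5 minutes
    for i in range(30):
        t = base + timedelta(minutes=2, seconds=10 * i)
        lines.append(entry(t, f"fatal: Timeout before authentication for 203.0.113.9 port {40000 + i}"))
    lines.append(entry(base + timedelta(hours=2),
                       "fatal: Timeout before authentication for 198.51.100.23 port 41001"))
    return lines


if __name__ == "__main__":
    for ip, count in grace_timeout_alerts(build_sample_log()).items():
        print(f"ALERT {ip}: {count} pre-auth timeouts within 10 minutes")
```

The sliding window is what makes this useful against a statistical exploit: a single timeout from a flaky client is noise, but the attempt rate an unreliable race condition forces on an attacker shows up as a sustained per-source burst that is easy to threshold on, and the same counter can feed a rate limiter or a block list.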
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.