Page 47 - Cyber Defense eMagazine for June 2021
Case studies
Recently, the GRIMM independent security research team began to build a case of examples to display that there is an underlying risk being accepted, perhaps unknowingly, by a large number of organizations.[1]
The two examples that can be discussed publicly are a Local Privilege Escalation (LPE) vulnerability in the Linux kernel and a Remote Code Execution (RCE) vulnerability in an enterprise time synchronization software product called Domain Time II. Together they show that vulnerabilities can sit in widely used products, undetected, for well over a decade.
The bugs that were chained to construct the Linux LPE were originally introduced in 2006. The exploit allowed an unprivileged user to gain root access, and it affected several Linux distributions in their default configurations. The Domain Time II vulnerability allowed a network attacker to hijack the update process and trick the person applying the update into installing malware. The underlying vulnerability was present at least as far back as 2007. Although the name might not be familiar, the software is used in many critical sectors, such as aerospace, defense, government, banking and securities, manufacturing, and energy.
How do you uncover and/or mitigate these risks before they become an emergency?
Strategies for addressing this risk
There are a number of different ways organizations can attempt to address the risk of unknown vulnerabilities, each with its own strong points and limitations. It takes a combination of them for optimal coverage. Typical threat intelligence only informs you of attacks after they happen. This information may be helpful, but it will not allow you to truly get ahead of the problem.
Maintaining an inventory of your environment is part of the solution, but without a software bill of materials (SBOM) for each product on that inventory, there is a risk that things will be missed. For example, GitLab bundles the nginx web server, so if someone only sees GitLab on the asset list, they may not realize that they are also exposed to vulnerabilities in nginx.
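The GitLab/nginx point can be made mechanical: resolve each inventoried product through its SBOM and ask whether a named component (at a vulnerable version) is reachable, instead of string-matching the asset list. The following script is an added illustration, not code from the article or from GRIMM. The hostnames, product versions, dependency graphs and the "vulnerable below version X" predicates are all constructed for the example, and the SBOM layout is a simplified CycloneDX-style `dependencies` list (ref -> dependsOn) rather than a full document.

```python
"""Cross-reference an asset inventory against per-product SBOMs.

Added example: inventory, SBOMs and version thresholds below are constructed,
and the SBOM shape is a stripped-down CycloneDX-style dependency graph.
"""
from __future__ import annotations

from collections import deque
from typing import Callable

# Constructed asset inventory: hostname -> products the asset runs.
# Nothing here says "nginx" for git01; that only shows up through the SBOM.
INVENTORY: dict[str, list[str]] = {
    "git01.corp.example": ["gitlab-ee@13.12.0"],
    "web01.corp.example": ["nginx@1.20.0"],
    "db01.corp.example": ["postgresql@13.2"],
    "legacy01.corp.example": ["timesync-agent@4.2"],  # constructed; no SBOM on file
}

# Constructed, simplified SBOMs keyed by product ref. Each is a CycloneDX-style
# dependency list: {"ref": parent, "dependsOn": [child refs]}.
SBOMS: dict[str, dict] = {
    "gitlab-ee@13.12.0": {
        "dependencies": [
            {"ref": "gitlab-ee@13.12.0", "dependsOn": ["nginx@1.18.0", "postgresql@12.6"]},
            {"ref": "nginx@1.18.0", "dependsOn": ["pcre@8.44"]},
        ]
    },
    "nginx@1.20.0": {
        "dependencies": [{"ref": "nginx@1.20.0", "dependsOn": ["pcre@8.44"]}]
    },
    "postgresql@13.2": {
        "dependencies": [{"ref": "postgresql@13.2", "dependsOn": ["openssl@1.1.1"]}]
    },
}

Version = tuple[int, ...]


def parse_ref(ref: str) -> tuple[str, Version]:
    """Split 'name@1.2.3' into ('name', (1, 2, 3))."""
    name, _, version = ref.rpartition("@")
    return name, tuple(int(part) for part in version.split("."))


def dependency_paths(sbom: dict, root: str) -> dict[str, list[str]]:
    """Breadth-first walk of the SBOM dependency graph starting at `root`.

    Returns every reachable component ref mapped to the path that leads to it,
    so a hit can be explained as 'gitlab-ee -> nginx -> pcre' rather than just
    'affected'. Cycles are tolerated because each ref is visited once.
    """
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        current = queue.popleft()
        for child in edges.get(current, []):
            if child not in paths:
                paths[child] = paths[current] + [child]
                queue.append(child)
    return paths


def naive_affected(inventory: dict[str, list[str]], component: str) -> list[str]:
    """What the asset list alone tells you: hosts naming the component directly."""
    return sorted(
        host for host, products in inventory.items()
        if any(parse_ref(p)[0] == component for p in products)
    )


def sbom_affected(
    inventory: dict[str, list[str]],
    sboms: dict[str, dict],
    component: str,
    is_vulnerable: Callable[[Version], bool],
) -> dict[str, list[str]]:
    """Resolve each asset's products through their SBOMs.

    Returns {host: [dependency path, ...]} for every asset that reaches
    `component` at a version for which `is_vulnerable(version)` is true.
    A product with no SBOM is checked by its own name only (see missing_sboms).
    """
    hits: dict[str, list[str]] = {}
    for host, products in inventory.items():
        for product in products:
            sbom = sboms.get(product)
            paths = dependency_paths(sbom, product) if sbom else {product: [product]}
            for ref, path in paths.items():
                name, version = parse_ref(ref)
                if name == component and is_vulnerable(version):
                    hits.setdefault(host, []).append(" -> ".join(path))
    return hits


def missing_sboms(inventory: dict[str, list[str]], sboms: dict[str, dict]) -> list[str]:
    """Products on the inventory with no SBOM: blind spots, not 'not affected'."""
    return sorted({p for products in inventory.values() for p in products if p not in sboms})


if __name__ == "__main__":
    # Hypothetical advisory: nginx below 1.19.0 is affected.
    print("asset list only:", naive_affected(INVENTORY, "nginx"))
    print("via SBOM:", sbom_affected(INVENTORY, SBOMS, "nginx", lambda v: v < (1, 19, 0)))
    print("no SBOM on file:", missing_sboms(INVENTORY, SBOMS))
```

The asset-list lookup is wrong in both directions: it names `web01` (whose nginx 1.20.0 is outside the hypothetical affected range) and misses `git01`, which carries a vulnerable nginx inside GitLab. The `missing_sboms` output is the operationally important part: a product with no bill of materials has to be treated as an open question, not as clean.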
To control costs, traditional penetration tests are either scoped to be a mile wide and an inch deep, or they are very deep but limited to one particular system. These engagements are valuable, but it is not feasible to have in-depth penetration tests on every single product that an organization uses.
Having your own dedicated team of security researchers can address the shortcomings of the
approaches above. An internal team will have a holistic view of your security posture, including the
context of what is most important to your organization along with the ability to dig in and go where their
research takes them.
[1] More examples are currently under embargo while we complete the coordinated disclosure process. These will be made public in due time.
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.