Case studies

            Recently, the GRIMM independent security research team began to build a case of examples to display
            that there is an underlying risk being accepted, perhaps unknowingly, by a large number of organizations.
                                                            1
            The two examples that can be discussed publicly  are a Local Privilege Escalation (LPE) vulnerability in
            the Linux kernel and a Remote Code Execution (RCE) vulnerability in an enterprise time synchronization
            software product called Domain Time II. These two examples show the ability of vulnerabilities to be
            present in widely used products without being detected for well over a decade.


            The bugs that were exploited to construct the Linux LPE were originally introduced in 2006.  The exploit
            allowed an unprivileged user to gain root access, and it affected several Linux distributions in their default
            configurations.  The Domain Time II vulnerability allowed a network attacker to hijack the update process
            to trick the person applying the update to install malware.  The underlying vulnerability was present at
            least as far back as 2007.  Although the name might not be familiar, the software is used in many critical
            sectors, such as aerospace, defense, government, banking and securities, manufacturing, and energy.
            How do you uncover and/or mitigate these risks before they become an emergency?


            Strategies for addressing this risk

            There  are  a  number  of  different  ways  organizations  can  attempt  to  address  the  risk  of  unknown
            vulnerabilities, each with their own strong points and limitations.  It takes a combination of them for optimal
            coverage. Typical threat intelligence only informs you of attacks after they happen. This information may
            be helpful, but it will not allow you to truly get ahead of the problem.


            Maintaining an inventory of your environment is part of the solution, but without having a software bill of
            materials, there's a risk that things will be missed.  For example, GitLab uses the nginx web server, so if
            someone  only  sees  GitLab  on  the  asset  list,  they  may  not  realize  that  they  are  also  impacted  by
            vulnerabilities in nginx


            To control costs, traditional penetration tests are either scoped to be a mile wide and an inch deep, or
            they're very deep, but limited to one particular system.  These engagements are valuable, but it's not
            feasible to have in depth penetration tests on every single product that an organization uses.


            Having  your  own  dedicated  team  of  security  researchers  can  address  the  shortcomings  of  the
            approaches above.  An internal team will have a holistic view of your security posture, including the
            context of what is most important to your organization along with the ability to dig in and go where their
            research takes them.





            1  More examples are currently under embargo while we complete the coordinated disclosure process.  These will be made
            public in due time.






            Cyber Defense eMagazine – June 2021 Edition                                                                                                                                                                                                47
            Copyright © 2021, Cyber Defense Magazine.  All rights reserved worldwide.