Potential Vulnerability
- Terminology
- Vulnerabilities vs. Potential Vulnerabilities
- An example of a potential vulnerability
- SAST: in search of vulnerabilities and potential vulnerabilities
- Additional links
A potential vulnerability (security weakness) is an error in program code that can lead to a vulnerability. This happens when an attacker finds a way to exploit an error and affect program behavior.
Terminology
A software error (bug) causes a program to behave unexpectedly. Such bugs can remain hidden in a program. An attacker can exploit such errors, then it becomes a vulnerability. Vulnerabilities most often arise from common software errors, not from high-level security failures.
The National Institute of Standards and Technology (NIST) reports that 64% of software vulnerabilities stem from programming errors and not a lack of security features.
A potential vulnerability is a code error that hackers can exploit. Other terms: a security defect, a security weakness. Common Weakness Enumeration (CWE) is a list of dangerous weaknesses. So, if you have an error that fits the CWE list, you are dealing with a potential vulnerability.
A vulnerability refers to an error in a system that can be used for malicious purposes. The Common Vulnerabilities and Exposures (CVE) system provides a database of publicly known security vulnerabilities.
A zero-day vulnerability is an unknown flaw or vulnerability. Due to such a vulnerability, hackers can take over a system, use a remote desktop control, get access to your data, and so on. A zero-day attack happens when attackers release malware before a developer has an opportunity to create a patch to fix the vulnerability – hence "zero-day".
SAST (Static Application Security Testing) is a testing methodology that analyzes source code to find security vulnerabilities. We'll discuss SAST tools in detain below.
Vulnerabilities vs. Potential Vulnerabilities
Authors of articles and documentation on static code analyzers often confuse potential vulnerability and vulnerability. Perhaps writers just don't know the difference, or maybe they intentionally make the description more intimidating.
Here's an example of such a description:
The static analyzer found a vulnerability. A buffer overflow may occur here...
But this is not yet a vulnerability. This error is very likely to crash a program, but an attacker can't exploit such a bug. It has a low impact on a program, for example, it may cause discoloration of some GUI element.
A vulnerability occurs only when cybercriminals create an exploit to gain unauthorized access to a computer system. At first, we must understand whether we have a harmless bug or a vulnerability. Until then, we are dealing with a potential vulnerability.
We don't want to exaggerate and brag that the PVS-Studio analyzer found hundreds of vulnerabilities. Our tool searches for potential vulnerabilities. It's very unlikely that hackers could exploit them because it takes a lot of effort, time and skills to build an exploit. Although we constantly learn about new vulnerabilities, they still appear rarely. Meanwhile, PVS-Studio regularly finds thousands of errors in applications.
Note. If you use PVS-Studio as a plugin for SonarQube, some warnings get into the "Vulnerabilities" section. In fact, these are not vulnerabilities but potential vulnerabilities. SonarQube developers use the term vulnerability for significant defects.
Now we know why there's no need to call each error a vulnerability. However, a bugless app is the best app. So, don't hesitate to fix an error right away. Otherwise, some bad actor could exploit a bug in your code and create a new vulnerability. (i.e., you'll have a zero-day vulnerability).
An example of a potential vulnerability
The CWE database describes an "unreachable code" error as CWE-561, which means it is a potential vulnerability. A potential vulnerability may well be a harmless bug from security standpoint. But let's check its chances of becoming a critical vulnerability.
Take a look at a code snippet from the Vangers: One For The Road game (click here for further details).
void uvsVanger::break_harvest(void){
....
pg = Pworld -> escT[0] -> Pbunch
-> cycleTable[Pworld -> escT[0] -> Pbunch -> currentStage].Pgame;
if (!pg) {
return;
ErrH.Abort("uvsVanger::break_harvest : don't know where to go ");
}
....
}
PVS-Studio warning: V779 CWE-561 Unreachable code detected. It is possible that an error is present.
If an error occurs, the break_harvest function must write a message to the log. Then, the function finishes. The programmer puts the message to the log data after the return statement by accident. The debug warning does not get into the log. It's definitely better to fix such an issue. However, you can't call it a vulnerability.
Now let's take a look at the error that caused the vulnerability in iOS.
Vulnerability Description CVE-2014-1266: The SSLVerifySignedServerKeyExchange function in libsecurity_ssl/lib/sslKeyExchange.c in the Secure Transport feature in the Data Security component in Apple iOS 6.x before 6.1.6 and 7.x before 7.0.6, Apple TV 6.x before 6.0.2, and Apple OS X 10.9.x before 10.9.2 does not check the signature in a TLS Server Key Exchange message, which allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary private key for the signing step or omitting the signing step.
static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx,
bool isRsa,
SSLBuffer signedParams,
uint8_t *signature,
UInt16 signatureLen)
{
OSStatus err;
....
if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
goto fail;
if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
goto fail;
goto fail;
if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
goto fail;
....
fail:
SSLFreeBuffer(&signedHashes);
SSLFreeBuffer(&hashCtx);
return err;
}
Please note that PVS-Studio issues the same warning: V779 CWE-561 Unreachable code detected. It is possible that an error is present.
The double goto made a part of the code unreachable. Even if the err variable is null, the transition to the fail label occurs. That's why, a signature verification does not happen. The function returns 0, which indicates that the problem is not in the signature. Then, the program gets the server key, even if there are problems with the signature. This key encrypts data during transmission.
So, here the same potential vulnerability turns out to be a critical vulnerability.
Conclusion. It's clear that such error in a game is non-fatal in terms of security. But it may become fatal. Therefore, don't try to guess whether an error is dangerous. It's always better to fix a bug.
SAST: in search of vulnerabilities and potential vulnerabilities
There are two types of SAST tools.
Analyzers of the first type search for known vulnerabilities. They operate pretty much like antivirus software. Such analyzers detect common vulnerabilities (CVE) in code fragments.
Some old libraries may contain a known vulnerability. If a programmer used such a library, an analyzer would find a vulnerability. Database search tools almost do not issue false positives. However, they can't find errors in new code (zero-day vulnerabilities).
Analyzers of the second type search for zero-day vulnerabilities. Suppose an application contains a hidden error. If a hacker finds such a bug, they may create a new vulnerability.
Analyzers of the second type detect errors that are likely to cause a vulnerability. CWE provides a large list of such error patterns. Many analyzer developers use CWE as a guide.
The PVS-Studio analyzer is a SAST tool of the second type. It can classify warnings according to CWE. In other words, PVS-Studio prevents zero-day vulnerabilities.
Additional links
- PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerabilities
- How Can PVS-Studio Help in the Detection of Vulnerabilities?
- Technologies used in the PVS-Studio code analyzer for finding bugs and potential vulnerabilities
- PVS-Studio code analyzer as a tool for finding security defects and providing application security. Report by Forrester Research on SAST, Q3 2020
- What Is the Difference between DevOps and DevSecOps?
- OWASP, Vulnerabilities, and Taint Analysis in PVS-Studio for C#
0