Security Vulnerabilities in Third Party Code - Fix All the Things!


Security Vulnerabilities in Third Party Code: FIX ALL THE THINGS! – Kymberlee Price, Bugcrowd

whoami?

- Senior Director of a Red Team
- PSIRT Case Manager
- Data Analyst
- Internet Crime Investigator
- Security Evangelist
- Behavioral Psychologist
- Lawful Good
- @kym_possible

Agenda

- Quick overview of problem space
- A deeper look at 7 specific libraries
- Library Management
- SDL Recommendations
- Case study

Development Realities

Can only pick two! Hint: security.

Where the Vulns Are

“Third-party programs are responsible for 76% of the vulnerabilities discovered in the 50 most popular programs in 2013, say the results of Secunia's Vulnerability Review 2014”

http://www.net-security.org/secworld.php?id=16448

When reviewing this report, you find that it is flawed: it is not referring to 3rd party libraries but to third party software, i.e. non-Microsoft programs.

Vulnerabilities by Type (chart; source: VulnDB, July 14, 2015)

Logjam

bashHOLE?

Shell Shock.. meh

BashBleed

2013-01-12 – GNU C Library Function Heap Buffer Overflow (GHOST)

2005-06-08 – Microsoft IE Script Code Obfuscation (Ghost)

How many vulnerabilities do you think there have been in OpenSSL since Heartbleed? (Please don't use the Secunia counting method!)

Let's Play Another Game!

OpenSSL vulnerabilities disclosed since Heartbleed (VulnDB ID, disclosure date, CVSSv2 score, title):

ID      Disclosed   CVSS  Title
124300  7/9/2015    4     OpenSSL crypto/x509/x509_vfy.c X509_verify_cert() Function Alternative Certificate Chain Handling Certificate Validation Bypass
123176  6/11/2015   10    OpenSSL DTLS Application Data Buffering Invalid Free Remote Memory Corruption
123175  6/11/2015   7.8   OpenSSL signedData Message Unknown Hash Function Processing Infinite Loop Remote DoS
123174  6/11/2015   7.8   OpenSSL crypto/pkcs7/pk7_doit.c PKCS7_dataDecode() Function ASN.1-encoded PKCS#7 Blob Handling NULL Pointer Dereference Remote DoS
123173  6/11/2015   8.5   OpenSSL crypto/x509/x509_vfy.c X509_cmp_time() Function ASN1_TIME String Handling Out-of-bounds Read Issue
123172  6/11/2015   7.8   OpenSSL crypto/bn/bn_gf2m.c BN_GF2m_mod_inv() Function ECParameters Structure Binary Polynomial Field Parsing Infinite Loop Remote DoS
122875  6/2/2015    10    OpenSSL NewSessionTicket Ticket Re-use Double-free Remote Unspecified Issue
122733  5/26/2015   7.8   OpenSSL crypto/bn/random.c BN_rand() Function Off-by-one Buffer Overflow DoS
122331  5/19/2015   4     Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
122984  5/19/2015   7.5   OpenSSL crypto/bn/bn_print.c BN_bn2hex() Function Off-by-one Buffer Overflow Weakness
119692  3/18/2015   7.8   OpenSSL Invalid Signature Algorithms Extension Renegotiation NULL Pointer Dereference Remote DoS
119760  3/16/2015   7.1   OpenSSL ssl/d1_lib.c dtls1_listen() Function SSL Object State Preservation DoS
119757  3/16/2015   7.8   OpenSSL SSLv2 CLIENT-MASTER-KEY Message Handling Assertion Remote DoS
119758  3/16/2015   7.1   OpenSSL ssl/s3_pkt.c ssl3_write_bytes() Function Multiblock Implementation DoS
119614  3/16/2015   7.8   OpenSSL Client Authentication DHE Ciphersuite Zero-length ClientKeyExchange Message Handling Remote DoS
119756  3/16/2015   7.1   OpenSSL PKCS#7 Missing Outer ContentInfo Handling NULL Pointer Dereference DoS
119759  3/16/2015   7.1   OpenSSL crypto/rsa/rsa_ameth.c rsa_item_verify() Function Invalid PSS Parameters Handling NULL Pointer Dereference DoS
119755  3/16/2015   9.3   OpenSSL crypto/asn1/tasn_dec.c ASN1_item_ex_d2i() Function ASN.1 Structure Reuse Memory Corruption
119761  3/16/2015   7.1   OpenSSL crypto/asn1/a_type.c ASN1_TYPE_cmp() Function Invalid Read DoS
119673  3/10/2015   2.6   OpenSSL s3_clnt.c ssl3_client_hello() Function Unseeded PRNG Handshake Completion Predictable Output
120058  3/3/2015    2.6   OpenSSL Malformed TLS Handshake False Start Data Remote MitM Disclosure Weakness
119328  3/2/2015    5.4   OpenSSL crypto/x509/x509_req.c X509_to_X509_REQ() Function Public Key Handling NULL Pointer Dereference DoS
118817  2/25/2015   10    OpenSSL crypto/ec/ec_asn1.c d2i_ECPrivateKey() Function Error Handling Use-after-free DoS
117855  1/19/2015   2.6   Secure Sockets Layer Version 3 (SSLv3) / Transport Layer Security (TLS) Protocols RC4 Cipher Key Invariance Weakness MitM Plaintext Disclosure (BAR-MITZVAH)
116791  1/8/2015    7.8   OpenSSL dtls1_buffer_record() Function DTLS Record Saturation Handling Memory Leak Remote DoS
116793  1/8/2015    7.8   OpenSSL dtls1_get_record DTLS Message Handling NULL Pointer Dereference Remote DoS
116790  1/8/2015    5.1   OpenSSL TLS DH Certificate Missing Certificate Verify Message Handling MitM Spoofing (SKIP-TLS)
116796  1/8/2015    5.1   OpenSSL Bignum Squaring Incorrect Result Weakness
116794  1/6/2015    4     OpenSSL RSA Temporary Key Handling EXPORT_RSA Ciphers Downgrade MitM (FREAK)
116792  1/5/2015    4.3   OpenSSL Signature Algorithm / Signature Encoding Modification Certificate Fingerprint Manipulation Weakness
116795  1/5/2015    5     OpenSSL Missing Server Key Exchange Message Handling ECDH Ciphersuite Downgrade Issue
116423  10/16/2014  7.8   OpenSSL s23_srvr.c ssl23_get_client_hello() Function SSLv3 Handshake Handling NULL Pointer Dereference Remote DoS
113377  10/15/2014  5     OpenSSL no-ssl3 Build Option SSL 3.0 Handshake Handling Weakness
113373  10/14/2014  7.8   OpenSSL DTLS SRTP Extension Parsing Code Handshake Message Handling Memory Leak Remote DoS
113374  10/14/2014  7.8   OpenSSL SSL/TLS/DTLS Server Failed Session Ticket Verification Handling Memory Leak Remote DoS
113251  10/13/2014  2.6   SSL 3.0 Protocol CBC-mode Ciphers Fallback MitM Remote Cleartext Information Disclosure (POODLE)
109892  8/6/2014    7.8   OpenSSL DTLS Handshake Messages Processing Memory Consumption Remote DoS
109893  8/6/2014    7.8   OpenSSL DTLS Packet Handling Double-free Remote DoS
109894  8/6/2014    5     OpenSSL OBJ_obj2txt Multiple Pretty Printing Functions Pretty Printing Output Remote Information Disclosure
109898  8/6/2014    7.1   OpenSSL SRP Ciphersuite NULL Pointer Dereference Remote DoS
109891  8/6/2014    7.8   OpenSSL Crafted DTLS Packet Handling Memory Leak Remote DoS
109897  8/6/2014    10    OpenSSL SRP Protocol Code Multiple Parameter Remote Buffer Overflow
109896  8/6/2014    2.6   OpenSSL SSL/TLS Server Code ClientHello Message Fragmentation Forced TLS Downgrade Weakness
109902  8/6/2014    9.3   OpenSSL ssl_parse_serverhello_tlsext Resumed Session EC Point Format Extension Handling Race Condition Use-after-free Issue
109895  8/6/2014    7.8   OpenSSL Anonymous (EC)DH Ciphersuite Crafted Handshake Messages NULL Pointer Dereference Remote DoS
107731  6/4/2014    7.8   OpenSSL TLS Client Anonymous ECDH Ciphersuite Unspecified Remote DoS
107730  6/4/2014    10    OpenSSL Invalid DTLS Fragment Handling Remote Buffer Overflow
107732  6/4/2014    7.8   OpenSSL ssl/d1_both.c dtls1_get_message_fragment() Function Invalid DTLS Handshake Handling Remote DoS
107729  6/3/2014    4     OpenSSL Crafted Handshake Weak Keying Material Rollback MitM Weakness
119743  5/6/2014    9.3   OpenSSL crypto/evp/encode.c EVP_DecodeUpdate() Function Base64 Decoding Integer Underflow
106531  4/30/2014   7.8   OpenSSL / LibReSSL ssl/s3_pkt.c do_ssl3_write() Function NULL Pointer Dereference Remote DoS
105763  4/11/2014   4     OpenSSL ssl/s3_pkt.c ssl3_read_bytes() Function Use-after-free Remote Content Injection
105465  4/7/2014    5     OpenSSL TLS Heartbeat Extension Packets Handling Out-of-bounds Read Remote Memory Disclosure (Heartbleed)

Since Heartbleed:

- 47 new vulns
- CVSSv2 score max: 10
- Average CVSS: 5.23
- 10 had a public exploit or PoC
- 14 had a private exploit

Let's Talk Data

What you need: vulnerability data, spreadsheet software, probably a browser.

Putting Data to Use (without being a data scientist)

Data from public sources is limited. FFMPEG: CVE Details vs. VulnDB

- CVE Details: 191
- VulnDB: 1,000+

DATA CAVEAT

“Fixes the following vulnerabilities [CVE LIST] …and more security issues that have no CVE number. Many of these issues can be exploited when a remote file is played back and a few are probable arbitrary code execution vulnerabilities.”

Vuln Spread:

…And multiple products by HP, Oracle (including Java), F-Secure, IBM, MySQL, Novell, OpenBSD, Intel, Juniper, Rapid7, nginx, Huawei, Trend Micro, Linux, Tableau, McAfee, F5, Cisco, Fortinet, Sophos, Python, Citrix, SUSE, Ubuntu, Debian, FreeBSD, RedHat…

Vuln Spread:

And also… OSX, Webkit, Firefox, OpenJDK, OpenOffice, StarOffice, Ubuntu, Gentoo, Oracle Solaris, SUSE, Slackware, BlackBerry products, Fedora, RedHat, Debian, Avaya products, PlayStation 3/4/Vita, Opera for Wii, multiple video games…

Vuln Spread:

Visio, PowerPoint, Adobe Photoshop/Flash/Illustrator, Webkit, iOS, OSX, Android, GIMP, Fedora, Debian, Ubuntu, Slackware, Red Hat, SUSE, Gentoo, Oracle Solaris, VMWare Server, and countless applications.

Vuln Spread:

Tivoli, Fedora, HP-UX, Ubuntu, NetIQ, Attachmate…

Vuln Spread:

Linux, Opera, Konqueror, HP, Sony & Logitech Google TVs…

Vuln Spread: (graphic only)

The Numbers: Jan 2007-July 2015

(Library names appear only in the slide graphics; rows are in slide order.)

Library  Vuln Count  Vulns/Year  Releases/Year  Avg CVSS  2015 Vulns (% of total)
1        90          10-11       3              5.49      29 (32.2%)
2        50          6           2              7.43      0 (0%)
3        28          3           2-3            6.65      0 (0%)
4        100         12          5              4.72      4 (4%)
5        522         80          11             8.96      135 (25.9%)
6        539         98          4              7.07*     58 (10.7%)

* 2010 to present
* 2009 to present

Efficiency At What Cost?

Not just one library impacting many organizations. A single application may have as many as 100 different third party libraries implemented. That is a whole lot of patching to keep up on for both devs and customers.

What should you measure library quality on?

- Count of vulnerabilities
- Frequency of update releases
- Average severity of vulns (CVSS or other)
- Existence of PoC or exploit

DEBATE

Yes!

Take Aways

Code Quality

"Open source is secure because everyone can review it – more eyes make all bugs shallow." Everyone *could* look at it, but they don't. Accountability for quality is deferred.

"That means closed source is more secure because no one can review it and it is supported by big enterprises, right?" Bad code is just that, bad code. Bad code exists in closed source software as well.

Vulnerability Management

Vulnerability management is the "cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities", especially in software and firmware. Vulnerability management is integral to computer security and network security.

Vulnerabilities can be discovered with a vulnerability scanner, which analyzes a computer system in search of known vulnerabilities, such as open ports, insecure software configuration, and susceptibility to malware. Unknown vulnerabilities, such as a zero-day attack may be found with fuzz testing, which can identify certain kinds of vulnerabilities, such as a buffer overflow exploit with relevant test cases. Such analyses can be facilitated by test automation. In addition, antivirus software capable of heuristic analysis may discover undocumented malware if it finds software behaving suspiciously (such as attempting to overwrite a system file).

Correcting vulnerabilities may variously involve the installation of a patch, a change in network security policy, reconfiguration of software (such as a firewall), or educating users about social engineering.

https://en.wikipedia.org/wiki/Vulnerability_management

So Vuln Mgmt is A NetSec Issue!

Cost to Fix Vulnerabilities

The National Institute of Standards and Technology (NIST) estimates that code fixes performed after release can result in 25+ times the cost of fixes performed during the design phase.

tl;dr: Pay me now or pay me later… with interest.

Fix vulnerabilities as early as is practical, resulting in fewer vulnerabilities to patch at the most expensive time - late in the development cycle.

THE GOAL OF VULNERABILITY MANAGEMENT

Easy, right?

Security versus…

- Performance
- Usability
- Functionality
- Development cost & time

Secure Development Lifecycle

Training → Requirements → Design → Implementation → Verification → Release → Response

(Slide diagram annotations across the phases: vulnerabilities introduced; vulnerabilities identified; vulnerabilities identified; OSS vulnerabilities identified.)

Vulnerability Management Process

1. Identify Issue
2. Assess Impact
3. Dev & Test Fix
4. Deploy Fix
5. Post Release

Patch Tuesday!

Incident Response

1. Identify Issue
2. Assess Impact
3. Dev & Test Fix
4. Public Release w/ CVE
5. Post Release

So you're a software vendor…

1. Identify Issue
2. Assess Impact
3. Dev & Test Fix
4. Release
5. Post Release

Enterprise admin? Your patch lifecycle starts HERE.

But wait! The vulnerability was in a third party library!

1. Identify Issues

- Internal Security Research Team, Consultants – pre-release vuln assessments
- External Security Researchers – post-release incident response, bug bounties
- Third Party Libraries/OSS Disclosures – both pre- and post-release
- Automated Tools & Analysis
- Crash log analysis

Lots of vulnerabilities to manage.

2. Assess Impact: Prioritization Matters

You have 150 vulnerabilities open with CVSS 7.5+. Your inbound new vulnerabilities average 15 dev tasks per week, from both internal and external sources. What do you fix first?

- Highest CVSS score?
- FIFO? LIFO?
- Externally known issues?
- Issues with an exploit present in Metasploit?

Intelligent prioritization reduces risk.
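The question above is what to fix first when 150 CVSS 7.5+ items are open and 15 more arrive every week. The following is an added example, not code from the talk: it scores a constructed backlog with an illustrative weighting in which exploit availability, external disclosure and exposure multiply the CVSS base score and backlog age nudges old items upward, then compares that order with the naive highest-CVSS-first order. The weights, the field names and the sample records are assumptions, not a published standard.

```python
"""Risk-based triage of a vulnerability backlog.

Added example, not code from the talk.  The weights and the backlog are
constructed, illustrative assumptions; tune them to your own environment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vid: str
    cvss: float             # CVSSv2 base score, 0-10
    source: str             # "internal", "external" (researcher/bounty) or "library"
    public_exploit: bool    # public PoC or exploit code exists
    in_metasploit: bool     # a weaponised module exists
    externally_known: bool  # disclosed outside the company (advisory, bounty report)
    internet_facing: bool   # reachable by unauthenticated remote users
    age_days: int           # days sitting in the backlog


def risk_score(v: Vuln) -> float:
    """Illustrative priority score (assumed weights).

    CVSS is only the starting point.  Exploit availability and exposure
    multiply it, so a 7.5 with a Metasploit module on an internet-facing
    service outranks a theoretical 9.3 on an internal tool.  Backlog age
    adds a small term so that nothing starves (a FIFO tie-breaker).
    """
    score = v.cvss
    if v.in_metasploit:
        score *= 1.6
    elif v.public_exploit:
        score *= 1.3
    if v.externally_known:
        score *= 1.2
    score *= 1.2 if v.internet_facing else 0.8
    if v.source == "library":
        # Library bugs ship to every customer, and attackers read upstream advisories.
        score *= 1.1
    score += min(v.age_days, 90) / 90.0
    return round(score, 2)


def triage(backlog):
    """Backlog ordered by risk_score, highest first (stable on vid for ties)."""
    return sorted(backlog, key=lambda v: (-risk_score(v), v.vid))


def by_cvss(backlog):
    """The naive 'highest CVSS first' ordering, for comparison."""
    return sorted(backlog, key=lambda v: (-v.cvss, v.vid))


# Constructed sample backlog (not real findings).
SAMPLE_BACKLOG = [
    Vuln("V-1", 9.3, "internal", False, False, False, False, 3),
    Vuln("V-2", 7.5, "library", True, True, True, True, 10),
    Vuln("V-3", 10.0, "internal", False, False, False, True, 1),
    Vuln("V-4", 5.0, "external", True, False, True, True, 45),
    Vuln("V-5", 7.8, "library", False, False, True, False, 120),
    Vuln("V-6", 4.3, "internal", False, False, False, False, 200),
]

if __name__ == "__main__":
    print("CVSS order:", [v.vid for v in by_cvss(SAMPLE_BACKLOG)])
    print("Risk order:", [(v.vid, risk_score(v)) for v in triage(SAMPLE_BACKLOG)])
```

On the sample data the CVSS-only order puts the internal-only 9.3 (V-1) second, while the risk order drops it to fifth and moves the externally known 7.5 library bug with a Metasploit module (V-2) to the top; the point is not the specific weights but that exploit presence and exposure must feed the ranking, not CVSS alone.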

3. Dev & Test Fix

“Just ship it, we can patch that later” is not cost effective, but becomes more likely the closer you get to release dates

Vulnerabilities are inevitable. Choose those that you fix pre-release and those you postpone to post-release carefully.

Don’t put off fixing the complicated vulnerabilities – they won’t get easier once the product is in customer hands

Sustainment planning is not just for post-release – you will have to patch vulnerabilities in perfectly functional code before RTM

Now let's go write some ^secure code!

Vulnerability Management in SDL

Requirements | Design | Implementation | Verification

Activities, in slide order, mapped across those four phases:

- Define guiding security principles
- Define prioritization model and sustainment plan
- Design for security and reduce attack surface
- Evaluate vuln trends in libraries as part of selection criteria
- Automated static analysis tools
- Deprecate unsafe functions
- Code scanning tools to monitor all third party libraries – know what you use and where
- Automated static and dynamic analysis tools, fuzzing
- Manual pen testing & attack surface review
- Update 3rd party libraries regularly
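"Know what you use and where" needs an inventory that covers vendored copies as well as declared dependencies, because the copy that sits in a third_party directory is the one that gets missed at patch time. The example below is added here and is not from the talk or any vendor's scanner. It builds that inventory from constructed pip-style manifests and constructed source-tree paths, matches it against a constructed advisory feed (hypothetical library names, versions and advisory IDs), lists every copy that needs updating, flags libraries shipped in more than one version, and computes the lowest version per library that clears every advisory. The version-in-path regex and the "first affected, first fixed" range format are assumptions.

```python
"""Inventory third party libraries across products and match them to advisories.

Added example, not from the talk or any vendor's tool.  All library names,
versions, paths and advisories below are constructed and hypothetical.
"""
import re
from collections import defaultdict

# Constructed manifests (pip-style "name==version" pins) for three products.
MANIFESTS = {
    "product-a/requirements.txt": """
# pinned runtime dependencies
tlsshim==1.0.1
imgcodec==2.4.9
jsonparse==0.9.3
""",
    "product-b/requirements.txt": """
tlsshim==1.0.3
imgcodec==2.3.0
""",
}

# Constructed paths from walking the source trees.  Vendored copies rarely
# appear in a manifest; the version usually survives only in a directory or
# archive name.
VENDORED_PATHS = [
    "product-b/third_party/imgcodec-2.4.1/png.c",
    "product-c/vendor/tlsshim-1.0.0.tar.gz",
    "product-c/vendor/jsonparse-0.9.3/src/parse.c",
]

# Constructed advisory feed: (library, first affected, first fixed, id, CVSS).
ADVISORIES = [
    ("tlsshim", "1.0.0", "1.0.2", "ADV-0001", 7.8),
    ("tlsshim", "1.0.0", "1.0.4", "ADV-0002", 10.0),
    ("imgcodec", "2.0.0", "2.4.5", "ADV-0003", 9.3),
]

# Assumed convention: "<name>-<dotted version>" as a directory or .tar.gz name.
VENDORED_RE = re.compile(r"/([A-Za-z]\w*)-(\d+(?:\.\d+)+)(?:\.tar\.gz|/|$)")


def parse_version(s):
    """'1.0.10' -> (1, 0, 10); tuples compare numerically, unlike strings."""
    return tuple(int(p) for p in s.split("."))


def build_inventory(manifests, vendored_paths):
    """Return {library: {version: [locations]}} from manifests plus vendored paths."""
    inv = defaultdict(lambda: defaultdict(list))
    for path, text in manifests.items():
        for line in text.splitlines():
            line = line.split("#", 1)[0].strip()   # drop comments and blanks
            name, sep, ver = line.partition("==")
            if sep and ver:
                inv[name.strip().lower()][ver.strip()].append(path)
    for path in vendored_paths:
        m = VENDORED_RE.search(path)
        if m:
            inv[m.group(1).lower()][m.group(2)].append(path)
    return {lib: dict(vers) for lib, vers in inv.items()}


def find_vulnerable(inventory, advisories):
    """Every (location, library, version) inside an advisory's affected range."""
    findings = []
    for lib, first_bad, fixed, adv_id, cvss in advisories:
        lo, hi = parse_version(first_bad), parse_version(fixed)
        for ver, locations in inventory.get(lib, {}).items():
            if lo <= parse_version(ver) < hi:
                for loc in locations:
                    findings.append({"location": loc, "library": lib, "version": ver,
                                     "advisory": adv_id, "cvss": cvss, "fixed_in": fixed})
    return sorted(findings, key=lambda f: (-f["cvss"], f["location"]))


def version_sprawl(inventory):
    """Libraries shipped in more than one version: each is one more patch to track."""
    return {lib: sorted(vers, key=parse_version)
            for lib, vers in inventory.items() if len(vers) > 1}


def patch_plan(findings):
    """Lowest version per library that clears every advisory in the findings."""
    plan = {}
    for f in findings:
        cur = plan.get(f["library"])
        if cur is None or parse_version(f["fixed_in"]) > parse_version(cur):
            plan[f["library"]] = f["fixed_in"]
    return plan


if __name__ == "__main__":
    inv = build_inventory(MANIFESTS, VENDORED_PATHS)
    findings = find_vulnerable(inv, ADVISORIES)
    for f in findings:
        print(f"{f['cvss']:>4} {f['advisory']} {f['library']} {f['version']:<6} "
              f"-> {f['fixed_in']:<6} at {f['location']}")
    print("multiple versions in use:", version_sprawl(inv))
    print("upgrade targets:", patch_plan(findings))
```

Two details matter in practice: versions are compared as integer tuples, so 1.0.10 correctly sorts above 1.0.9, and the vendored tarball in product-c is reported alongside the declared pins, which is the copy a manifest-only scan would never see.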

Be Prepared

Analysis of vulnerability trends to predict future workload:

- How many vulnerabilities are identified per month? What are their sources?
- What are the vulnerability types? Is dev training indicated?
- How quickly is your vulnerability backlog growing (or shrinking)?
- What is your average time to fix?
- What early monitoring processes can you put in place to minimize surprises?
- Can you identify low-friction areas to diminish risk?
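Every question in that list can be answered from a tracker export. The following added example (not from the talk) computes them over constructed records: inbound volume per month, breakdown by source and by type, the vulnerability classes whose share is large enough to suggest developer training, the open backlog at each month end, and mean time to fix over closed items. The field names and the 35% training threshold are assumptions.

```python
"""Backlog trend metrics for a vulnerability management program.

Added example, not from the talk.  The records are constructed sample data;
in practice they come from your tracker export.
"""
import calendar
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Record:
    vid: str
    identified: date
    source: str                    # internal / external / library / tooling
    vtype: str                     # vulnerability class
    fixed: Optional[date] = None   # None while still open


# Constructed sample data (not real findings).
SAMPLE = [
    Record("V-01", date(2015, 3, 2), "internal", "xss", date(2015, 3, 20)),
    Record("V-02", date(2015, 3, 9), "library", "memory-corruption", date(2015, 4, 1)),
    Record("V-03", date(2015, 3, 30), "external", "xss", date(2015, 4, 5)),
    Record("V-04", date(2015, 4, 6), "library", "dos", date(2015, 4, 16)),
    Record("V-05", date(2015, 4, 13), "internal", "xss"),
    Record("V-06", date(2015, 4, 27), "library", "memory-corruption"),
    Record("V-07", date(2015, 5, 4), "tooling", "injection", date(2015, 5, 14)),
    Record("V-08", date(2015, 5, 11), "library", "dos"),
    Record("V-09", date(2015, 5, 18), "external", "xss"),
    Record("V-10", date(2015, 5, 25), "library", "memory-corruption"),
]


def month_key(d):
    return f"{d.year:04d}-{d.month:02d}"


def months_between(first, last):
    """Yield (key, month_end_date) for every calendar month from first to last."""
    y, m = first.year, first.month
    while (y, m) <= (last.year, last.month):
        yield f"{y:04d}-{m:02d}", date(y, m, calendar.monthrange(y, m)[1])
        m += 1
        if m == 13:
            y, m = y + 1, 1


def identified_per_month(records):
    """Inbound volume: how many new vulnerabilities were identified per month."""
    return dict(sorted(Counter(month_key(r.identified) for r in records).items()))


def count_by(records, field):
    """Breakdown by 'source' or 'vtype'."""
    return dict(Counter(getattr(r, field) for r in records))


def training_candidates(records, share=0.35):
    """Vulnerability classes making up at least `share` of all findings:
    a hint that developer training on that class would pay off."""
    counts = count_by(records, "vtype")
    total = len(records)
    return sorted(t for t, n in counts.items() if n / total >= share)


def backlog_trend(records):
    """Open items at the end of each month (identified by then, not yet fixed by then)."""
    first = min(r.identified for r in records)
    last = max([r.identified for r in records] + [r.fixed for r in records if r.fixed])
    trend = {}
    for key, end in months_between(first, last):
        trend[key] = sum(1 for r in records
                         if r.identified <= end and (r.fixed is None or r.fixed > end))
    return trend


def mean_time_to_fix(records):
    """Average days from identification to fix, over closed items only."""
    closed = [(r.fixed - r.identified).days for r in records if r.fixed]
    return sum(closed) / len(closed) if closed else None


if __name__ == "__main__":
    print("identified per month:", identified_per_month(SAMPLE))
    print("by source:", count_by(SAMPLE, "source"))
    print("by type:", count_by(SAMPLE, "vtype"), "-> training:", training_candidates(SAMPLE))
    print("open at month end:", backlog_trend(SAMPLE))
    print("mean time to fix (days):", mean_time_to_fix(SAMPLE))
```

The backlog figure is computed at month end rather than from a running count so that an item opened and closed within the same month does not hide the churn; on the sample data the backlog holds at 2 open items for two months and then jumps to 5, with library-sourced findings making up half the inbound, which is the kind of trend the slide says to use for predicting workload.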

Network Admins

Ask potential software vendors about their SDL program and vulnerability trends

Monitor the third party libraries being used in software you deploy and press vendors for security fixes

Make it clear security is a priority

Case Study

Strong security team in rapidly growing enterprise software company

Attended my OSS talk with Jake Kouns at BlackHat 2014

Requested a copy of our slides for internal use

Shared both their own SIRT data and our data regarding security risk with Leadership

Case Study: VMWare

- Already had mature incident response monitoring of 3rd party libraries in released products
- Adding proactive evaluation and rating/approval of third party libraries in development phase
- Evaluated and implemented code scanning tool for finding third party libraries in products
- MOOSECON internal security conference session on 3rd party library vulnerabilities
- Active testing of third party and OSS libraries along with native code in products
- Partnering with dev teams to create proactive plans for routine patching cadence as part of dev lifecycle

Thanks: Jake Kouns, Risk Based Security

Discussion

Kymberlee Price, Senior Director of Researcher Operations, Bugcrowd – @kym_possible