[BreachExchange] Researchers Find One Million Vulnerabilities?!

Inga Goddijn inga at riskbasedsecurity.com
Tue Aug 15 10:17:30 EDT 2017


https://www.riskbasedsecurity.com/2017/08/researchers-find-one-million-vulnerabilities/

No researcher has yet claimed to find one million vulnerabilities, but we
are sure to see that headline in the future. Every so often we see news
articles touting a security researcher who found an incredible number of
vulnerabilities in one product or vendor. Given that most disclosures
involve a single vulnerability, or sometimes a dozen or two, a headline
claiming ‘thousands’ of vulnerabilities is eye-catching, suspect, and
problematic to the industry.

Perhaps one of the biggest cases of this came between May and July in the
form of headlines such as “‘Thousands’ of known bugs found in pacemaker
code” (BBC) and “Code Blue: Thousands of Bugs Found on Medical Monitoring
System” (Security Ledger). The headlines were clear: thousands of
vulnerabilities in a critical medical device. Reading past the headline in
the Security Ledger article, however, the picture was far less clear:

In-brief: The Department of Homeland Security warned of hundreds of
vulnerabilities in a hospital monitoring system sold by Philips. Security
researchers who studied the system said the security holes may number in
the thousands.

After another mention of “in the thousands”, a less dramatic paragraph
followed saying that ICS-CERT warned of 460 vulnerabilities, while one of
the researchers again emphasized the bigger number:

The Department of Homeland Security’s Industrial Control Systems Cyber
Emergency Response Team (ICS-CERT) issued an alert on July 14 about the
discovery of 460 vulnerabilities in the Philips Xper-IM Connect system,
including 360 with a severity rating of “high” or “critical” severity. But
an interview with one of the researchers who analyzed the Xper system said
that the true number of vulnerabilities was much higher, numbering in the
thousands.

After digging into these claims a bit, it came to light that a majority of
them were due to the use of outdated third-party libraries. While these
library vulnerabilities may impact a device like a pacemaker, the
opportunity to actually exploit any one of them ranges from a genuine
concern to non-existent. If an attacker can’t reach the vulnerable code,
then it likely isn’t an issue. As such, while there are real issues with
vulnerabilities in third-party libraries, claims of ‘thousands’ of
vulnerabilities are often creative at best, and untrue at worst. The
alarming headlines don’t help anyone with a potentially vulnerable
pacemaker, and the lack of proper analysis of those flaws to determine
which are critical is a disservice to the medical and InfoSec industries.

The Curious Case of Tizen OS Security

Tizen is an operating system that many have likely never heard of. Based on
the Linux kernel and first released on January 5, 2012, it is designed to
offer a consistent user experience regardless of the device running it.
According to Wikipedia, it “works on a wide range of devices, including
smartphones, tablets, in-vehicle infotainment (IVI) devices, smart TVs,
PCs, smart cameras, wearable computing (such as smartwatches), Blu-ray
players, printers and smart home appliances (such as refrigerators,
lighting, washing machines, air conditioners, ovens/microwaves and a
robotic vacuum cleaner).” As such, this operating system is poised to have
a massive digital fingerprint on devices moving forward, even more so than
the millions of Samsung TVs that run it currently.

Since it is based on Linux, one might expect it to be fairly mature code
from the start, and not prone to serious vulnerabilities. While Linux has
had its share of vulnerabilities over the years, a majority of them are
local issues resulting in a denial of service or information disclosure.
For the first five years, Tizen certainly seemed like it was more mature,
with a single low-risk vulnerability disclosed in 2012. This year, however,
has seen a spectacular explosion in Tizen vulnerabilities… maybe?

In April, researcher Amihai Neiderman told Vice “it may be the worst code
I’ve ever seen” and told ThreatPost that he “found 40 bugs, and most of
them look exploitable”. Neiderman presented his findings at the Kaspersky
Security Analyst Summit in a 20 minute talk that only gave details on four
of the issues, alluding to many others. During his talk, he also confirmed
that he had only verified a single vulnerability was exploitable, and that
the rest look exploitable. All of that only produced six actionable
vulnerabilities based on the information made public.

Last month, Tizen hit the news again, this time with a spectacular headline
that the operating system contains 27,000 bugs according to researcher
Andrey Karpov!

From the article:

After finding almost a thousand bugs in Tizen code, Karpov contacted
Samsung to pitch for the sale of static analyser PVS-Studio software, but
Youil Kim from Samsung declined the offer.

You may note that he contacted Samsung after finding “almost a thousand
bugs”, a far cry from the 27,000 in the headline. The Register goes on to
explain this disparity better:

It does look bad. According to Andrey Karpov, founder and CTO of Program
Verification Systems, the Russia-based maker of static code analyzer
PVS-Studio, Tizen’s codebase contains approximately 27,000 programming
blunders.

This is, though, based on extrapolating from 900 errors found in 3.3 per
cent of the 72.5 million lines of C/C++ code (excluding comments) that
compose the Tizen project.

This is certainly an eye-catching figure and one that might scare the most
seasoned user of the operating system, if they actually even knew they were
running it. What isn’t mentioned in the news articles or any form of
disclosure from Karpov is the reality of such claims. While he has shared a
somewhat detailed list of the nature of the flaws, there is no indication
which of them, if any, are exploitable. As we often see, and disclaim in
many of our vulnerability entries in VulnDB, issues found via static code
analysis cannot be taken at face value without additional validation.
Since Karpov used PVS-Studio to find these code defects, the same
disclaimer applies here. In fact, Karpov was questioned on the false
positive rate of his findings and blogged that 10–15% may be invalid.

First, even if these flaws are buffer overflows, memory corruption issues,
or other serious flaws that can lead to code execution, it doesn’t mean
that any of these discovered or extrapolated issues have legitimate attack
vectors. Second, the more time you spend in vendor bug trackers watching
the discussion of such reports, the more you are exposed to
“vulnerabilities” that are relegated to a “theoretical” status as no one,
researcher or developer, can demonstrate a user-controlled code path to
reach the flaw. Yes, we’re well aware of the pitfalls around calling a
vulnerability “theoretical”!

In the meantime, we strongly encourage news outlets to report such stories,
but to do so in a more mindful and responsible way. Explosive and
potentially misleading headlines simply do not help the world of security.
As Brian Krebs recently pointed out, in a very similar vein to the above,
“beware of security by press release”.