1.6 The impact associated with types of vulnerabilities Flashcards
Race conditions
Occur when the outcome from execution processes is directly dependent on the order and timing of certain events/multiple threads, and those events fail to execute in the order or timing intended by the developer.
End-of-life systems
A system that is no longer supported by its developer or vendor; it no longer receives security updates and so represents a critical vulnerability.
Embedded systems
A complete computer system that is designed to perform a specific dedicated function. Ex. a microcontroller in a medical drip or components in a control system managing a water treatment plant.
Lack of vendor support
No security life-cycle management
Misconfiguration/weak configuration
Ex. a system that may leave admin access protected with a default account or password that is publicly available.
Ex. Leaving sensitive ports open to the Internet.
Resource exhaustion
Overloading a service by using CPU, system RAM, disk space, or network bandwidth.
Improperly configured accounts
When an account is either too restricted, resulting in tons of support calls, or is granted too many privileges, weakening the security of the system.
Weak cipher suites and implementations
A cipher that cannot use long keys. Vulnerable to brute-force attacks.
Memory/buffer vulnerability
Allows an attacker to run arbitrary code on a system.
Memory leak
When a program doesn’t release unused memory. Could lead to a system crash due to lack of memory.
Integer overflow
An attack that causes the target software to calculate a value that exceeds the bounds of the integer data type.
Buffer overflow
An attacker passes data that deliberately overfills the buffer (an area of memory) that the application reserves to store the expected data.
Pointer dereference
Accessing a pointer/memory address.
DLL injection
A software vulnerability that occurs when a Windows-based application attempts to force another running application to load a Dynamic Link Library (DLL) in memory that could cause the victim application to experience instability or leak sensitive information.
System sprawl/undocumented assets
These undocumented systems represent an exploitable vulnerability.
Architecture/design weakness
Examples:
1) “pinch points” relying on a single hardware server or network channel.
2) Complex dependencies: services that require many different systems to be available.
3) Availability of confidentiality and integrity.
4) Lack of documentation and change control.
5) Overdependence on perimeter security: a network architecture that is “flat” (meaning any host can contact any other host) gives the attacker freedom of movement.
Improper certificate and key management
1) If the attacker obtains the private key, confidentiality is compromised.
2) If the attacker gains the ability to create ‘valid’ signed certificates, then the attacker will be trusted.
3) If the key for encryption is destroyed, any data encrypted using that key will be inaccessible.
Improper input validation
An attack that passes invalid data to the application, and because the input handling is inadequate, it causes the app or OS to behave in unexpected ways. Two general vulnerabilities are the following:
Overflow—the attacker submits input that is larger than the variables assigned by the application to store it can cope with.
Injection—the attacker embeds code within the input or appends code to it that executes when the server processes the submission.