Vulnerable and Outdated Components: Introduction
Woahhh!! Is your office still running Windows 2000? Umm…Yes! Why does it surprise you? I am surprised because you still haven’t been targeted by any attacker. An intruder can easily gain access to these systems because Microsoft considers them obsolete and no longer releases security patches for them. You need to revamp your IT infrastructure soon, or you could be the next target as well.
This scenario may be familiar to organizations that still operate legacy hardware and software for which the manufacturers no longer release security patches. Vulnerable and Outdated Components is ranked #6 on the OWASP Top 10 list, with the special property that it is the only category for which Common Vulnerabilities and Exposures (CVEs) are not mapped to the included CWEs.
Attack Surface
- Outdated Operating System with no active support
  This attack surface is highly exposed because the operating system the organization uses for its daily work, or as part of an application, has been deprecated by its maintainer. No new security patches or updates are released for it, so it remains vulnerable to every form of attack discovered after the OS reached end of life.
  Example: After support for Windows XP ended on April 8, 2014, the zero-day vulnerability CVE-2013-5065 remained unpatched because the OS was no longer supported, and it was exploited widely in the wild since no patch was available for some time.
- Outdated API/Library
  This type of vulnerability lets an attacker exploit outdated APIs and libraries used by parts of the application through publicly known vulnerabilities that neither the vendor nor the organization using the application has patched. It is recommended to upgrade APIs and libraries to the current stable supported release, or to an LTS (long-term support) release that the vendor guarantees to support for a reasonable period.
  Example: While browsing the application, an attacker finds a vulnerable version of a JavaScript library the application uses to handle data. The attacker can exploit that library to perform malicious actions.
- Outdated DBMS (Database Management System)
  If not patched or configured properly, a DBMS may be exposed to many known vulnerabilities that an attacker can use to perform malicious actions or gain access to the server.
  Example: An attacker finds an unsupported, unpatched database version in use by an application and exploits the known vulnerabilities for that version to gain access to the server or perform malicious actions.
- Default configuration
  This is also one of the most common attack surfaces: attackers often check whether an application is still running in its default configuration. If it is, many security functions and other features are likely accessible without any extra privileges.
  Example: An attacker finds that a default admin account with its default password still exists in an organization’s webmail client. This account can be used to view, and even modify, the emails of other user accounts.
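As an added example (not code from the article or from ASPIA), the following Python startup check refuses to run an application whose configuration still carries vendor defaults, which is the situation in the webmail example above. The two configuration samples, the list of default credentials, the `admin_interface_bind` key and the 12-character minimum are constructed assumptions for illustration.

```python
"""Refuse to start an application that still runs on its default configuration.

Added example for this article, not the article's or any vendor's code. The
sample configuration files and the list of vendor default credentials are
constructed for illustration; the 12-character minimum is an assumed policy.
"""
import configparser

# Constructed list of (username, password) pairs that ship as defaults and must
# never survive into production. A real list comes from the product's own docs.
KNOWN_DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
}
MIN_PASSWORD_LENGTH = 12  # assumed policy value

# Constructed: a webmail-style config left exactly as installed.
DEFAULT_CONFIG = """
[auth]
admin_user = admin
admin_password = admin

[server]
debug = true
admin_interface_bind = 0.0.0.0
"""

# Constructed: the same config after hardening.
HARDENED_CONFIG = """
[auth]
admin_user = mail-operator
admin_password = correct-horse-battery-staple-42

[server]
debug = false
admin_interface_bind = 127.0.0.1
"""


def check_config(text):
    """Return a list of problems found; an empty list means the config passed."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    problems = []

    user = cp.get("auth", "admin_user", fallback="")
    password = cp.get("auth", "admin_password", fallback="")
    if (user, password) in KNOWN_DEFAULT_CREDENTIALS:
        problems.append("admin account still uses a vendor default credential")
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"admin password shorter than {MIN_PASSWORD_LENGTH} characters")

    if cp.getboolean("server", "debug", fallback=False):
        problems.append("debug mode enabled")
    bind = cp.get("server", "admin_interface_bind", fallback="0.0.0.0")
    if bind == "0.0.0.0":
        problems.append("admin interface bound to all interfaces")
    return problems


def startup_guard(text):
    """Raise instead of starting when the configuration fails the check."""
    problems = check_config(text)
    if problems:
        raise RuntimeError("refusing to start: " + "; ".join(problems))
    return True


if __name__ == "__main__":
    print("default config problems:", check_config(DEFAULT_CONFIG))
    print("hardened config ok:", startup_guard(HARDENED_CONFIG))
```

Wiring `startup_guard` into the application's entry point turns "someone forgot to change the default password" from a silent exposure into a failed deployment that is noticed immediately.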
Examples of Vulnerable and Outdated Components Attacks
Because components often run with the same permissions as the application itself, a defect in any component can have a significant negative impact. Such defects may be accidental (e.g., a coding error) or malicious (e.g., a backdoor in a component). Exploitable component vulnerabilities that have been found include:
- CVE-2017-5638, a Struts 2 remote code execution vulnerability that lets an attacker execute arbitrary code on the server, has been blamed for significant breaches.
- Patching Internet of Things (IoT) devices is usually difficult or impossible, yet it can be crucial (e.g., for biomedical devices). If an unauthenticated user can access either page, it’s a flaw; if a non-admin user can access the admin page, that is also a flaw.
Automated tools help attackers find unpatched or misconfigured systems. For instance, the Shodan IoT search engine can find devices that still suffer from the Heartbleed vulnerability, which was patched in April 2014.
What’s the Impact of Vulnerable and Outdated Components?
Organizations struggle to test and assess the risk of vulnerable and outdated components, mainly because they lack an up-to-date IT infrastructure inventory and best practices. The impact can be as devastating as opening a hole in the wall of a secure jail: an outsider gains access to every part of the network, or in this case the jail, without any additional permission. Patching the legacy components of an application is crucial to bring it up to current security standards.
What’s the remediation of Vulnerable and Outdated Components?
A patch management procedure or policy should be in place to maintain the IT infrastructure inventory consistently and help the organization manage its resources efficiently. The procedure should include the following points:
- Remove unused dependencies, unnecessary components, features, files, and documentation.
- Use tools such as versions, OWASP Dependency-Check, retire.js, etc. to continuously inventory the versions of client-side and server-side components (frameworks, libraries, etc.) and their dependencies. Monitor sources such as the National Vulnerability Database (NVD) and Common Vulnerabilities and Exposures (CVE) for vulnerabilities in those components. Automate the process with software composition analysis (SCA) tools. Subscribe to email alerts for security issues in the components you use.
- Obtain components only from reputable providers over secure channels. Prefer signed packages to reduce the chance of including a modified, malicious component (see A08:2021-Software and Data Integrity Failures).
- Monitor for libraries and components that are unmaintained or do not produce security patches for older versions. If patching is not possible, consider deploying a virtual patch to monitor, detect, or protect against the discovered issue.
- Every organization must have an ongoing process for monitoring, prioritizing, and applying updates or configuration changes for the lifetime of the application or portfolio.
Vulnerable and outdated components present risk for several reasons. First, they are a direct security threat. They can also be difficult to update and maintain and can cause compatibility issues. Finally, there is the financial and reputational risk of a data breach. Using current software updates and components is therefore a best practice.
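As an added example (not the article's or OWASP's code, and not a replacement for OWASP Dependency-Check or retire.js), this Python script performs the inventory step from the list above: it matches a component inventory against an advisory feed and an end-of-life table, which covers both the outdated-library case and the outdated-OS/DBMS cases described under Attack Surface. The inventory, advisories and end-of-life dates are constructed; the `CVE-XXXX-*` IDs and component names are placeholders, and only the Windows XP end-of-support date comes from the article.

```python
"""Inventory components and flag those that are vulnerable or past end of life.

Added example for this article; it is not ASPIA's, OWASP's, or any scanner's
code. The inventory, the advisory feed and the end-of-life table are
constructed for illustration: component names and CVE-XXXX-* IDs are
placeholders, not real packages or advisories. Only the Windows XP
end-of-support date (April 8, 2014) is taken from the article.
"""
from dataclasses import dataclass
from datetime import date

# Constructed inventory in the form (ecosystem, component, installed version),
# as a tool such as OWASP Dependency-Check or retire.js would collect it.
INVENTORY = [
    ("npm", "example-datagrid", "1.4.2"),
    ("pypi", "example-webfw", "2.0.1"),
    ("os", "windows-xp", "5.1"),
    ("dbms", "example-db", "9.6.0"),
]

# Constructed advisory feed in the shape of an NVD/OSV-style entry: the affected
# range is [introduced, fixed). The IDs are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "CVE-XXXX-0001", "ecosystem": "npm", "name": "example-datagrid",
     "introduced": "1.0.0", "fixed": "1.5.0", "severity": "HIGH"},
    {"id": "CVE-XXXX-0002", "ecosystem": "pypi", "name": "example-webfw",
     "introduced": "1.0.0", "fixed": "2.0.0", "severity": "CRITICAL"},
]

# Constructed end-of-life table: component -> last day of vendor support.
END_OF_LIFE = {
    "windows-xp": date(2014, 4, 8),   # from the article
    "example-db": date(2022, 1, 1),   # placeholder
}

# Assumed audit date so the sample run is reproducible.
TODAY = date(2023, 1, 1)

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


@dataclass
class Finding:
    component: str
    version: str
    kind: str       # "vulnerable" or "end-of-life"
    detail: str
    severity: str


def parse_version(text):
    """Turn '1.4.2', '5.1' or '1.4.2-beta' into a comparable 3-tuple.

    Pre-release and build suffixes are dropped; non-numeric parts count as 0.
    Missing trailing parts are padded so '5.1' compares as 5.1.0.
    """
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(version, advisory):
    """True when version lies in the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def audit(inventory, advisories, eol, today):
    """Match each component against the advisory feed and the EOL table."""
    findings = []
    for ecosystem, name, version in inventory:
        for adv in advisories:
            if (adv["ecosystem"], adv["name"]) == (ecosystem, name) and is_affected(version, adv):
                findings.append(Finding(name, version, "vulnerable",
                                        f"{adv['id']}, fixed in {adv['fixed']}",
                                        adv["severity"]))
        end = eol.get(name)
        if end is not None and today > end:
            findings.append(Finding(name, version, "end-of-life",
                                    f"vendor support ended {end.isoformat()}",
                                    "HIGH"))
    # Highest severity first, so patch planning starts at the top of the list.
    findings.sort(key=lambda f: SEVERITY_RANK.get(f.severity, 99))
    return findings


def audit_sample():
    """Run the audit over the constructed data above."""
    return audit(INVENTORY, ADVISORIES, END_OF_LIFE, TODAY)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"[{f.severity}] {f.component} {f.version}: {f.kind} ({f.detail})")
```

The half-open `[introduced, fixed)` range is the detail that matters in practice: `example-webfw 2.0.1` is not flagged because the fix landed in 2.0.0, while a version exactly equal to `fixed` is also clean. Running a script like this on every build, and failing the build on any finding, is what turns the "continuously inventory" item above from a policy statement into an enforced control.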
To learn more about how to manage risk in your organization, contact ASPIA Infotech.