Software security vulnerabilities in
practice
Jan Žižka, M.Sc.
Principal Technical Leader at Nokia
DMTS, Nokia Bell Labs
PhD student at FI MUNI
Jan Žižka
●
30+ years of software development
●
25 years at Nokia
●
Leading Linux OS development for
Nokia Radio Cloud Products
●
Responsible for software security
vulnerability corrections
●
PhD student at FI MUNI
Agenda
●
Software security vulnerabilities
●
Life cycle of a vulnerability
●
Vulnerabilities in large scale
software systems
●
Examples
Generated by Adobe Firefly
Prompt: agenda for software vulnerability presentation
So how many software
vulnerabilities are discovered per
year?
26 448 (2022)
https://bit.ly/3SmnQrz
https://bit.ly/3SmnQrz
https://bit.ly/3SmnQrz
https://bit.ly/3SmnQrz
What are software security
vulnerabilities?
Terminology
– CVE – Common Vulnerabilities and Exposures
– CVSS – Common Vulnerability Scoring System
– CWE – Common Weakness Enumeration
Software bugs affecting:
– Confidentiality
– Integrity
– Availability
https://bit.ly/3SpTnZF
Life of a security vulnerability
Programmer
Security expert
UserProgrammer
Cracker
Reality of large scale software system
10-1000s 100-10000s
1-10s
10-100s
100-10000s
1000-1000000s
100-1000s
Security Bug Generated by Adobe Firefly
v4, v5, v6, ..
v1, v2, v3, ..
Traceability
Scanning
Accuracy
Automation
Generated by Adobe Firefly
Traceability
The Software Package Data Exchange
Open Vulnerability and Assessment Language
Generated by Adobe Firefly
Prompt: software list of packages
Dangers of EOLs
No-one knows what
bugs are in EOL
software ...
Generated by Adobe Firefly
Prompt: unknown; dangerous; end
of life; software; obsolete; old
… except for
malicious attackers
Scanning●
Tools
– Trivy
– Anchore
– Clair
– Grype
●
Databases
– cve.org
– VulDB
– NVD
– OVAL
●
When
– Continuously
●
Where
– Delivery chain
– Production
https://bit.ly/40nrVOm
Vulnerability
assessment
https://bit.ly/3MkC7RR
https://bit.ly/3SlECXG
Importance of Environmental setup
Vim editor
Log4j glibc
Remediation SLA – Service Level
Agreement
Low 300 days
Medium 30 days
High 5 days
Critical 2 days
Example
Remediation – some of the options
False Positive Generated by Adobe Firefly
1. False positive
or
Accept
2. Eliminate attack vector
3. Mitigate by configuration
4. Patch5. Release fix
CVE-2023-1355
NULL Pointer Dereference in vim/vim
CVE-2023-4911
Buffer overflow in ld.so leading to privilege escalation
CVE-2021-44228
Log4Shell
Apache Log4j2 JNDI features do not protect against attacker
controlled LDAP and other JNDI related endpoints
26 448
Links
●
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/AR:H/MAV:N/MAC:
H
●
https://www.cve.org/CVERecord?id=CVE-2023-1355
●
https://nvd.nist.gov/vuln/detail/CVE-2023-1355
●
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2023-1355&vector=AV:L/AC:L/PR:N/UI:N/S:U/C:
H/I:H/A:H&version=3.0&source=huntr.dev
●
https://access.redhat.com/security/cve/cve-2023-1355
●
https://security-tracker.debian.org/tracker/CVE-2023-1355
●
https://www.cve.org/CVERecord?id=CVE-2023-4911
●
https://nvd.nist.gov/vuln/detail/CVE-2023-4911
●
https://access.redhat.com/security/cve/cve-2023-4911
●
https://security-tracker.debian.org/tracker/CVE-2023-4911
●
https://www.cve.org/CVERecord?id=CVE-2021-44228
●
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
●
https://access.redhat.com/security/cve/cve-2021-44228
●
https://security-tracker.debian.org/tracker/CVE-2021-44228