Prioritizing Vulnerability Remediation From Attacker's Perspective
Bharat Jogi Senior Manager, Vulnerability & Threat Research
Vulnerabilities
[Chart: number of vulnerabilities per year, 2012 to 2016; y-axis 0 to 8000]
Vulnerabilities
A vulnerability is a flaw in the system that could provide an attacker with a way to bypass the security infrastructure.
Exploit
An exploit tries to turn a vulnerability into an actual means to breach a system.
Exploit Kits
An exploit kit or exploit pack is a type of toolkit cybercriminals use to attack vulnerabilities in systems so they can distribute malware or perform other malicious activities.
Exploit Kits: Examples
Exploit and Vulnerability Trends
and how to use them to our advantage
#1 Most Affected
Oracle 11%
Google 10%
Adobe 8%
Microsoft 7%
Novell 6%
Others 58%
#2 Operating System vs Applications
Operating System Exploits 26%
Application Exploits 74%
#3 Remote vs Local
Local 15%
Remote 85%

Remote vs Local

| Remote | Local |
|---|---|
| CVE-2016-0985: Adobe Flash Player Remote Code Execution Vulnerability (APSB16-04) | CVE-2016-7237: Microsoft Windows LSASS Memory Corruption DoS (MS16-137) |
| CVE-2016-10033: PHPMailer Remote Code Execution Vulnerability | CVE-2016-7225: Microsoft Windows ZwDeleteFile Arbitrary File Deletion Privilege Escalation (MS16-138) |
| CVE-2016-2004: HP Data Protector Multiple Security Vulnerabilities (HPSBGN03580) | CVE-2016-5195: Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation |
| CVE-2016-3081: Apache Struts Dynamic Method Invocation RCE Vulnerability (S2-032) | CVE-2016-1793: Mac OS X Kernel Null Pointer Dereference Vulnerability |
| CVE-2016-3642: Solarwinds Virtualization Manager Java JMX-RMI Remote Code Execution Vulnerability | CVE-2016-3220: Microsoft Windows Kernel - 'ATMFD.dll' NamedEscape 0x250C Pool Corruption |
| CVE-2016-6366: Cisco ASA SNMP Remote Code Execution Vulnerability (EXTRABACON) | CVE-2016-3216: Microsoft Windows 'gdi32.dll' Heap Based Memory Disclosure (MS16-074) |
#4 Lateral Movement

#4 High Lateral Movement

| CVE | Vulnerability |
|---|---|
| CVE-2016-3643 | Solarwinds Virtualization Manager Local Privilege Escalation Vulnerability |
| CVE-2016-1464 | Cisco WebEx Meetings Player for WRF Files Code Execution Vulnerability |
| CVE-2016-2298 | Meteocontrol WEBlog Password Extractor |
| CVE-2016-1909 | FortiOS Fortimanager_Access SSH Interactive Login Vulnerability |
| CVE-2016-0099 | Microsoft Windows Secondary Logon Elevation of Privilege Vulnerability (MS16-032) |
| CVE-2016-2005 | Hewlett Packard Enterprise Data Protector EXEC_BAR User Name Buffer Overflow Exploit |
| CVE-2016-3646 | Symantec Multiple Products Decomposer Engine Multiple File Parsing Vulnerabilities (SYM16-010) |

50% of exploits had lateral movement potential
#5 Exploits for EOL Systems
#6 <7% of vulnerabilities had exploits
[Chart: exploits vs CVEs per year, 2012 to 2016; y-axis 0 to 8000]
Exploit Kits from Last Year

| CVE | Vulnerability | Exploit Kit |
|---|---|---|
| CVE-2016-0034 | Microsoft Silverlight Remote Code Execution Vulnerability (MS16-006) | Angler EK, RIG |
| CVE-2016-0189 | Microsoft JScript and VBScript Remote Code Execution Vulnerabilities (MS16-053) | Neutrino, Sundown, RIG, Magnitude |
| CVE-2016-7201 | Microsoft Edge Cumulative Security Update (MS16-129) | Sundown, Neutrino |
| CVE-2016-7202 | Microsoft Edge Cumulative Security Update (MS16-129) | Sundown, Neutrino |
| CVE-2016-4117 | Adobe Flash Player and AIR Multiple Vulnerabilities (APSA16-02) (APSB16-15) | Magnitude, Neutrino, Angler, Sundown |
| CVE-2016-1001 | Adobe Flash Player and AIR Security Update (APSB16-08) | Angler |
| CVE-2016-1019 | Adobe Flash Player and AIR Multiple Vulnerabilities (APSA16-01) (APSB16-10) | Nuclear Pack, Magnitude, Neutrino |
#7 <1% of vulns are in exploit kits
[Chart: exploit kit exploits vs exploits vs CVEs per year, 2012 to 2016; y-axis 0 to 8000]
Applying Exploit Knowledge

Next Week: Create inventory of:
§ Applications with weaponized exploits
§ EOL applications and EOL operating systems
§ Vulnerabilities with working exploits
§ Vulnerabilities that can be remotely compromised

Next Month:
§ Upgrade EOL applications
§ Patch all vulnerabilities with exploit packs

Next Quarter:
§ Automatic inventory and alerting
§ Debate if most exploited applications, like Flash, are required for business
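The action plan above turns the deck's trends (remote reachability, working exploits, exploit kit presence, lateral movement potential, EOL software) into a triage order. The following is an added example, not code from the talk or from the presenter, that scores a vulnerability inventory on exactly those signals and sorts it into the deck's next-week / next-month / next-quarter buckets. The weights, the tier rules, the asset names and the per-finding flag values are assumptions made for the demonstration; only the CVE ids come from the deck.

```python
"""Triage a vulnerability inventory by attacker-side signals.

Added illustrative example; not code from the original talk. The weights,
tier thresholds, asset names and flag values are assumptions chosen for the
demonstration. CVSS is used only as a tie-breaker, which is the point of the
deck: exploit availability, not base score alone, drives the order.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float
    remote: bool = False            # exploitable over the network (#3 in the deck)
    working_exploit: bool = False   # a public, working exploit exists (#6)
    exploit_kit: bool = False       # bundled in an exploit kit (#7)
    lateral_movement: bool = False  # post-exploitation pivot potential (#4)
    eol: bool = False               # product is end-of-life, no patch coming (#5)


# Assumed weights: exploit-kit presence dominates because it means mass,
# automated exploitation; the others follow the deck's emphasis.
WEIGHTS: Dict[str, int] = {
    "exploit_kit": 40,
    "working_exploit": 25,
    "remote": 15,
    "lateral_movement": 10,
    "eol": 10,
}


def exploit_score(f: Finding) -> int:
    """Sum the weights of the attacker-side signals present on a finding."""
    return sum(w for name, w in WEIGHTS.items() if getattr(f, name))


def tier(f: Finding) -> str:
    """Map a finding onto the deck's remediation timeline (assumed rules).

    next_week   : usable by an attacker today (in a kit, or remote + working exploit)
    next_month  : EOL software, or any other working exploit
    next_quarter: everything else, handled by the normal patch cadence
    """
    if f.exploit_kit or (f.remote and f.working_exploit):
        return "next_week"
    if f.eol or f.working_exploit:
        return "next_month"
    return "next_quarter"


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Order findings by exploit score, then CVSS as a tie-breaker."""
    return sorted(findings, key=lambda f: (exploit_score(f), f.cvss), reverse=True)


def plan(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group CVE ids into timeline buckets, each bucket in priority order."""
    buckets: Dict[str, List[str]] = {"next_week": [], "next_month": [], "next_quarter": []}
    for f in prioritize(findings):
        buckets[tier(f)].append(f.cve)
    return buckets


# Constructed sample inventory: CVE ids are ones named in the deck; asset
# names and flag values are made up for the demonstration.
SAMPLE: List[Finding] = [
    Finding("CVE-2016-4117", "laptop-042", 9.8, remote=True, working_exploit=True, exploit_kit=True),
    Finding("CVE-2016-5195", "web-01", 7.8, working_exploit=True, lateral_movement=True),
    Finding("CVE-2016-6366", "fw-edge", 8.5, remote=True, working_exploit=True),
    Finding("CVE-2016-3216", "ws-17", 5.5),
    Finding("CVE-2016-0099", "ws-03", 7.8, working_exploit=True, lateral_movement=True, eol=True),
    Finding("CVE-2016-1793", "mac-09", 9.3),  # high CVSS but no exploit signals
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.cve:15} score={exploit_score(f):3} cvss={f.cvss:4} tier={tier(f)}")
    print(plan(SAMPLE))
```

Note how CVE-2016-1793 (CVSS 9.3, no exploit signals in the constructed data) lands in the last bucket while the lower-scored but kit-bundled Flash finding goes first; that inversion relative to a pure CVSS sort is the behaviour the deck argues for.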
ThankYou
Bharat Jogi Senior Manager, Vulnerability & Threat Research