Software security vulnerabilities in practice
Jan Žižka, M.Sc.
Principal Technical Leader at Nokia
DMTS, Nokia Bell Labs
PhD student at FI MUNI

Jan Žižka
● 30+ years of software development
● 25 years at Nokia
● Leading Linux OS development for Nokia Radio Cloud Products
● Responsible for software security vulnerability corrections
● PhD student at FI MUNI

Agenda
● Software security vulnerabilities
● Life cycle of a vulnerability
● Vulnerabilities in large scale software systems
● Examples

So how many software vulnerabilities are discovered per year?
26 448 (2022)
https://bit.ly/3SmnQrz

What are software security vulnerabilities?
Terminology
– CVE – Common Vulnerabilities and Exposures
– CVSS – Common Vulnerability Scoring System
– CWE – Common Weakness Enumeration
Software bugs affecting:
– Confidentiality
– Integrity
– Availability
https://bit.ly/3SpTnZF

Life of a security vulnerability
(diagram: Programmer, Security expert, User, Programmer, Cracker)

Reality of large scale software system
(diagram: counts of 1-10s, 10-100s, 100-1000s, 10-1000s, 100-10000s, 1000-1000000s; versions v1, v2, v3, .. and v4, v5, v6, ..; Security Bug)

Traceability
Scanning
Accuracy
Automation

Traceability
● The Software Package Data Exchange
● Open Vulnerability and Assessment Language

Dangers of EOLs
No-one knows what bugs are in EOL software ...
… except for malicious attackers

Scanning
● Tools
– Trivy
– Anchore
– Clair
– Grype
● Databases
– cve.org
– VulDB
– NVD
– OVAL
● When
– Continuously
● Where
– Delivery chain
– Production
https://bit.ly/40nrVOm

Vulnerability assessment
https://bit.ly/3MkC7RR
https://bit.ly/3SlECXG

Importance of Environmental setup

Examples
● Vim editor
● Log4j
● glibc

Remediation SLA – Service Level Agreement
Low      300 days
Medium    30 days
High       5 days
Critical   2 days

Example Remediation – some of the options
1. False positive or Accept
2. Eliminate attack vector
3. Mitigate by configuration
4. Patch
5. Release fix

CVE-2023-1355
NULL Pointer Dereference in vim/vim

CVE-2023-4911
Buffer overflow in ld.so leading to privilege escalation

CVE-2021-44228
Log4Shell
Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

26 448

Links
● https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/AR:H/MAV:N/MAC:H
● https://www.cve.org/CVERecord?id=CVE-2023-1355
● https://nvd.nist.gov/vuln/detail/CVE-2023-1355
● https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2023-1355&vector=AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.0&source=huntr.dev
● https://access.redhat.com/security/cve/cve-2023-1355
● https://security-tracker.debian.org/tracker/CVE-2023-1355
● https://www.cve.org/CVERecord?id=CVE-2023-4911
● https://nvd.nist.gov/vuln/detail/CVE-2023-4911
● https://access.redhat.com/security/cve/cve-2023-4911
● https://security-tracker.debian.org/tracker/CVE-2023-4911
● https://www.cve.org/CVERecord?id=CVE-2021-44228
● https://nvd.nist.gov/vuln/detail/CVE-2021-44228
● https://access.redhat.com/security/cve/cve-2021-44228
● https://security-tracker.debian.org/tracker/CVE-2021-44228
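An added example, not part of the slides: a CVSS v3.1 calculator that scores the vector from the first.org link above and shows how the environmental metrics it carries (AR:H, MAC:H) reshape the base score before the Remediation SLA slide's deadlines are applied. Metric weights are those of the CVSS v3.1 specification, the SLA table is the one on the slide, and the second vector is the CVE-2023-1355 vector from the NVD link (a v3.0 vector; the base formula is the same for it).

```python
import math
# Metric weights from the CVSS v3.1 specification (PR depends on Scope).
W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}, "AC": {"L": 0.77, "H": 0.44},
    "PR": {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.5}},
    "UI": {"N": 0.85, "R": 0.62}, "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
    "E": {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91},
    "RL": {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95},
    "RC": {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92},
    "REQ": {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5},  # CR / IR / AR
}

def roundup(x):
    """Roundup as the v3.1 spec defines it (integer arithmetic avoids floating point drift)."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def parse(vector):
    """'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}; absent metrics count as X."""
    return dict(p.split(":", 1) for p in vector.split("/")[1:])

def _score(m, modified):
    """Base or Environmental arithmetic; `modified` switches in the M*, CR, IR and AR metrics."""
    get = lambda k: m["M" + k] if modified and m.get("M" + k, "X") != "X" else m[k]
    req = lambda k: W["REQ"][m.get(k, "X")] if modified else 1.0
    scope = get("S")
    iss = 1 - ((1 - req("CR") * W["CIA"][get("C")]) * (1 - req("IR") * W["CIA"][get("I")])
               * (1 - req("AR") * W["CIA"][get("A")]))
    iss = min(iss, 0.915) if modified else iss  # the spec caps the Modified Impact Sub-Score
    if scope == "U":
        impact = 6.42 * iss
    elif modified:  # scope changed: v3.1 uses a different curve for Modified Impact
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    expl = 8.22 * W["AV"][get("AV")] * W["AC"][get("AC")] * W["PR"][scope][get("PR")] * W["UI"][get("UI")]
    total = impact + expl if scope == "U" else 1.08 * (impact + expl)
    return 0.0 if impact <= 0 else roundup(min(total, 10))

def cvss31(vector):
    """Return (base, temporal, environmental) scores for a v3.1 vector string."""
    m = parse(vector)
    tf = W["E"][m.get("E", "X")] * W["RL"][m.get("RL", "X")] * W["RC"][m.get("RC", "X")]
    base = _score(m, False)
    return base, roundup(base * tf), roundup(_score(m, True) * tf)

def sla_days(score):
    """Remediation SLA from the slides, selected by the v3.1 qualitative rating (0.0 has none)."""
    rating = "Low" if score < 4 else "Medium" if score < 7 else "High" if score < 9 else "Critical"
    return None if score == 0 else {"Low": 300, "Medium": 30, "High": 5, "Critical": 2}[rating]
```

For the linked vector the base score is 7.5, the functional exploit (E:F) lowers it to 7.3, and the environment (availability requirement High, modified attack complexity High) brings it back to 7.5, so the High SLA of 5 days applies either way.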