Find the Next Heartbleed-like Vulnerability

Heartbleed (CVE-2014-0160) is a vulnerability with a CVSSv2 base score of only 5.0/10.0. Though its CVSS score is relatively low, Heartbleed has been one of the most severe security events the Internet has ever seen.

It was found in the OpenSSL cryptographic software library, which is omnipresent on the Internet, and it stems from a buffer over-read weakness in the library, a situation where more data can be read than should be allowed (https://en.wikipedia.org/wiki/Heartbleed). More than half a million servers were found exposed to this vulnerability, which accounts for 30 – 70% of the Internet.


Based on this situation, the CVSSv2 base score is not a robust enough indicator of the true impact of a vulnerability, as it fails to consider factors such as the distribution of targets and the effort required for a successful exploitation. In fact, the growing number of vulnerabilities requires that we determine the risks accurately in order to prioritize remediation efforts.

The NopSec Vulnerability Risk Score

To address this problem we developed the NopSec Vulnerability Risk Score in order to precisely calculate the risk that a given vulnerability poses to a customer's environment. Specifically, the technical risk of each vulnerability is estimated from historical records in the National Vulnerability Database (NVD, https://nvd.nist.gov/) and from vulnerability samples in our customer vulnerability feed. This score serves as guidance in the search for the next "big" Heartbleed-like vulnerability.

The NopSec Vulnerability Risk Score combines the vulnerability's impact and exploitability vectors, its exposure, and threat intelligence data. This Technical Risk Score ranges from 0 to 1 and indicates the probability of successful exploitation of the vulnerability. The score is in line with the CVSSv2 score in NVD, but it also clarifies the real risk each vulnerability poses in the wild. The Technical Risk Score is further adjusted with the distribution of targets and the scan context to address the business risk the organization faces when a certain asset on its network is targeted.

The table below shows the Technical Risk Score of five vulnerabilities with an identical CVSSv2 score of 10. Under the CVSSv2 standard, all of these vulnerabilities are rated "Critical", so the score alone gives no basis for deciding where to start analysis and remediation. The Technical Risk Scores, however, differentiate the risks: they range from 0.7 to 0.0008, which suggests that we should pay special attention to the Oracle JRE vulnerability CVE-2012-0507. The table also shows that Heartbleed has a high Technical Risk Score of 0.516 even though its CVSSv2 base score is lower than that of each of the other five vulnerabilities.

[Table image: CVE / CVSS comparison]

How is the Technical Risk Score Calculated?

Various data feeds from public and private sources are used to calculate the Technical Risk Score. For instance, we found that vulnerabilities with a publicly available exploit are more likely to be targeted. Our previous research also revealed that a vulnerability with more coverage on social media requires more attention from a remediation standpoint. Moreover, open source software is usually more vulnerable than commercial software, and attacks on widely used public libraries and servers (OpenSSL, jQuery, Apache Web Server, Tomcat, etc.) can impact millions of users.

All such factors are combined in the NopSec Vulnerability Risk Score calculation. Some of the parameters from the CVSSv2 base, exploitability, and impact metrics are also present in this formula. The base metrics, for example, use Access Vector, Access Complexity, and Authentication to capture how the vulnerability is reached and whether extra conditions are required to exploit it. In the environmental metrics, the Confidentiality, Integrity, and Availability vectors capture the attributes of a vulnerability that depend on the user's network environment.

Combining all such parameters, the NopSec Risk Scoring system helps to predict the exploitation of the next Heartbleed-like vulnerability and guides the users to achieve the greatest risk reduction by fixing the vulnerabilities that “matter” the most to their risk posture.