
Vulnerabilities / Threats

12/16/2014 12:40 PM
Marc Maiffret
Commentary

2014: The Year of Privilege Vulnerabilities

Of the 30 critical-rated Microsoft Security Bulletins this year, 24 involved vulnerabilities where the age-old best practice of "least privilege" could limit the impact of malware and raise the bar of difficulty for attackers.

The Target breach in late 2013 and the recent Sony Pictures breach are bookends to a year that saw numerous examples of attackers crossing the bounds between areas normally protected by traditional IT operations and security teams. One pattern was especially prevalent: Attackers leveraged initial vulnerabilities and weaknesses to gain a foothold on the target organization's internal network and furthered their access by taking advantage of privileged accounts and passwords.

Most IT security professionals are quick to agree that allowing users to run with Administrator-level privileges is an extremely bad idea, especially since doing so flattens any security barriers the underlying operating system might offer. The most common example is in Microsoft Windows environments where each employee's Active Directory account is added to the local computer's Administrators group. Even though this is understood to be an unhealthy security practice, it continues to persist -- not only in small, underfunded companies, but also in large, established enterprises.

Part of the challenge is that IT security is a booming area of job growth, and some long-known best practices that seasoned security professionals now take for granted are simply new to those just entering the field. We see this all the time in the failure to implement "least privilege" environments. We all understand that innocent employees with increased privileges can make simple mistakes that waste the help desk staff's time. And, of course, malicious employees can try to abuse their rights for data theft or disruption. However, least privilege is also helpful in limiting the impacts of malware and raising the bar of difficulty an attacker will have to overcome to move laterally from an initially compromised workstation to a server housing sensitive data.

When attackers gain a foothold in an environment, the level of damage they are able to inflict is often dependent on the initial level of privilege they are able to obtain. Environments with employees running as local Administrator are simply not putting up any fight against attackers who can now more easily leverage secondary post-exploitation tools to further embed within an organization and make their way toward servers and data.

Least privilege environments create hurdles that attackers must clear before gaining Administrator-level access. This can both hinder attackers and act as an early warning system that organizational breaches are under way. There are many examples of why it's critical to honor and enable privilege separation via privilege management technologies. More importantly, we can measure to some degree the number and types of vulnerabilities that could have a decreased impact in environments that employ a proper privilege management strategy.
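The two points above, the local Administrators group being filled with domain user accounts and least privilege serving as an early warning system, can both be turned into routine checks. The following PowerShell script is an added example written for this article, not code from the author or from BeyondTrust. It assumes PowerShell 5.1 or later with the built-in LocalAccounts module, a Security event log that records group-membership changes (event ID 4732), and an allow-list that you replace with your own approved accounts; the `CONTOSO` names are placeholders.

```powershell
# Added example (not from the original article): audit who sits in the local
# Administrators group and surface recent additions to it as an early-warning signal.
# Assumes: PowerShell 5.1+, Microsoft.PowerShell.LocalAccounts module, and that the
# Security log audits "Security Group Management". Allow-list entries are placeholders.

$AllowedMembers = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin (assumed acceptable)
    'CONTOSO\Domain Admins',             # placeholder: your admin group
    'CONTOSO\Workstation Admins'         # placeholder: your delegated admin group
)

# Part 1: membership audit. Anything not on the allow-list is reported, and
# domain *user* accounts (as opposed to groups) are the classic least-privilege failure.
function Get-UnexpectedLocalAdmins {
    param([string[]]$Allowed = $AllowedMembers)
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Allowed -notcontains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                Name            = $_.Name
                ObjectClass     = $_.ObjectClass          # User or Group
                PrincipalSource = $_.PrincipalSource      # Local or ActiveDirectory
                DomainUser      = ($_.ObjectClass -eq 'User' -and
                                   $_.PrincipalSource -eq 'ActiveDirectory')
            }
        }
}

# Part 2: early warning. Event 4732 is logged when a member is added to a
# security-enabled local group; filter it down to the Administrators group.
function Get-LocalAdminGroupAdditions {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4732; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull EventData fields by name rather than by position so the order does not matter.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -eq 'Administrators') {
            # 4732 records the new member as a SID; resolve it to a name when possible.
            $member = $data['MemberSid']
            try {
                $sid    = New-Object System.Security.Principal.SecurityIdentifier $member
                $member = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { }   # leave the raw SID if it cannot be resolved (e.g. deleted account)
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Member  = $member
                AddedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }
    }
}

$unexpected = Get-UnexpectedLocalAdmins
if ($unexpected) {
    Write-Warning "Unexpected members of local Administrators on $env:COMPUTERNAME:"
    $unexpected | Format-Table -AutoSize
} else {
    Write-Output "Local Administrators group matches the allow-list."
}

$additions = Get-LocalAdminGroupAdditions -Days 7
if ($additions) {
    Write-Warning "Members added to local Administrators in the last 7 days:"
    $additions | Format-Table -AutoSize
}
```

Run it from an elevated session on a workstation; reading the Security log requires administrative rights. Rows with `DomainUser` set to `True` are the accounts the article describes, and any 4732 addition not matched by a change ticket is worth treating as an incident signal rather than a clean-up item.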

If we look back across all Microsoft Security Bulletins for 2014, we can see just how much privileges can play a role in lessening the impact that attackers and malware might have when capitalizing on known security vulnerabilities within an organization. Microsoft, for example, issued more than 85 unique security bulletins this year, covering a wide range of client and server applications.

  • Of the 85 bulletins, more than half (45) could have played a role in mitigating the potential impact from malware leveraging these vulnerabilities in a least privilege computing environment.
  • Of the 30 security bulletins that were given Microsoft's highest severity rating of critical, 80% (24) involved vulnerabilities where least privilege would have played a role in mitigating the potential impact against systems.
  • Last but not least are the 39 weaknesses enabling remote code execution (RCE), considered to be Microsoft's most important classification. RCE bulletins typically cover vulnerabilities that provide an attacker an initial foothold in an organization. Of the 39 RCE vulnerabilities announced in 2014, 34 (87%) could be mitigated in a least privilege environment.

I've used Microsoft as an example, but Microsoft technologies are by no means the only problem areas where least privilege can help mitigate the practice of handing out root privileges well beyond what is necessary or in any way secure. In analyzing Microsoft's security bulletins, however, we can derive measurable data to better understand how often vulnerabilities have a privilege aspect to them.

It is important to understand that, though attackers have a finite number of ways to break into systems, there are an infinite number of ways they can leverage a compromised machine, use secondary privilege escalation exploits, or craft smarter malware. This point is important to underscore because privilege management practices are a great part of any defense-in-depth strategy. But they are by no means a panacea for preventing attackers and malware outright. The only surefire way to mitigate the impact of a vulnerability is by following a rigorous vulnerability management process.

A security strategy that tackles the well-regarded best practices of vulnerability and privilege management will create a solid foundation to build on. You will greatly strengthen your environment in a way that will douse day-to-day security fires, allowing IT to concentrate on enabling your business and security to focus on tackling even more advanced threats.

In 2015, there will no doubt be organizations still seeking the next silver bullet while ignoring the basics. Will you be the type of organization that still has users running as local Administrator and passwords being managed in spreadsheets?

Marc leads BeyondTrust's Advanced Research labs, responsible for identifying new trends in enterprise security for the benefit of the BeyondTrust product roadmap. He joined BeyondTrust via the acquisition of eEye Digital Security, which he co-founded in 1998 and served as ...