Public Vulnerabilities
Overview
- Critical vulnerabilities: Can be exploited externally without local access.
- Cause: Typically due to coding mistakes in back-end components.
- Types: Vary from simple to complex depending on web application architecture.
Public CVEs and Exploits
- Public web apps (open-source or proprietary) are widely tested → many vulnerabilities discovered.
- Vulnerabilities assigned CVE records and scores.
- Proof of Concept (PoC) exploits are often available for public testing.
Identification Process
-
Identify Web Application Version
- Check source code (e.g.,
version.php). - Look for the same in the deployed app.
- Check source code (e.g.,
-
Search for Public Exploits
- Google search:
<App Name> <Version> exploit. - Use exploit databases:
- Google search:
-
Prioritize
- Look for:
- CVSS score 8–10
- Remote Code Execution (RCE) exploits
- Also check plugins or external components used by the app.
- Look for:
Common Vulnerability Scoring System (CVSS)
- Open-source standard to assess vulnerability severity.
- Used by orgs/governments to prioritize remediation.
- Take a look at: Analyzing Vulnerabilities and Vulnerability Scans
Metrics
- Base: Characteristics of vulnerability.
- Temporal: Changes over time.
- Environmental: Specific to organizational context.
CVSS Versions
CVSS v2.0 Ratings
| Severity | Score Range |
|---|---|
| Low | 0.0–3.9 |
| Medium | 4.0–6.9 |
| High | 7.0–10.0 |
CVSS v3.0 Ratings
| Severity | Score Range |
|---|---|
| None | 0.0 |
| Low | 0.1–3.9 |
| Medium | 4.0–6.9 |
| High | 7.0–8.9 |
| Critical | 9.0–10.0 |
- NVD: Provides Base scores, not Temporal/Environmental.
- More information about the differences between the two scoring systems can be found here.
- Use CVSS calculators to adjust scores.
Back-End Server Vulnerabilities
-
Web Servers: Exposed over TCP → high risk.
- Example: Shellshock (2014) affecting Apache servers, exploited via HTTP requests.
- Utilized
HTTPrequests to gain remote control over the back-end server.
- Utilized
- Example: Shellshock (2014) affecting Apache servers, exploited via HTTP requests.
-
Back-end/database vulnerabilities:
- Typically need local/internal access.
- Used to escalate privileges or move laterally within network.
- Must still be patched to prevent full system compromise.
Exercise
What is the CVSS v2.0 score of the public vulnerability CVE-2017-0144?
Description for CVE-2017-0144
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.
Metrics
- CVSS Version 2.0
- NIST: NVD
- Base Score: 9.3 HIGH
flag: 9.3