Vulnerability management vendor Rapid7 has launched a new community-driven platform that allows security professionals to exchange information about emerging flaws to better understand their impact and determine likelihood of those vulnerabilities being exploited by attackers.
Called AttackerKB, the platform was launched as a closed beta program in January and was opened to the public April 15. An open API will make the data available automatically to other services and tools that enterprise security teams use.
“We heard a lot from members of the community, whether they are contributors to the Metasploit Framework [the popular open-source penetration testing tool maintained by Rapid7] or penetration testers that are also part of that community, who said: ‘Look, we don’t have a place where we can start to really try to boil down which of these vulnerabilities are valuable for attackers, as well as the associated high impact that remediators can get from resolving some vulnerabilities’,” Cindy Stanton, vice president for vulnerability and risk management at Rapid7 tells CSO.
It’s an attempt to add a level of context around vulnerabilities being published, so that people can get that signal-to-noise ratio and a better place where they can ask, “Is this vulnerability truly important or not that important?” so they can go to their remediation teams with confidence, she says.
Not all vulnerabilities are created equal
When vendors publicly disclose vulnerabilities and patch notes in security advisories, they receive a severity score based on an industry standard called the Common Vulnerability Scoring System (CVSS). While these scores help defenders prioritize patches and are widely used in vulnerability management products, it’s well known in the security community that they don’t always reflect the immediate risk. Flaws with the same or similar scores can pose different levels of threat to organizations or systems depending on whether they’re already used in attacks or on the availability of functional exploit code for them.
For example, two remote code execution vulnerabilities that can be targeted over the network without authentication and can lead to a complete system compromise can differ significantly when it comes to actual exploit development. This means one flaw could be more appealing to attackers than the other even though they are both similar in other aspects. Moreover, vulnerabilities that are already being exploited in the wild pose a bigger threat than similar flaws for which exploit code is not yet available or for which only proof-of-concept exploit code exists.
Proof-of-concept exploits are generally meant to prove the existence of an issue in the code, for example, demonstrating a memory corruption flaw by triggering an application crash. Based on the vulnerability’s technical details, researchers and developers can determine that the issue can theoretically also lead to arbitrary code execution but achieving it might require chaining additional flaws to disclose protected memory addresses or to overcome certain system-level defenses. While the bug can be catalogued and disclosed as an arbitrary code execution vulnerability, it doesn’t mean that code execution has been proven in practice.
Therefore, the availability of fully functional and reliable exploit chains can make a huge difference for defenders when it comes to patch prioritization or to the deployment of other mitigation and detection mechanisms. That’s the sort of additional context that AttackerKB is designed to provide.
A recent example is CVE-2020-0796, a.k.a. EternalDarkness or SMBGhost, a potentially wormable remote code execution vulnerability in the Microsoft Server Message Block 3.1.1 (SMBv3) protocol, which is available in Windows 10 version 1903 and later. The vulnerability was inadvertently disclosed on March 10 when some Microsoft partners listed it in their Patch Tuesday advisories despite Microsoft withdrawing the patch shortly before its scheduled release. This situation meant that the existence of a potentially very serious flaw — like the one leveraged by the WannaCry and NotPetya ransomware worms — became public knowledge without an official patch being available.
Microsoft released an out-of-band fix for the vulnerability a couple of days later, but in the meantime, AttackerKB started sharing information as it was becoming available. This included links to proof-of-concept exploit code and users’ own assessments of the risk the vulnerability posed.
“This is still going to be hell to actually develop a useful exploit for because of the limited real-world install base for this particular version of Windows, especially on the server side, and ASLR enhancements to Windows 10 that make this a PITA without an info leak,” one expert commented on March 15. “And, today with everyone Coronavirus sequestered, you’re unlikely to inflict any sort of at-scale exploitation if everyone’s at home on a host-isolated VPN and literally inaccessible from a mass networking PoV in an office. Hey, maybe working from home is good for security!”
In addition to comments, AttackerKB users can add certain tags to their assessments. These are vulnerability characteristics that can reflect an increased risk of attack such as “common in enterprise,” “present in default configuration,” “allows high-privileged access,” “pre-authentication,” “easy to weaponize,” while others reflect a lower risk such as “requires physical access” or “no useful access.”
Users can also rate flaws according to “attacker value” and “exploitability” with values ranging from very low to very high. These ratings can be very useful for defenders when they come from penetration testers, who generally have a lot of experience using exploits, or from Metasploit contributors who have experience writing exploits.
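As an added illustration of the argument in this article (example code, not AttackerKB’s own scoring or API; the numeric rating mapping, tag weights, in-the-wild bonus and sample CVE records are all constructed assumptions), the following Python ranks vulnerabilities by combining a CVSS base score with AttackerKB-style attacker-value and exploitability ratings and the tags described above, so that two flaws with the same CVSS score land in different remediation positions:

```python
from dataclasses import dataclass, field

# Rating scale from the page (very low .. very high) mapped to numbers: an assumption of this example.
RATING = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

# Tags named on the page; the weights are assumptions of this example, not AttackerKB's.
TAG_WEIGHT = {
    "common in enterprise": 1.0, "present in default configuration": 1.0,
    "allows high-privileged access": 1.0, "pre-authentication": 1.0,
    "easy to weaponize": 1.5,
    "requires physical access": -2.0, "no useful access": -2.0,  # lower the priority
}
IN_THE_WILD_BONUS = 5.0  # assumed weight for confirmed exploitation in attacks

@dataclass
class Assessment:
    cve: str
    cvss: float             # CVSS base score from the vendor advisory
    attacker_value: str     # "very low" .. "very high"
    exploitability: str     # "very low" .. "very high"
    tags: list = field(default_factory=list)
    exploited_in_wild: bool = False

def _rating(value: str) -> int:
    """Map a textual rating to its weight, rejecting labels outside the scale."""
    try:
        return RATING[value.lower()]
    except KeyError:
        raise ValueError(f"unknown rating {value!r}") from None

def priority_score(a: Assessment) -> float:
    """CVSS base score adjusted by community ratings, tags and in-the-wild status."""
    score = a.cvss + _rating(a.attacker_value) + _rating(a.exploitability)
    score += sum(TAG_WEIGHT.get(t, 0.0) for t in a.tags)  # unknown tags are neutral
    if a.exploited_in_wild:
        score += IN_THE_WILD_BONUS
    return round(score, 1)

def prioritize(assessments: list) -> list:
    """Return assessments with the highest remediation priority first."""
    return sorted(assessments, key=priority_score, reverse=True)

# Constructed sample records with placeholder ids, not real vulnerabilities.
SAMPLE = [
    Assessment("CVE-0000-0002", 9.8, "high", "low", ["pre-authentication"]),
    Assessment("CVE-0000-0003", 7.8, "medium", "very low", ["requires physical access"]),
    Assessment("CVE-0000-0001", 9.8, "very high", "very high",
               ["pre-authentication", "easy to weaponize", "common in enterprise"],
               exploited_in_wild=True),
]
```

The two 9.8-rated records end up far apart once exploitability, tags and in-the-wild status are folded in, which is the signal-to-noise gain the article describes.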
A gap in open-source vulnerability information
Most IT professionals are familiar with the Common Vulnerabilities and Exposures (CVE) catalogue — the source of unique vulnerability identifiers — and the National Vulnerability Database (NVD), the US government’s public repository of vulnerability information. Neither of these databases is complete, and both have faced strong criticism from the security community in recent years. CVE does not cover vulnerabilities in certain types of products, while NVD has been slow to publish information about some vulnerabilities even after they’ve been publicly known and documented for a long time.
Some vulnerability intelligence vendors maintain their own, more complete vulnerability databases that are used by their own products or are licensed to others. Meanwhile, some community-driven databases such as the Open Sourced Vulnerability Database (OSVDB) have shut down in recent years.
Rapid7’s AttackerKB is not really a replacement for projects like OSVDB, as it will not cover all historical vulnerabilities and won’t even include every new flaw that appears in hardware and software products. Whether a vulnerability is covered in AttackerKB depends on community members willing to publish an assessment for it. This doesn’t diminish the platform’s potential value to the security community and enterprise security teams, however.
“We’ve had a lot of customers tell us that when there’s an emergent vulnerability that’s targeted in ongoing attacks, raising its criticality, they have the construct of a war room, if you will, and AttackerKB would be a source of information in that war room to help them come up with a mitigation plan,” Stanton tells CSO. “How quickly do we have to do this? If we can’t patch what are some of the steps that are adequate? AttackerKB can help them assess the various trade-offs they can make to quickly address a problem, so it’s another source of information for those kinds of decisions,” she says.