Please nitpick the following (or suggest an authority, such as NIST or CISA )
-
@adamshostack Would it make sense to say that a vulnerability can be exploited to attain some goal or achieve further compromise? Or is that what you mean by "milestone"?
@cford that is what i meant by milestone. I think it's misleading to claim that there are people who care about controlling EiP. They care about something else and that's a stepping stone along the way
-
@adamshostack Nitpick: This seems to imply a progression from a PoC demo (something generally produced with the aim demonstrating a bug so it can be fixed) to actual exploit code. While that can certainly happen, we don't know that that distinction is always present for malicious exploits (it's only one path).
Also, people react to the term "weaponize". It carries some baggage. It doesn't particularly bother me, but some people dislike it.
@mattblaze thanks! I thought about productize, bit not all 'fully developed' exploits are in products. do you have a better term handy?
-
@adamshostack I know. I was asking myself that question every time I answer Bug-Bounty reports.
NIST defines it quite well in https://nvd.nist.gov/vuln - but that definition focuses on the attacked party and the impact on them.
Which is why I asked....
@heiglandreas Yeah, I looked at that, and frankly, respond really negatively to "a negative impact to confidentiality, integrity, or availability" ; I've never found C/I/A to be that useful around RCE
-
@mattblaze thanks! I thought about productize, bit not all 'fully developed' exploits are in products. do you have a better term handy?
@adamshostack "Fieldable"
-
Please nitpick the following (or suggest an authority, such as NIST or CISA )
A vulnerability is a weakness that can be exploited to gain some goal or milestone for an attacker, such as the ability to run code. Vulnerabilities are usually bugs which get patched, and weaknesses are a broader set that includes susceptibility to threats. Code which demonstrates that a vulnerability is exploitable is called “proof-of-concept” or PoC. A PoC may be developed into an exploit, which is code that actually achieves that goal. Weaponized exploit code has been made production-ready with reliability or integration into some attack framework. The attackers may be not be malicious, for example external researchers or penetration testers.
Some vulnerabilities can't be exploited in ways that lead to attacker success, e.g. the next/previous line of defense is sound, but they're still vulnerabilities in that they allow one or more lines of defense to be bypassed.
I'd also ask:
- do bugs usually get patched?
- is this definition supposed to cover social-engineering or insider threats?
- is this definition supposed to cover volumetric DOS? -
@heiglandreas Yeah, I looked at that, and frankly, respond really negatively to "a negative impact to confidentiality, integrity, or availability" ; I've never found C/I/A to be that useful around RCE
@adamshostack well does RCE not negatively influence integrity and confidentiality?
I mean... when someone can execurlte anything on a server, then integrity is compromised and confidentiality can't be guaranteed...
-
@adamshostack Nitpick: This seems to imply a progression from a PoC demo (something generally produced with the aim demonstrating a bug so it can be fixed) to actual exploit code. While that can certainly happen, we don't know that that distinction is always present for malicious exploits (it's only one path).
Also, people react to the term "weaponize". It carries some baggage. It doesn't particularly bother me, but some people dislike it.
@adamshostack Another nitpick: consider changing “gain” to “reach” or “achieve”.
I agree with Prof. @mattblaze about “weaponize”. It’s my preferred alternative, but his suggestion “fieldable” works fine. Also consider “operational” or “operationalized” as alternatives closer to “weaponized”.
-
@adamshostack well does RCE not negatively influence integrity and confidentiality?
I mean... when someone can execurlte anything on a server, then integrity is compromised and confidentiality can't be guaranteed...
@heiglandreas It absolutely does, but in a nuanced way that's far less salient than say, "pwned."
-
Please nitpick the following (or suggest an authority, such as NIST or CISA )
A vulnerability is a weakness that can be exploited to gain some goal or milestone for an attacker, such as the ability to run code. Vulnerabilities are usually bugs which get patched, and weaknesses are a broader set that includes susceptibility to threats. Code which demonstrates that a vulnerability is exploitable is called “proof-of-concept” or PoC. A PoC may be developed into an exploit, which is code that actually achieves that goal. Weaponized exploit code has been made production-ready with reliability or integration into some attack framework. The attackers may be not be malicious, for example external researchers or penetration testers.
I would include under the umbrella of weakness "lack of observability."
It's a definite weakness if there's no monitoring in place to alert on obvious suspicious behaviour, and I don't see that accounted for in what's written.
-
Please nitpick the following (or suggest an authority, such as NIST or CISA )
A vulnerability is a weakness that can be exploited to gain some goal or milestone for an attacker, such as the ability to run code. Vulnerabilities are usually bugs which get patched, and weaknesses are a broader set that includes susceptibility to threats. Code which demonstrates that a vulnerability is exploitable is called “proof-of-concept” or PoC. A PoC may be developed into an exploit, which is code that actually achieves that goal. Weaponized exploit code has been made production-ready with reliability or integration into some attack framework. The attackers may be not be malicious, for example external researchers or penetration testers.
@adamshostack nails it pretty well imo
