Don’t build your defensive expectations around VEX and EPSS
VEX and EPSS are often touted as extensions to SBOM to solve shortcomings in the SBOM model. Both are interesting data points, but they are not what you should be building your defensive program around.
It's a Bad Idea to use public analysis of exploitability as a threshold to determine the risk of a vulnerability. Exploitability is not a distinctly knowable thing apriori. Exploitability is a function of the skill of the exploit author and the state of research in the bug type, defensive mitigations, and the operating environment.
There is an entire class of vulnerability research called "N-day" where exploit authors turn once-believed unexploitable bugs into exploitable bugs. This happens constantly which changes the state of research frequently. There are entire companies dedicated to doing only N-day research to produce exploits for "non-zero-day bugs." This work is part of a common growth path for a new vuln researcher seeking to level up.
A variable we have to consider here is the market forces that change vulnerability notifications. Exploits for bugs that affect large amounts of software are rarely released to the public anymore, but rather are sold for Scrooge McDuck piles of money. This change happened acutely in the security research industry in the past ~10 years. The lack of evidence of a public exploit for a bug is just a couple notches above meaningless. Looking at conference submissions in or around the years 2006-2013, one will see an overwhelming amount of information on how to exploit different bug classes. That has completely stopped aside from Project Zero. The reason it stopped is because of the amount of money that can be made by holding those techniques close to the chest. Therefore, public knowledge of exploitability is not something we can rely on.
The asymmetric nature of offense and defense weighs very heavily here. Defenders might spend hours on a bug trying to determine exploitability. Attackers will spend months. Defenders have to evaluate all the bugs that can affect them. Attackers only have to get one working.
领英推荐
Even in the ideal case, the risk here is that this can, and will, change overnight in ways that will cause cascading side effects of whiplash through organizations. A great example is the timeline of log4shell. When the first exploit was detected, and the world became aware of the vulnerability, literally thousands of people around the globe began "bug-hunting by ambulance." They audited the code around the vulnerability and deeply analyzed any similar vulnerability in the log4j package. Over the course of a week or so, the understanding of which versions of log4j were vulnerable changed numerous times. This isn't surprising - it happens all the time.
Now imagine you're a company bought into SBOM + VEX and you have processes setup to handle the state of vulnerabilities based on the information you get from automated updating VEX elements. The cascading effects from tying oneself to the state of exploitability of the bug would make the situation worse. A company with "less mature" processes that simply evaluated how they use log4j would spend less time bouncing back and forth in confusion because the list of things they thought they had to fix would not be constantly changing out from under them.
That is the ideal case. The (best) worst case version is: the world doesn't know that 0.5% of "unexploitable bugs" have private exploits that have been sold, traded and in use for months. That is a laughably conservative percentage, which off of GitHub Security Advisories today would account for nearly a thousand publicly known vulnerabilities.
This is why I'm so bullish on vulnerability reachability, and why Phylum is releasing this shortly. Reachability is something that can asserted with much higher accuracy. No, it's not 100% perfect in all cases, but it is the best threshold to discuss the impact and prioritization of fixing a bug in a world where private exploit sales happen constantly. If a bug is reachable, assume its exploitable and treat it as such. The End.
Agree that public evidence of exploitability can't be *relied* on, but it is at least a trailing indicator.
VP, Security Engineering & GRC
2 年I feel like VEX and EPSS were just a gateway drug for you to drop some reality checks across a half-dozen areas people keep getting wrong in security, so A++ would read again. "It's a?Bad Idea?to use public analysis of exploitability as a threshold to determine the risk of a vulnerability." When someone writes, "this is not exploitable, though" I read, "I couldn't figure out how to exploit this given a finite amount of skill, time, and effort" instead. Your post does a great job framing this. I cringe at the amount of time pentesting teams still waste on PoCs. I get the "flash" some people want to see, but I just want as many bugs as possible - and every hour writing up a PoC, is $350 I am paying for something I didn't need to see to decide to patch. "This happens constantly which changes the state of research frequently." https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf -- I remember seeing this deck back then and was like, "WAIT WHAT?" to half a dozen approaches here. So many bugs people did one URI for and went "k cool, still safe!" until they saw this haha. Thanks, Pete and reachability++