
Study Guide

📖 Core Concepts
- Vulnerability – a flaw/weakness in design, implementation, or management that lets an attacker breach confidentiality, integrity, or availability.
- Vulnerability Management Process – identify assets → prioritize → scan → remediate/mitigate → accept residual risk.
- Lifecycle of a Vulnerability – discovery → (optional) public disclosure → exploitation window → patch/mitigation → end‑of‑life.
- Severity Scoring (CVSS) – rates exploitability, impact on CIA, required access, and user interaction to produce a numeric score.
- Disclosure Types – Full disclosure (public before patch) vs Coordinated/Responsible disclosure (private until patch).
- Active vs Dormant vs Carrier – Active: running and exploitable; Dormant: present but not running; Carrier: code exists but not yet configured to execute.

📌 Must Remember
- A bug becomes a vulnerability only when it can be exploited to affect CIA.
- Zero‑day = vulnerability exploited before any patch exists.
- CVSS evaluates: exploitability, impact (confidentiality, integrity, availability), access level, and user interaction.
- Remediation = apply a patch; Mitigation = reduce exploitability/impact without fixing the flaw.
- Full disclosure raises awareness but also attacker opportunity; coordinated disclosure limits immediate risk.
- Scanners detect known flaws from databases (CVE) but cannot find zero‑days and may generate false positives.
- Input validation failures → buffer over/underflow, XSS, SQLi, command injection.
- Access‑control failures → privilege escalation, unauthorized data access.
- Configuration errors and race conditions are top‑ranked root causes in the NVD taxonomy.

🔄 Key Processes
- Vulnerability Management Workflow – Asset inventory → risk‑based prioritization → automated scanning → triage → remediation/mitigation → verification → documentation.
- Vulnerability Lifecycle – Discovery (internal or third‑party) → disclosure decision (full vs coordinated) → public announcement → exploit development → patch creation → patch release → adoption → retirement.
- Remediation vs Mitigation Decision Tree
  - Patch available? → Remediate.
  - No patch & risk high? → Mitigate (e.g., disable feature, restrict access).
  - Risk low & cost high? → Accept residual risk.
- Penetration Testing Process – Scope definition → reconnaissance → exploit attempts (automated + manual) → report findings → prioritize for remediation.

🔍 Key Comparisons
- Full Disclosure vs Coordinated Disclosure
  - Full: immediate public info → higher short‑term attack risk.
  - Coordinated: vendor gets time to patch → lower immediate risk.
- Remediation vs Mitigation
  - Remediation: eliminates the flaw (patch).
  - Mitigation: lowers the chance or impact (e.g., firewall rule, sandbox).
- Active vs Carrier vs Dormant Vulnerabilities
  - Active: running code, exploitable now.
  - Carrier: code present but not configured to run.
  - Dormant: installed but not currently executing.
- Input Validation vs Access‑Control Failures
  - Input validation: stops malicious data entry (XSS, SQLi).
  - Access‑control: enforces who can do what (privilege escalation).

⚠️ Common Misunderstandings
- “All bugs are vulnerabilities.” – Only bugs that can be exploited to affect CIA count.
- “Patch = instant safety.” – Patches may introduce regressions; deployment lag leaves a window of exposure.
- “Scanners find every problem.” – They miss zero‑days and can flag false positives.
- “Code review eliminates all bugs.” – Inadequate or rushed reviews still miss many issues.
- “Legacy systems cannot be secured.” – Mitigation (network segmentation, limited exposure) can reduce risk even if patches are unavailable.

🧠 Mental Models / Intuition
- “Hole in a fence” – A vulnerability is a hole; remediation patches the hole, mitigation puts a temporary fence around it.
- CVSS as a “risk thermometer” – Higher score = hotter, more urgent to fix.
- Disclosure as a “fire alarm” – A coordinated alarm gives occupants time to evacuate (patch) before the fire spreads.

🚩 Exceptions & Edge Cases
- Patch regressions – Applying a fix can break functionality; test before full rollout.
- False positives – Scanner alerts that are not real vulnerabilities; always verify.
- Zero‑day exploits – No known fix; rely on mitigation (network isolation, IDS signatures).
- Legacy systems – May lack vendor patches; use virtual patching (WAF, ACLs) as a stop‑gap.

📍 When to Use Which
- Remediation – Use when a reliable patch exists and downtime is acceptable.
- Mitigation – Use when no patch exists, risk is high, or patch rollout is delayed.
- Automated scanner – Good for inventorying known CVEs quickly.
- Manual penetration test – Needed for complex business‑logic flaws, zero‑days, or when compliance demands thorough validation.
- Full disclosure – Consider only when public interest outweighs immediate risk (e.g., government‑mandated).
- Coordinated disclosure – Default choice for most responsible researchers and vendors.

👀 Patterns to Recognize
- Unvalidated input → XSS / SQLi / Command injection – Look for any data that reaches a command, query, or script without sanitization.
- Over‑permissive permissions → Privilege escalation – Files or services with “Everyone” or “admin” rights are red flags.
- Missing authentication/authorization checks → Access‑control failures – Endpoints that perform actions without verifying user identity.
- Repeated timing differences → Race conditions – Code that accesses shared resources without locks or proper ordering.
- Default or unchanged configurations → Configuration errors – Services running with default credentials or open ports.

🗂️ Exam Traps
- “Scanners detect zero‑day vulnerabilities.” – Trick answer; scanners only match known signatures.
- “Full disclosure always improves security.” – Wrong; it can accelerate attacks before patches exist.
- “If a vulnerability is listed in CVE, it must be critical.” – A CVE ID does not indicate severity; check the CVSS score.
- “Remediation is always cheaper than mitigation.” – Not true; patch testing, downtime, and regression fixes can be costly.
- “Legacy systems can be ignored because they are not internet‑facing.” – Internal exposure can still be exploited; ignore at your peril.