Vulnerability (computer security)
In computer security, vulnerabilities are flaws or weaknesses in a system's design, implementation, or management that can be exploited by a malicious actor to compromise its security.
Despite a system administrator's best efforts to achieve complete correctness, virtually all hardware and software contain bugs where the system does not behave as expected. If the bug could enable an attacker to compromise the confidentiality, integrity, or availability of system resources, it can be considered a vulnerability. Insecure software development practices as well as design factors such as complexity can increase the burden of vulnerabilities.
Vulnerability management is a process that includes identifying systems and prioritizing which are most important, scanning for vulnerabilities, and taking action to secure the system. Vulnerability management typically is a combination of remediation, mitigation, and acceptance.
Vulnerabilities can be scored for severity according to the Common Vulnerability Scoring System and added to vulnerability databases such as the Common Vulnerabilities and Exposures database. As of November 2024, there are more than 240,000 vulnerabilities catalogued in the CVE database.
A vulnerability is initiated when it is introduced into hardware or software. It becomes active and exploitable when the software or hardware containing the vulnerability is running. The vulnerability may be discovered by the administrator, vendor, or a third party. Publicly disclosing the vulnerability is associated with an increased risk of compromise, as attackers can use this knowledge to target existing systems before patches are implemented. Vulnerabilities will eventually end when the system is either patched or removed from use.
Causes
Despite a system administrator's best efforts, virtually all hardware and software contain bugs. If a bug creates a security risk, it is called a vulnerability. Software patches are often released to fix identified vulnerabilities, but zero-days remain liable to exploitation. Vulnerabilities vary in their ability to be exploited by malicious actors, and the actual risk depends on the nature of the vulnerability as well as the value of the surrounding system. Although some vulnerabilities can only be used for denial-of-service attacks, more dangerous ones allow the attacker to perform code injection without the user's awareness. Only a minority of vulnerabilities allow for privilege escalation, which is typically necessary for more severe attacks. Without a vulnerability, an exploit typically cannot gain access. It is also possible for malware to be installed directly, without an exploit, through social engineering or poor physical security such as an unlocked door or exposed port.
Design factors
Vulnerabilities can be worsened by poor design factors, such as:
- Complexity: Large, complex systems increase the possibility of flaws and unintended access points.
- Familiarity: Using common, well-known code, software, operating systems, and/or hardware increases the probability an attacker has or can find the knowledge and tools to exploit the flaw. However, using well-known software, particularly free and open-source software, comes with the benefit of having more frequent and reliable software patches for any discovered vulnerabilities.
- Connectivity: Any system connected to the internet can be accessed and compromised. Disconnecting systems from the internet can be extremely effective at preventing attacks, but it is not always feasible.
- Legacy: Legacy software and hardware are at increased risk by nature. System administrators should consider upgrading from legacy systems, but this is often prohibitive in terms of cost and downtime.
Development factors
DevOps, a development workflow that emphasizes automated testing and deployment to speed up the deployment of new features, often requires that many developers be granted access to change configurations, which can lead to deliberate or inadvertent inclusion of vulnerabilities. Compartmentalizing dependencies, which is often part of DevOps workflows, can reduce the attack surface by paring down dependencies to only what is necessary. If software as a service is used, rather than the organization's own hardware and software, the organization is dependent on the cloud services provider to prevent vulnerabilities.
National Vulnerability Database classification
The National Vulnerability Database classifies vulnerabilities into eight root causes that may be overlapping, including:
- Input validation vulnerabilities exist when input checking is not sufficient to prevent the attacker from injecting malicious code. Buffer overflow exploits, buffer underflow exploits, and boundary condition exploits typically take advantage of this category.
- Access control vulnerabilities enable an attacker to access a system that they are not supposed to be able to access, or to engage in privilege escalation.
- When the system fails to handle an exceptional or unanticipated condition correctly, an attacker can exploit the situation to gain access.
- Configuration vulnerabilities come into existence when configuration settings cause risks to system security, leading to such faults as unpatched software or file system permissions that do not sufficiently restrict access.
- A race condition—when timing or other external factors change the outcome and lead to inconsistent or unpredictable results—can cause a vulnerability.
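The exceptional-condition category above is easiest to see in code. The following is an added example (not from the article): the same authorization check written so that a failed policy lookup silently grants access, beside a version that treats the unanticipated condition as a denial. The policy table and the `load_policy` function are constructed for this example.

```python
# Added example: improper handling of an exceptional condition turning
# into an access-control vulnerability. Everything here is constructed.

# Constructed policy store: resource name -> set of users allowed to read it.
POLICIES = {"report.pdf": {"alice"}, "notes.txt": {"alice", "bob"}}


def load_policy(resource: str) -> set:
    """Simulated policy lookup; raises KeyError for an unknown resource."""
    return POLICIES[resource]


def can_read_fail_open(user: str, resource: str) -> bool:
    """Vulnerable: any failure of the lookup is treated as 'no restriction'.

    A request for a resource with no policy entry (the unanticipated
    condition) is granted to every caller, so the check can be bypassed
    simply by triggering the error path.
    """
    try:
        return user in load_policy(resource)
    except Exception:
        return True  # "keep the application working" default: fail open


def can_read_fail_closed(user: str, resource: str) -> bool:
    """Hardened: only the expected exception is caught, and the
    unanticipated condition resolves to 'deny' (fail closed)."""
    try:
        return user in load_policy(resource)
    except KeyError:
        return False


if __name__ == "__main__":
    print(can_read_fail_open("mallory", "missing.txt"))    # True (bug)
    print(can_read_fail_closed("mallory", "missing.txt"))  # False
```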
Vulnerabilities by component
Hardware
Deliberate security bugs can be introduced during or after manufacturing and cause the integrated circuit not to behave as expected under certain specific circumstances. Testing for security bugs in hardware is quite difficult due to limited time and the complexity of twenty-first century chips, while the globalization of design and manufacturing has increased the opportunity for these bugs to be introduced by malicious actors.
Operating system
Although operating system vulnerabilities vary depending on the operating system in use, a common problem is privilege escalation bugs that enable the attacker to gain more access than they should be allowed. Open-source operating systems such as Linux and Android have freely accessible source code and allow anyone to contribute, which could enable the introduction of vulnerabilities. However, the same vulnerabilities also occur in proprietary operating systems such as Microsoft Windows and Apple operating systems. All reputable vendors of operating systems provide patches regularly.
Client–server applications
Client–server applications are downloaded onto the end user's computers and are typically updated less frequently than web applications. Unlike web applications, they interact directly with a user's operating system. Common vulnerabilities in these applications include:
- Unencrypted data that is in permanent storage or sent over a network is relatively easy for attackers to steal.
- Process hijacking occurs when an attacker takes over an existing computer process.
Web applications
- Authentication and authorization failures enable attackers to access data that should be restricted to trusted users.
- Business logic vulnerability occurs when programmers do not consider unexpected cases arising in business logic.
- Cross-site scripting enables attackers to inject and run JavaScript-based malware when input checking is insufficient to reject the injected code. XSS can be persistent, when attackers save the malware in a data field and run it when the data is loaded; it can also be loaded using a malicious URL link. Attackers can also insert malicious code into the Document Object Model (DOM).
- SQL injection and similar attacks manipulate database queries to gain unauthorized access to data.
- Command injection is a form of code injection where the attacker places the malware in data fields or processes. The attacker might be able to take over the entire server.
- Cross-site request forgery is creating client requests that do malicious actions, such as an attacker changing a user's credentials.
- Server-side request forgery is similar to CSRF, but the request is forged from the server side and often exploits the enhanced privilege of the server.
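The injection items above, and the input validation category from the NVD classification, share one mechanism: untrusted text crosses a boundary where it is interpreted as code rather than data. The following is an added example (not from the article) using only the Python standard library: a query that splices user input into SQL beside its parameterized form, and an HTML rendering function beside one that escapes at the output boundary. The `users` table and all inputs are constructed for this example.

```python
# Added example: SQL injection and cross-site scripting, vulnerable form
# next to the hardened form. The table contents are constructed.
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Builds an in-memory users table with two constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "alice@example.test"),
                     ("bob", "bob@example.test")])
    return con


def find_user_vulnerable(con: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the input becomes part of the SQL text, so a quote in
    the input changes the query's structure instead of just its data."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return con.execute(query).fetchall()


def find_user_parameterized(con: sqlite3.Connection, name: str) -> list:
    """Hardened: the driver binds the value separately from the SQL text,
    so quotes in the input are only ever compared as data."""
    return con.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    """Vulnerable: user-controlled text is placed into HTML unescaped,
    so markup in the input is rendered and scripts in it would run."""
    return f"<p>Hello, {name}</p>"


def render_greeting_escaped(name: str) -> str:
    """Hardened: HTML metacharacters are escaped at the output boundary."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    con = make_db()
    probe = "x' OR '1'='1"  # constructed input containing a quote
    print(find_user_vulnerable(con, probe))      # every row comes back
    print(find_user_parameterized(con, probe))   # no row matches
    print(render_greeting_escaped("<b>name</b>"))
```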
Taxonomy
- Memory safety
- Race condition
- Secure input and output handling
- Faulty use of an API
- Improper use case handling
- Improper exception handling
- Resource leaks, often but not always due to improper exception handling
- Preprocessing input strings before they are checked for being acceptable
Management
Successful vulnerability management usually involves a combination of remediation, mitigation, and accepting some residual risk. Often a defense in depth strategy is used for multiple barriers to attack. Some organizations scan for only the highest-risk vulnerabilities as this enables prioritization in the context of lacking the resources to fix every vulnerability. Increasing expenses is likely to have diminishing returns.