Zero-day bugs: what they are and how to defend against them


The MOVEit Transfer attacks have made it abundantly clear that zero-day vulnerabilities and other flaws can cause millions of dollars in damage. However, the only way to avoid bugs is to properly understand them.

As we become increasingly reliant on digital platforms for communication, commerce, and critical infrastructure, the potential threats to our data, privacy, and overall security continue to grow. One of the foundational pillars of a robust cybersecurity strategy is a comprehensive understanding of vulnerabilities.

Vulnerabilities, in the context of cybersecurity, are weaknesses or flaws in software, hardware, or protocols that malicious actors can exploit to gain unauthorized access, compromise data integrity, or disrupt operations. These vulnerabilities can manifest in various forms, from programming errors and design flaws to configuration oversights and human errors.

Why understanding vulnerabilities matters

Understanding vulnerabilities is not solely the realm of cybersecurity professionals and researchers. It’s a fundamental concept that impacts individuals, businesses, governments, and organizations across all sectors. Here's why grasping the nature and implications of vulnerabilities is crucial:

  • Proactive defense: By properly comprehending vulnerabilities, individuals and organizations can proactively identify potential points of weakness within their systems and applications. This knowledge empowers them to take preventive measures, implement robust security controls, and patch vulnerabilities before they can be exploited.
  • Risk mitigation: In-depth knowledge of vulnerabilities allows for informed risk assessment and mitigation strategies. Organizations can prioritize resources to address the most critical vulnerabilities that pose the highest risk to their operations and data.
  • Incident response: When a cyber incident occurs, understanding the vulnerabilities that were exploited is essential for effective incident response. It aids in determining the root cause of the breach, assessing the extent of the damage, and implementing immediate remediation steps.
  • Informed decision-making: Business leaders and policymakers need to make informed decisions about technology adoption, investment in security measures, and regulatory compliance. Understanding vulnerabilities provides the necessary insights to make these decisions wisely.
  • Collaboration and communication: Effective communication between security teams, developers, and stakeholders requires a shared understanding of vulnerabilities. This collaborative approach ensures that security concerns are adequately addressed throughout the development lifecycle.

Types of vulnerabilities

  • Zero-day

A zero-day vulnerability is one that was discovered by cybercriminals and exploited before a patch was available. Zero-day vulnerabilities like the Log4j flaw are often the most famous and damaging vulnerabilities because attackers have the opportunity to exploit them before they can be fixed.

  • Remote code execution (RCE)

An RCE vulnerability allows an attacker to execute malicious code on the vulnerable system. This code execution can allow the attacker to steal sensitive data, deploy malware, or take other malicious actions on the system.

  • Injection vulnerabilities

Many attacks – such as SQL injection and buffer overflows – involve an attacker submitting invalid data to an application. A failure to properly validate input before processing it leaves these applications vulnerable to attack.

  • Unpatched software

Software vulnerabilities are common, and they are corrected by applying patches or updates that fix the issue. A failure to properly patch out-of-date software leaves it vulnerable to exploitation.

  • Unauthorized access

It’s common for companies to assign employees and contractors more access and privileges than they need. These additional permissions create security risks if an employee abuses their access or their account is compromised by an attacker.

It’s worth mentioning that there are more types of vulnerabilities; we have covered only some of them here.

A closer look at the zero-day flaw

Zero-day vulnerabilities represent a unique breed of cyber threat, one that leaves no room for error and grants attackers an unprecedented advantage.

Imagine a secret passage into a fortress that only a select few know about, allowing them to breach the walls undetected, plunder its treasures, and vanish before anyone even notices the breach. This is the essence of a zero-day vulnerability – a hidden doorway for cybercriminals to exploit software weaknesses, often with devastating consequences. Let’s take a look at the zero-day vulnerability known as CVE-2021-41773.

CVE-2021-41773: Path traversal zero-day in Apache HTTP Server (PoC)

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied," these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild.
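The root cause described above is the order of operations inside path normalization. The following added example (written for this article, not code from the Apache project) shows the defensive pattern a file-serving component should follow: percent-decode the request path first, only then resolve dot segments, and finally confirm the result is still inside the document root. The document root and sample request paths are constructed for illustration.

```python
from pathlib import PurePosixPath
from urllib.parse import unquote

DOCROOT = PurePosixPath("/var/www/html")   # constructed sample document root


def resolve_under_root(url_path: str, root: PurePosixPath = DOCROOT):
    """Map url_path onto root; return the file path, or None if it escapes."""
    # Step 1: percent-decode BEFORE looking at dot segments, so that
    # encoded forms such as %2e%2e or %2f cannot slip past step 2.
    decoded = unquote(url_path.split("?", 1)[0])
    if "\x00" in decoded:
        return None                      # NUL bytes never belong in a file path

    # Step 2: resolve "." and ".." on the decoded string, refusing any
    # request that tries to climb above the root at any point.
    parts = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None              # attempted to leave the root
            parts.pop()
            continue
        parts.append(seg)

    # Step 3: defence in depth - verify containment on the final path
    # rather than trusting that step 2 was complete.
    target = root.joinpath(*parts)
    if target != root and root not in target.parents:
        return None
    return str(target)


if __name__ == "__main__":
    # Constructed sample requests: two benign, three that must be refused.
    for req in ("/index.html", "/docs/../index.html",
                "/icons/%2e%2e/%2e%2e/etc/passwd", "/..%2fetc/passwd",
                "/a%00.html"):
        print(f"{req:40} -> {resolve_under_root(req)}")
```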

Image: Apache HTTP server (image by Cybernews).

The image above shows successful exploitation, which gave the attacker access to arbitrary files outside of the document root on the vulnerable web server.

After successful exploitation, bad actors may proceed with various malicious activities aimed at maintaining control, stealing sensitive data, or launching further attacks:

  • The attackers may install backdoors, rootkits, or other malicious software to ensure continued access even if the original vulnerability is patched. This helps them maintain control over the compromised server.
  • Bad actors may attempt to escalate their privileges on the compromised system to gain administrative access and control over other parts of the network.
  • If the compromised server is part of a larger network, attackers may attempt to move laterally to other systems or servers within the same network to expand their reach and potentially compromise more assets.
  • Attackers may attempt to steal sensitive data stored on the server, such as user credentials, personal information, financial data, or intellectual property. This stolen data can be used for various malicious purposes, including identity theft or selling on the dark web.

According to the Shodan search engine, 3768 Apache HTTP servers are still running this vulnerable version.


Key takeaways

  • A zero-day vulnerability is a security flaw in software, hardware, or firmware that’s unknown to the vendor or developers. It's called "zero-day" because the attackers exploit it and the developers have had "zero days" to fix it.
  • Attackers can exploit zero-day vulnerabilities to gain unauthorized access to systems, steal sensitive data, launch malware, or perform other malicious activities.
  • Since these vulnerabilities are unknown, there are usually no patches or defenses available when they are exploited. This makes them highly dangerous and difficult to defend against.
  • Zero-day vulnerabilities are highly valuable to attackers and may be sold on the dark web or used for espionage purposes. Governments, criminal organizations, and other threat actors seek them out.
  • Zero-day attacks often follow a life cycle: discovery, exploitation, and patching. During the exploitation phase, attackers may use the vulnerability until it's discovered and patched.

Significance

The significance of zero-day vulnerabilities lies in their potential to cause significant harm to digital systems, organizations, and individuals. Here are some key points that highlight the significance of zero-day vulnerabilities:

  • Since these vulnerabilities are unknown and no patches are available, attackers can launch stealthy and targeted attacks, often remaining undetected for extended periods.
  • Zero-day vulnerabilities are highly sought after in the cybercriminal underground and are often sold for large sums of money. This attracts sophisticated hackers and state-sponsored threat actors.
  • Zero-day vulnerabilities can also exist in third-party software or components, creating supply chain risks that can affect multiple organizations.
  • The absence of patches or known defenses makes mitigating zero-day vulnerabilities challenging. Organizations may have limited options to protect themselves until a patch is released.

How to protect against zero-day vulnerabilities

Protecting against zero-day vulnerabilities requires a multi-faceted approach that combines proactive measures, robust cybersecurity practices, and timely response strategies. While it's impossible to completely eliminate the risk of zero-days, these steps can help mitigate the potential impact:

  • Keep software up to date: Regularly update operating systems, software applications, and plugins to the latest versions. Vendors often release patches and updates to address known vulnerabilities, including zero-days.
  • Implement Intrusion Detection and Prevention Systems (IDPS): IDPS can monitor network traffic and detect suspicious or malicious activities. They can also block or alert on potential zero-day attacks based on behavioral anomalies.
  • Network segmentation: Divide your network into segments to limit the potential spread of an attack. This can contain the impact of a zero-day vulnerability by isolating affected systems.
  • Regular security audits and penetration testing: Conduct regular security audits and penetration testing to identify vulnerabilities, including zero-days. Address findings promptly to strengthen your defenses.
  • User training and awareness: Educate users about phishing attacks, social engineering, and safe online practices to prevent attackers from exploiting human vulnerabilities.

Zero-day vulnerabilities represent one of the most dynamic and ever-changing aspects of cybersecurity. Organizations should stay informed about the latest threats, adopt best practices, and maintain a robust security posture to minimize their risks. And of course, understanding vulnerabilities in cybersecurity can give an advantage when dealing with zero-day exploits.