[This was originally published on RiskBasedSecurity.com.]
No researcher has yet claimed to find one million vulnerabilities, but we are sure to see that headline in the future. Every so often we see news articles touting a security researcher who found an incredible number of vulnerabilities in one product or vendor. Given that most disclosures involve a single vulnerability, or sometimes a dozen or two, a headline claiming ‘thousands’ of vulnerabilities is eye-catching, suspect, and problematic to the industry.
Perhaps one of the biggest cases of this came between May and July in the form of headlines such as “‘Thousands’ of known bugs found in pacemaker code” (BBC) and “Code Blue: Thousands of Bugs Found on Medical Monitoring System” (Security Ledger). The headlines were clear, thousands of vulnerabilities in a critical medical device.
Reading past the headline in the Security Ledger article however, it wasn’t so clear: In-brief; The Department of Homeland Security warned of hundreds of vulnerabilities in a hospital monitoring system sold by Philips. Security researchers who studied the system said the security holes may number in the thousands. After another mention of “in the thousands”, a less dramatic paragraph followed saying that ICS-CERT warned of 460 vulnerabilities, while one of the researchers again emphasized the bigger number:
The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an alert on July 14 about the discovery of 460 vulnerabilities in the Philips Xper-IM Connect system, including 360 with a severity rating of “high” or “critical” severity. But an interview with one of the researchers who analyzed the Xper system said that the true number of vulnerabilities was much higher, numbering in the thousands.
After digging into these claims a bit, it came to light that a majority of them were due to the use of outdated third-party libraries. While these library vulnerabilities may impact a device like a pacemaker, the opportunity for any one of them to be exploited could be an issue or may be non-existent. If an attacker can’t reach the vulnerable code, then it likely isn’t an issue. As such, while there are real issues with vulnerabilities in third-party libraries, claims of ‘thousands’ of vulnerabilities are often creative at best, and untrue at worst.
The alarming headlines don’t help anyone with a potentially vulnerable pacemaker, and the lack of proper analysis of those flaws to determine which are critical is a disservice to the medical and InfoSec industries.
The Curious Case of Tizen OS Security
Tizen is an operating system, that many likely have never heard of before, based on the Linux Kernel, first released on January 5, 2012, designed to offer a consistent user experience regardless of the device running it.
According to Wikipedia, it “works on a wide range of devices, including smartphones, tablets, in-vehicle infotainment (IVI) devices, smart TVs, PCs, smart cameras, wearable computing (such as smartwatches), Blu-ray players, printers and smart home appliances (such as refrigerators, lighting, washing machines, air conditioners, ovens/microwaves and a robotic vacuum cleaner).” As such, this operating system is poised to have a massive digital fingerprint on devices moving forward, even more so than the millions of Samsung TVs that run it currently.
Since it is based on Linux, one might expect it to be fairly mature code from the start, and not prone to serious vulnerabilities. While Linux has its share of vulnerabilities over the years, a majority of them are local issues resulting in a denial of service or information disclosure. For the first five years, Tizen certainly seemed like it was more mature with a single low-risk vulnerability disclosed in 2012. This year however, has seen a spectacular explosion in Tizen vulnerabilities… maybe?
In April, researcher Amihai Neiderman told Vice “it may be the worst code I’ve ever seen” and told ThreatPost that he “found 40 bugs, and most of them look exploitable”. Neiderman presented his findings at the Kaspersky Security Analyst Summit in a 20 minute talk that only gave details on four of the issues, alluding to many others. During his talk, he also confirmed that he had only verified a single vulnerability was exploitable, and that the rest look exploitable. All of that only produced six actionable vulnerabilities based on the information made public. Last month, Tizen hit the news again, this time with a spectacular headline that the operating system contains 27,000 bugs according to researcher Andrey Karpov!
From the article: After finding almost a thousand bugs in Tizen code, Karpov contacted Samsung to pitch for the sale of static analyser PVS-Studio software, but Youil Kim from Samsung declined the offer. You may note that he contacted Samsung after finding “almost a thousand bugs”, a far cry from the 27,000 in the headline. The Register goes on to explain this disparity better:
It does look bad. According to Andrey Karpov, founder and CTO of Program Verification Systems, the Russia-based maker of static code analyzer PVS-Studio, Tizen’s codebase contains approximately 27,000 programming blunders. This is, though, based on extrapolating from 900 errors found in 3.3 per cent of the 72.5 million lines of C/C++ code (excluding comments) that compose the Tizen project.
This is certainly an eye-catching figure and one that might scare the most seasoned user of the operating system, if they actually even knew they were running it. What isn’t mentioned in the news articles or any form of disclosure from Karpov is the reality of such claims. While he has shared a somewhat detailed list of the nature of the flaws, there is no indication which of them, if any, are exploitable.
As we often see, and disclaim in many of our vulnerability entries in VulnDB, is that issues found via static code analysis cannot be taken at face value without additional validation. Since Karpov used PVS-Studio to find these code defects, the same disclaimer would apply. In fact, Karpov was questioned on the false positive rate of his findings and blogged that 10 – 15% may be invalid.
First, even if these flaws are buffer overflows, memory corruption issues, or other serious flaws that can lead to code execution, it doesn’t mean that any of these discovered or extrapolated issues have legitimate attack vectors.
Second, the more time you spend in vendor bug trackers watching the discussion of such reports, the more you are exposed to “vulnerabilities” that are relegated to a “theoretical” status as no one, researcher or developer, can demonstrate a user-controlled code path to reach the flaw.
Yes, we’re well aware of the pitfalls around calling a vulnerability “theoretical”! In the meantime, we strongly encourage news outlets to report such stories, but to do so in a more mindful and responsible way. Explosive and potentially misleading headlines simple do not help the world of security. As Brian Krebs recently pointed out, in a very similar vein to the above, “beware of security by press release”.