A vulnerability is a security flaw. In most cases, it comes from a weakness in designing an information system (IS), a hardware or software component.

Not all vulnerabilities lead to a cyber attack. Indeed, they are mostly made public and fixed. It is said that they are treated in “full disclosure”.

Currently, less than 5% of published vulnerabilities* have a final exploit code. It is this code that allows the vulnerability to be exploited and makes an attack possible. Indeed, most of the vulnerabilities are not used (no exploitation code or difficulty to get it, lack of interest).

For a vulnerability to be interesting to exploit, it must meet the following criteria:

• reach a large number of targets;
• be simple to operate;
• have a direct (ransomware) or indirect (theft of data for resale or blackmail) profit goal.

As long as a vulnerability is unknown and exploited by a hacker, it is called 0-day or zero-day.

To detect vulnerabilities as early as possible, software publishers and computer component manufacturers use internal or external researchers. The contribution of these external researchers can be made via:

• companies specialized in vulnerability research;
• companies specialized in code auditing;
• bug bounty : these are contests open to everyone where the discovery of vulnerabilities is rewarded financially.

Furthermore, zero-day vulnerabilities are the subject of a market where the buyers can be states or criminal organizations.

Vulnerabilities can have a wide variety of consequences: from a simple equipment malfunction to the destruction of a production line. It all depends on the nature of the infrastructure equipped and the solution targeted.

As a result, the set of vulnerabilities being very heterogeneous, some of them have enabled fearsome attacks, such as the WannaCry attack in 2017 that infected more than 300,000 computers in 150 countries. WannaCry used the EternalBlue vulnerability whose development is attributed to the National Security Agency (NSA), based on a flaw in Microsoft Windows file server**. It was also used for the NotPetya attack the same year. NotPetya infected hundreds of thousands of computers worldwide.

To solve vulnerability, publishers develop patches. These patches can be temporary or associated with upgrades. This is why updates are critical: they guarantee that the software version is up to date with the latest knowledge in the field.

No computer program is infallible and vulnerabilities, which can be code-writing errors, are almost inevitable.

Once discovered, vulnerabilities can be identified in a process called CVE for Common Vulnerabilities and Exposures. Upon request by researchers, this is provided by the Massachusetts Institute of Technology Research Establishment (MITRE).

This entity may also delegate its powers of identification to a company or research center. The latter then become a CNA (CVE Numbering Authority).

Notes:

*Source: CERT Orange Cyberdefense, Vulnerability Intelligence Watch department, 2019

**SMBv1