Research field: Analysis
Conference: IFIP International Conference on ICT Systems Security and Privacy Protection
This paper presents an empirical analysis of software and firmware update vulnerabilities in computing systems, resulting in a set of recommendations for implementing more secure update mechanisms. Using a Common Vulnerabilities and Exposures (CVE) dataset, we analyze trends over the past eight years, focusing on the frequency and impact of these vulnerabilities on confidentiality, integrity, and availability, as well as their associated attack vectors and severity levels. We identify distinctive patterns compared to the broader vulnerability dataset, offering insights for risk assessment and management. Our findings reveal that vulnerabilities in software and firmware update (and upgrade) processes have a greater impact than the average disclosed vulnerability. Our results also indicate that the primary attack vector for update-related vulnerabilities is local, whereas for overall vulnerabilities, exploitation typically occurs over the network. Furthermore, we investigate the most common weakness classifications associated with these vulnerabilities, identifying scenarios that illustrate their adverse effects on systems and what they enable an attacker to achieve. Common weaknesses among update-related vulnerabilities include improper verification of cryptographic signatures, improper certificate validation, and improper input validation. From the most prevalent of these weaknesses, we systematically derive a set of recommendations to help mitigate or eliminate attacks and breaches that occur during the update process.
| Publication year | 2025 |
|---|---|
| Citations | 0 |
| Publishing country | Andorra |
| Site | Springer |
| Likes | 0 |