Assessing the impact of a particular vulnerability in a specific deployment can be a complex discipline, because it requires you to understand both the vulnerability itself and how the affected code is used in the service in question. Twistlock Vulnerability Explorer already makes these assessments easier by combining vendor assessments of the CVE with analysis of how the image is built and deployed to calculate a risk score. That score takes into account factors such as whether the image has mitigations that would limit the impact of the vulnerability (AppArmor and SELinux, for example), how the image can be accessed when running as a container (open ports, for example), and what level of access the container has (for example, whether it is running as a privileged container).
In Twistlock version 2.3, we are extending these analytics using additional information about the ease of exploiting the vulnerability and the potential impact of successful exploitation to increase the usefulness of the risk score. Additionally, all this information is available at-a-glance in Vulnerability Explorer.
Factors that impact risk
Each risk factor is surfaced clearly within the UI. Among the factors that have been added are:
- Attack complexity: Some vulnerabilities are difficult to reliably exploit while others require very little effort. Low complexity vulnerabilities are more likely to be successfully leveraged.
- Attack vector: For solutions deployed in containers, remotely exploitable vulnerabilities are more relevant to risk than those that require local, interactive access.
- Exploit code exists: The availability of exploit code makes it easier for attackers to leverage the associated vulnerability.
- Impact: Does the vulnerability allow for remote code execution or a denial of service?
- Freshness: Was this vulnerability recently disclosed? This helps to contextualize whether or not this vulnerability represents a new and emerging threat.
Unpacking an example vulnerability
Here is an example of a vulnerability shown in Vulnerability Explorer:
Unpacking this view, we can see a lot of details that help us understand the potential impact of this vulnerability. First of all, we can see that this image has listening ports (thus, it’s available to the outside world) and that the image is running as root (increasing the impact of a successful exploit). The risk factors tell us that this is a critical vulnerability that has been fixed. They also tell us that it’s easy to exploit, that it can be exploited remotely, and that it can be used to remotely execute code.
When we combine all of this contextual information, we can easily see why this has a high risk score — an attacker would require little effort to use this vulnerability and, by remotely executing code as root, they could accomplish a great deal within the container. Since a fix is available, the next step should be to include the updated packages in the affected images and redeploy them.
Assessing, mitigating, and resolving known vulnerabilities is an important part of securing any service. In Twistlock 2.3, we’ve put many of the details you need to effectively gauge impact into a single pane so that you can invest less time and effort in the assessment and move more quickly to fixing things.
Follow @Twistlockteam on Twitter to get updates on what’s next with Twistlock and cloud native cybersecurity.