Understanding the low-hanging-fruit of vulnerabilities is one of the most important things to understand about an environment. Thankfully, there are some easy ways, through fingerprinting, to get a wide variety of different vulnerability information from assets. But to do that, it is important to understand a little about CPEs first.
CPE stands for Common Platform Enumeration and it is the default syntax for how equipment, operating systems and software is indicated. It is a structured naming schema for the assets and the software living on the assets. Here are a few examples:
- cpe:/o:microsoft:windows
- cpe:/a:php:php:5.6.25
In the first example we can see a “/o” which indicates this is an operating system. The operating system manufacturer is “microsoft” and the operating system in question is “windows”. Now, sometimes it is not possible to extract the version information like “vista”, but this still gives you a quick view into what is easily found externally. While this does not necessarily have vulnerability information that can be easily extracted, it can be useful if you know that a certain type of equipment is at its end of serviceable life, or if you believe there should be none of XYZ operating systems or hardware deployed. Therefore, being able to search on CPE data is actually quite useful.
In the second example above, we can see a “/a” which indicated that this is an application, or the software that runs the service in question. We see that it is running “php” and version number “5.6.25”. That is a relatively old version of PHP and has some known vulnerabilities in it. The vulnerabilities lead us to CVE data.
CVE stands for Common Vulnerabilities and Exposures, and is the short-hand code for the industry-standard way of discussing a vulnerability by using a short-hand code. By extracting the known issues found in PHP version 5.6.25 and before, we can see a huge list of issues:
CVE-2016-10160, CVE-2017-11143, CVE-2017-11144, CVE-2016-10159, CVE-2017-11142, CVE-2016-10158, CVE-2017-11145, CVE-2017-11147, CVE-2016-10161, CVE-2016-10397, CVE-2017-11628, CVE-2017-12933, CVE-2018-10546, CVE-2018-10548, CVE-2018-10547, CVE-2018-10549, CVE-2018-10545, CVE-2016-3078, CVE-2017-16642, CVE-2016-4344, CVE-2016-4345, CVE-2016-4346, CVE-2016-5385, CVE-2015-8880, CVE-2015-9253, CVE-2015-8994, CVE-2016-7411, CVE-2016-7412, CVE-2016-7413, CVE-2016-7414, CVE-2016-7416, CVE-2016-7417, CVE-2016-7418, CVE-2016-7478, CVE-2016-7480, CVE-2016-7568, CVE-2018-14851, CVE-2018-14883, CVE-2018-15132, CVE-2016-9138, CVE-2016-9137, CVE-2016-9934, CVE-2016-9935, CVE-2018-17082, CVE-2017-7272, CVE-2017-7890, CVE-2017-7963, CVE-2018-19396, CVE-2018-19395, CVE-2018-19518, CVE-2017-8923, CVE-2018-19935, CVE-2018-19520, CVE-2018-20783, CVE-2018-5712, CVE-2018-5711, CVE-2019-9020, CVE-2019-9021, CVE-2019-9024, CVE-2019-9023, CVE-2019-9637, CVE-2019-9638, CVE-2019-9639, CVE-2019-9641, CVE-2018-7584, CVE-2019-6977
It is not surprising to see this many potential issues for such an old version of an application that’s as popular as PHP is. It is not to say that all CVEs are made equal. Some CVEs are going to be for internal privilege escalation – therefore it requires an adversary to be able to run arbitrary commands on the machine first before they can exploit it. That becomes a chicken and egg problem – how did they get onto the machine first, that seems like the real vulnerability.
That said, local users who are not supposed to have administrative access might be a very real threat in a multi-user environment, or when an employee wants to hide their tracks. It is difficult to know ahead of time what matters and what is inconsequential. Therefore, it is up to the company in question to triage and make sure these issues are not worth fixing, or if they can be mitigated in other ways, like using a web application firewall or some other active deterrent.
