What is vulnerability management? Vulnerability analyst Pierre Louis Gensou explains.
Vulnerability management and vulnerability intelligence are crucial elements of IT security. As a vulnerability analyst, my role is to identify security flaws, assess their impact on the components we monitor, and inform customers of the associated risks.
What is a vulnerability?
When we say “vulnerability”, we are usually talking about a specific entry in the CVE (Common Vulnerabilities and Exposures) list. CVE is a standard way of publicly sharing information on cybersecurity vulnerabilities and exposures: each vulnerability receives a unique identifier (CVE-2024-4577, for example) that distinguishes it from every other one for monitoring purposes.
When analysts like me assess a vulnerability, we use a standardised methodology, the CVSS (Common Vulnerability Scoring System), to ensure consistency. CVSS scores each vulnerability from 0 to 10 by describing how it can be exploited, what impact it has and therefore how severe it is. The score is built from three metric groups:
Base score
This score is calculated from several sub-metrics. For instance: how can the vulnerability be exploited (with physical access, locally on the host, from an adjacent network, or remotely over the network)? How complex is the attack? What privileges does the attacker need, and does a user have to do something? And what impact does it have on the three principles of IT security: confidentiality, integrity and availability?
Once calculated, a vulnerability’s base score stays the same: it describes intrinsic characteristics of the flaw that do not depend on time or on where it is deployed.
Temporal score
This score varies over time as the situation around the vulnerability evolves. For example, have patches been released? Have attackers developed a working exploit? Has the report been confirmed? Temporal metrics can only lower the base score, never raise it.
Environmental score
This is the score that varies the most, because the impact of a CVE depends on the company or project being monitored. It adjusts the base metrics to the real deployment and weights confidentiality, integrity and availability according to how much each matters for the asset. For example, if a system is isolated from the outside world by its network configuration, a vulnerability with a network attack vector is much harder to reach, and the modified attack vector can be lowered accordingly. These metrics reflect the importance of each component or group of components within the system and are generally calculated upstream by our customers.
What’s an example of a recently identified vulnerability?
New vulnerabilities are being identified all the time. In fact, there are currently 240,000+ in the CVE database.
A recently identified example is a vulnerability affecting PHP (PHP: Hypertext Preprocessor). According to CERT-FR, CVE-2024-4577 has a base score of 9.8 and an impact deemed critical by the vendor, as it can lead to remote code execution. It was discovered during a pentest exercise by DEVCORE’s teams.
This vulnerability is in fact a bypass of the patch for CVE-2012-1823 (discovered in 2012!), which shows the ongoing dynamic between vendors releasing patches to secure their products and attackers looking for new flaws. It is important to point out that it is not necessarily malicious hackers who find vulnerabilities: security professionals such as pentesters find them too.
What’s the difference between passive and active vulnerability management?
Airbus Protect’s Threat Management Centre (TMC) team separates vulnerability activities into two categories:
Passive vulnerability management
Passive vulnerability monitoring allows us to identify and deal with vulnerabilities that impact the project components we monitor on a daily basis. When a security vulnerability is relevant, our team drafts a security bulletin for customers to explain in detail which components are affected, which patches need to be installed, and the level of criticality for the project. This is referred to as passive vulnerability management, as it is not proactive monitoring and we do not scan any assets.
Before writing a security bulletin, our team waits for a vulnerability to be published by the vendors (e.g. Microsoft, Cisco, Red Hat) or by the authorities and public databases (e.g. CERT-FR, CISA, NIST).
Our experts have a list of components for each project, including their version and operating system. We are currently monitoring several thousand components for around fifteen projects from external customers, and publish an average of around one hundred bulletins per month. To facilitate information processing and detection, the vulnerability team works with various tools, including:
- Feedly: This aggregates all relevant sources and gives us access to each vendor’s publications. Each vulnerability can be followed so that we detect any new exploitation by attackers.
- Vulnerability Intelligence Platform (VIP): We developed this platform ourselves and use it to draft security bulletins. Each component is identified by its “CPE” (Common Platform Enumeration), in the CPE 2.2 URI form cpe:/<part>:<vendor>:<product>:<version>. For example:
cpe:/a:microsoft:edge:121.0.2277.83 represents version 121.0.2277.83 of Microsoft Edge.
part: application
vendor: microsoft
product: edge
version: 121.0.2277.83
We identify all the vulnerabilities affecting this version of the product and then write the security bulletin.
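As an added example (not Airbus Protect’s VIP code, which is not published), here is the matching step in miniature: parse the CPE 2.2 URIs of a monitored inventory and match them against advisory records that carry version ranges, in the style of NVD’s versionStartIncluding / versionEndExcluding criteria. The inventory and the advisory record are constructed sample data for this example; the record for CVE-2024-4577 uses the fixed PHP releases (8.1.29, 8.2.20, 8.3.8) as its exclusive upper bounds, and the Edge entry is the article’s own CPE.

```python
"""Match a component inventory (CPE 2.2 URIs) against advisory data with version ranges.

The inventory and the advisory entry below are constructed sample data for this
example; the range format mimics NVD's versionStartIncluding/versionEndExcluding.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cpe:
    part: str      # a = application, o = operating system, h = hardware
    vendor: str
    product: str
    version: str   # "" when the URI does not pin a version


def parse_cpe22(uri):
    """Parse a CPE 2.2 URI such as cpe:/a:microsoft:edge:121.0.2277.83."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    fields = uri[len("cpe:/"):].split(":")
    fields += [""] * (4 - len(fields))          # trailing fields may be omitted
    part, vendor, product, version = (f.lower() for f in fields[:4])
    if part not in ("a", "o", "h") or not vendor or not product:
        raise ValueError(f"malformed CPE: {uri!r}")
    return Cpe(part, vendor, product, version)


def version_key(v):
    """Comparable key for dotted versions: numeric segments compare as integers
    (so 8.3.10 > 8.3.8), anything else sorts as text after the numbers."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))


def affects(entry, comp):
    """Does one affected-product entry of an advisory cover this component?"""
    if (entry["part"], entry["vendor"], entry["product"]) != (
            comp.part, comp.vendor, comp.product):
        return False
    if comp.version == "":
        return True      # version unknown: flag it, the analyst confirms by hand
    v = version_key(comp.version)
    if "start_including" in entry and v < version_key(entry["start_including"]):
        return False
    if "end_excluding" in entry and v >= version_key(entry["end_excluding"]):
        return False
    return True


def find_affected(inventory, advisories):
    """Map each monitored CPE URI to the advisory IDs that affect it."""
    hits = {}
    for uri in inventory:
        comp = parse_cpe22(uri)
        for adv in advisories:
            if any(affects(e, comp) for e in adv["affected"]):
                hits.setdefault(uri, []).append(adv["id"])
    return hits


# Constructed inventory for one project: the article's Edge example plus PHP builds.
INVENTORY = [
    "cpe:/a:microsoft:edge:121.0.2277.83",
    "cpe:/a:php:php:8.3.7",
    "cpe:/a:php:php:8.3.8",
    "cpe:/a:php:php:8.2.20",
    "cpe:/a:php:php:8.1.10",
]

# Constructed advisory record for CVE-2024-4577; the fixed releases (8.1.29,
# 8.2.20, 8.3.8) are the exclusive upper bounds of the affected ranges.
ADVISORIES = [{
    "id": "CVE-2024-4577",
    "affected": [
        {"part": "a", "vendor": "php", "product": "php",
         "start_including": "8.1.0", "end_excluding": "8.1.29"},
        {"part": "a", "vendor": "php", "product": "php",
         "start_including": "8.2.0", "end_excluding": "8.2.20"},
        {"part": "a", "vendor": "php", "product": "php",
         "start_including": "8.3.0", "end_excluding": "8.3.8"},
    ],
}]

if __name__ == "__main__":
    for uri, cves in find_affected(INVENTORY, ADVISORIES).items():
        print(f"{uri}: {', '.join(cves)}")
```

Only the PHP 8.3.7 and 8.1.10 entries come back; 8.3.8 and 8.2.20 are exactly the fixed releases and fall outside the ranges, and Edge never matches on vendor/product. CPE matching is only the first pass: it flags every PHP 8.3.7 in the inventory, whereas CVE-2024-4577 is only exploitable on Windows hosts running PHP in CGI mode, so the analyst still checks the platform and configuration of each hit before the bulletin states a criticality for the project.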
Active vulnerability monitoring
Active vulnerability monitoring involves completely different tools and customers. In this instance, we monitor all the entities of Airbus Group with the Qualys vulnerability scanner, which probes systems directly for known vulnerabilities. The aim is to identify them and get them patched as quickly as possible.
Conclusion
Vulnerability management is one of the most critical tasks in cybersecurity. It is essential to have access to the latest information on vulnerabilities that could affect your operating system and infrastructure, as time is usually of the essence when it comes to remedying them!
Are you interested in a vulnerability monitoring service?