Nov. 8, 2013
IT Security Center
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/) aims to be a comprehensive database in which vulnerability countermeasure information for software used in Japan is aggregated and can be accessed easily by IT users. JVN iPedia collects and/or translates the vulnerability countermeasure information published by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), a vulnerability information database run by NIST(*3), and has made this information available to the public since April 25, 2007.
~Vulnerability information stored in JVN iPedia is now over 41,000~
The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 3rd quarter of 2013 (July 1 to September 30, 2013) is shown in the table below. The total number of vulnerabilities stored in JVN iPedia is now over 41,000 (See Table 1-1, Figure 1-1).
As for the English version, a total of 949 vulnerabilities are available, as shown in the lower half of the table.
Table 1-1

| Version | Information Source | Registered Cases | Cumulative Cases |
|---|---|---|---|
| Japanese Version | Domestic Product Developers | 2 | 149 |
| Japanese Version | JVN | 130 | 2,755 |
| Japanese Version | NVD | 1,148 | 38,912 |
| Japanese Version | Total | 1,280 | 41,816 |
| English Version | Domestic Product Developers | 2 | 149 |
| English Version | JVN | 26 | 800 |
| English Version | Total | 28 | 949 |
~Vulnerabilities in Content Management Systems account for 96 percent (1,669)!~
Unauthorized modification of websites has been increasing sharply this year, and IPA issued a security alert(*4) in September 2013 to warn users of the danger. One factor that facilitates attacks on websites is that users keep running old versions of software applications while attackers actively exploit the vulnerabilities in them.
The software applications that are often exploited include web application frameworks(*5) and middleware(*6) such as Apache Struts and Parallels Plesk Panel, and content management systems (CMS)(*7) such as WordPress, Drupal and Joomla. Many vulnerabilities have been reported for these applications.
Figure 1-2-1 illustrates the registration status of some software applications that are "often exploited" in website attacks. For these applications, 1,879 vulnerabilities have been reported in total, 155 of them in 2013 as of the end of September. Looking at them individually, the number of reports for Joomla! has been decreasing since its peak in 2010, while WordPress and Drupal account for most of the vulnerabilities reported this year.
JVN iPedia rates each vulnerability according to CVSS(*8) and publishes its severity level. Figure 1-2-2 shows the severity ratio of the vulnerabilities in the software applications addressed in Figure 1-2-1. Among them, 688 vulnerabilities were labeled level III ("High"), 981 were labeled level II ("Medium") and 210 were level I ("Low"). The number of vulnerabilities with high severity (level II or higher), such as those that may lead to service outage, was 1,669 out of 1,879 (about 89 percent). In particular, CMS software such as WordPress, Drupal, Joomla!, Movable Type and XOOPS accounted for 96 percent of those often-exploited vulnerabilities (1,807 out of 1,879), and the number of the most severe, level III, vulnerabilities among them was 660 out of 1,807 (36 percent).
Many highly severe vulnerabilities that have been exploited in real attacks are registered in JVN iPedia. It is essential for IT users to check vulnerability information daily and to update software and/or apply security patches as soon as possible.
~A case study: Emergency alert system of a Montana TV and radio network hacked through vulnerabilities~
In February 2013, the emergency alert system of a Montana television and radio network in the U.S. broadcast an emergency alert warning of an attack by zombies. It was later revealed that someone had exploited vulnerabilities in DASDEC, a system used to receive and process the alerts. These vulnerabilities can be read in JVN iPedia as well (Table 1-2).
Table 1-2

| ID (JVN iPedia) | Title | CVSS Base Score |
|---|---|---|
| JVNDB-2013-003170 | Compromised root SSH key in Digital Alert Systems DASDEC EAS and Monroe Electronics R189 One-Net EAS | 10.0 |
| JVNDB-2013-003171 | Log information disclosure in Digital Alert Systems DASDEC EAS and Monroe Electronics R189 One-Net EAS | 7.8 |
| JVNDB-2013-003172 | Predictable password generation in Digital Alert Systems DASDEC EAS and Monroe Electronics R189 One-Net EAS | 7.5 |
| JVNDB-2013-003173 | Default password in Digital Alert Systems DASDEC EAS and Monroe Electronics R189 One-Net EAS | 10.0 |
Fortunately, this incident caused little trouble, but in a worst-case scenario the attacker could have used the emergency alert system to cause serious social chaos. The attacks known so far have mostly targeted information systems, but this is beginning to change, and attacks are spreading to software and systems in other fields, such as industrial systems and embedded systems. In particular, vulnerability reports for industrial control systems (ICS) used in industrial operations, such as production lines in plants, have been increasing since 2011. Figure 1-3-1 shows the number and severity of the reported software vulnerabilities in industrial control systems. As of the end of September, 413 vulnerabilities have been reported. In 2013, the number of ICS vulnerabilities with the highest severity, level III, is 66 out of 108 (about 61 percent), continuing the trend seen in past years.
JVN iPedia provides vulnerability information not only about information system software widely used on PCs and servers, such as OSs, document software and web server software, but also about critical system software used in social infrastructure.
Figure 2-1 illustrates the number of vulnerability countermeasure information registered during the 3rd quarter of 2013, sorted by their vulnerability type using CWE(*9).
The types of vulnerabilities that have been reported most during this quarter are: CWE-119 (Buffer Errors) with 217 cases, CWE-79 (Cross-Site Scripting) with 187 cases, CWE-264 (Permissions, Privileges and Access Controls) with 130 cases, CWE-20 (Improper Input Validation) with 115 cases, CWE-399 (Resource Management Errors) with 58 cases and CWE-94 (Code Injection) with 54 cases.
Most of them are well-known types of vulnerabilities. Software developers need to implement the necessary security measures from the planning and design phase of software development. IPA provides guidelines that address these vulnerabilities, such as the "Secure Programming Course"(*10), and also offers "AppGoat"(*11), a hands-on tool for learning about and experiencing vulnerabilities, to promote secure programming.
Figure 2-2 shows the annual transitions in the severity of vulnerabilities registered to JVN iPedia based on the date they were first published.
As of September 30, 2013, 44 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 49 percent were labeled level II ("Medium", CVSS Base Score = 4.0-6.9) and 7 percent were level I ("Low", CVSS Base Score = 0.0-3.9).
The severity of 93 percent of known vulnerabilities was level II or higher. To avoid threats from known vulnerabilities, it is essential for IT users to update and apply security patches as soon as possible.
Figure 2-3 shows the annual transitions in the types of software registered to JVN iPedia for having vulnerabilities, based on the respective vulnerability release dates. Application vulnerabilities are published most and account for 86 percent of the total.
Since around 2008, vulnerabilities in industrial control systems (ICS) used in critical infrastructure have been added: 8 vulnerabilities in 2008, 10 in 2009, 21 in 2010, 93 in 2011, 173 in 2012, and 108 as of the end of September 2013. The total is 413, and the number has been increasing since 2011.
Figure 2-4 shows the annual transitions in the registered vulnerabilities found in open source software (OSS) and non-OSS software, based on the date they were first published. A total of 16,670 OSS vulnerabilities have been registered. One reason the number of registered non-OSS vulnerabilities appears higher from 2007 onward is that all NVD data released in and after 2007 have been added. Overall, 40 percent of the vulnerabilities are in OSS and 60 percent are in non-OSS software.
Figures 2-5-1 and 2-5-2 show the breakdown of OSS and non-OSS software developers (vendors) registered in JVN iPedia as of September 30. The vendors are categorized as domestic vendors, overseas vendors with a Japan office, or overseas vendors without a Japan office.
As seen in the graphs, overseas vendors without a Japan office account for the largest share: 96.3 percent of OSS vendors and 91.4 percent of non-OSS vendors. This shows that JVN iPedia offers, in Japanese, a vast amount of vulnerability information on products developed by overseas vendors that have no office or base in Japan.
The positive aspects of using OSS are that it is free and a wide choice of software is available. On the other hand, OSS vendors may not offer sufficient support. Users who lack the necessary knowledge, such as how to apply security patches, should carefully weigh the pros and cons of using OSS.
Table 3-1 lists the top 20 most accessed vulnerability countermeasure information entries in JVN iPedia during the 3rd quarter of 2013 (July - September).

Table 3-1

| Rank | ID (JVN iPedia) | Title | CVSS Base Score | Published Date |
|---|---|---|---|---|
| 1 | JVNDB-2013-003253 | Android Arbitrary Code Execution Vulnerability | 9.3 | 2013/7/11 |
| 2 | JVNDB-2013-000085 | VMware ESX and ESXi Vulnerable to Buffer Overflow | 7.5 | 2013/9/6 |
| 3 | JVNDB-2012-000051 | Logitec LAN-W300N/R Series Fails to Restrict Access Permissions | 7.5 | 2012/5/25 |
| 4 | JVNDB-2012-001258 | HTTPOnly Cookies Information Disclosure Vulnerability in protocol.c in Apache HTTP Server | 4.3 | 2012/2/1 |
| 5 | JVNDB-2013-003469 | Apache Struts Vulnerable to Remote Command Execution | 7.5 | 2013/7/23 |
| 6 | JVNDB-2013-000084 | VMware ESX and ESXi Vulnerable to Directory Traversal | 6.4 | 2013/9/6 |
| 7 | JVNDB-2013-000076 | JP1/IT Desktop Management - Manager and Hitachi IT Operations Director Vulnerable to Privilege Escalation | 5.5 | 2013/7/29 |
| 8 | JVNDB-2013-000070 | Oracle Outside in Vulnerable to Buffer Overflow | 7.5 | 2013/7/17 |
| 9 | JVNDB-2013-000072 | JBoss RichFaces Vulnerable to Remote Code Execution | 6.8 | 2013/7/19 |
| 10 | JVNDB-2013-000087 | Multiple Broadband Routers May Behave as Open Resolvers | 5.0 | 2013/9/19 |
| 11 | JVNDB-2013-002948 | Arbitrary Command Execution Vulnerability in mod_rewrite Module in Apache HTTP Server | 5.1 | 2013/6/12 |
| 12 | JVNDB-2013-003349 | Denial of Service (DoS) Vulnerability in ext/xml/xml.c in PHP | 6.8 | 2013/7/16 |
| 13 | JVNDB-2012-002110 | WordPress Vulnerable to Cross-Site Scripting | 4.3 | 2012/4/24 |
| 14 | JVNDB-2013-003320 | Denial of Service (DoS) Vulnerability in mod_dav.c in Apache HTTP Server | 4.3 | 2013/7/12 |
| 15 | JVNDB-2013-000069 | Cybozu Office Session Management Vulnerability | 4.0 | 2013/7/16 |
| 16 | JVNDB-2013-000075 | docomo Overseas Usage Application Vulnerability in the Connection Process | 3.3 | 2013/8/7 |
| 17 | JVNDB-2011-001638 | Denial of Service (DoS) Vulnerability in apr_fnmatch.c and fnmatch.c used in Apache Portable Runtime Library | 4.3 | 2011/5/27 |
| 18 | JVNDB-2013-003441 | Apache Struts Arbitrary OGNL Code Execution Vulnerability | 9.3 | 2013/7/19 |
| 19 | JVNDB-2013-000062 | EC-CUBE Vulnerable to Code Injection | 7.5 | 2013/6/27 |
| 20 | JVNDB-2013-000068 | AQUOS PhotoPlayer HN-PP150 Vulnerable to Denial-of-Service (DoS) | 5.0 | 2013/7/11 |

Table 3-2 lists the top 5 most accessed vulnerability countermeasure information entries among those reported by domestic product developers.

Table 3-2

| Rank | ID (JVN iPedia) | Title | CVSS Base Score | Published Date |
|---|---|---|---|---|
| 1 | JVNDB-2013-003073 | Vulnerability in JP1/HIBUN Advanced Edition Information Cypher Removable Media Encryption | 1.2 | 2013/6/19 |
| 2 | JVNDB-2013-003074 | Cross-site Scripting Vulnerability in Hitachi Command Suite Products | 4.3 | 2013/6/19 |
| 3 | JVNDB-2013-002796 | Arbitrary Commands Execution Vulnerability in JP1/Integrated Management - TELstaff Alarm View | 10.0 | 2013/5/24 |
| 4 | JVNDB-2013-002770 | Cross-site Scripting Vulnerability in JP1/Automatic Operation | 4.3 | 2013/5/21 |
| 5 | JVNDB-2013-002427 | Buffer Overflow Vulnerability in Hitachi IT Operations Director | 10.0 | 2013/4/23 |
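The severity banding the report applies to CVSS Base Scores (Level I 0.0-3.9, Level II 4.0-6.9, Level III 7.0-10.0), applied mechanically to rows of the ranking tables above. This is an added Python example and is not part of the IPA report or of JVN iPedia: it parses table rows in the pipe-delimited layout the tables use (either the extracted `|a||b|` form or a single-pipe row), assigns the severity level from the CVSS Base Score, and summarizes the share at level II or higher, the figure the report quotes for the database as a whole. The six sample rows are copied from Table 3-1; the function names, the `Entry` record and the cell-splitting rule are this example's own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Severity bands IPA applies to the CVSS Base Score, as stated in the report:
# Level I (Low) 0.0-3.9, Level II (Medium) 4.0-6.9, Level III (High) 7.0-10.0.
def severity_level(base_score: float) -> str:
    """Map a CVSS Base Score to the JVN iPedia severity level I, II or III."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS Base Score out of range: {base_score}")
    if base_score >= 7.0:
        return "III"
    if base_score >= 4.0:
        return "II"
    return "I"


@dataclass
class Entry:
    """One row of an access-ranking table (record layout assumed for this example)."""
    rank: int
    jvndb_id: str
    title: str
    base_score: float
    published: str  # YYYY/M/D exactly as printed in the report


JVNDB_ID_RE = re.compile(r"^JVNDB-\d{4}-\d{6}$")


def split_cells(line: str) -> List[str]:
    """Split a pipe-delimited row; tolerates both '|a||b|' and '| a | b |' layouts."""
    return [c.strip() for c in line.strip().strip("|").split("|") if c.strip()]


def parse_row(line: str) -> Entry:
    """Parse one data row: rank, JVNDB id, title, CVSS Base Score, published date."""
    cells = split_cells(line)
    if len(cells) != 5:
        raise ValueError(f"expected 5 cells, got {len(cells)}: {line!r}")
    rank, jvndb_id, title, score, published = cells
    if not JVNDB_ID_RE.match(jvndb_id):
        raise ValueError(f"not a JVNDB identifier: {jvndb_id}")
    return Entry(int(rank), jvndb_id, title, float(score), published)


def parse_table(text: str) -> List[Entry]:
    """Parse all data rows; header and separator rows (non-numeric first cell) are skipped."""
    entries = []
    for line in text.splitlines():
        cells = split_cells(line)
        if not cells or not cells[0].isdigit():
            continue
        entries.append(parse_row(line))
    return entries


def severity_summary(entries: List[Entry]) -> Dict[str, int]:
    """Count entries per level and the rounded percentage at level II or higher."""
    counts = Counter(severity_level(e.base_score) for e in entries)
    total = len(entries)
    ii_or_higher = counts["II"] + counts["III"]
    return {
        "total": total,
        "I": counts["I"],
        "II": counts["II"],
        "III": counts["III"],
        "level_ii_or_higher_pct": round(100 * ii_or_higher / total) if total else 0,
    }


# Sample input: six rows copied from Table 3-1 of the report, in the flattened layout
# of the extracted page (a constructed subset, not the full table).
SAMPLE_ROWS = """\
|1||JVNDB-2013-003253||Android Arbitrary Code Execution Vulnerability||9.3||2013/7/11|
|2||JVNDB-2013-000085||VMware ESX and ESXi Vulnerable to Buffer Overflow||7.5||2013/9/6|
|4||JVNDB-2012-001258||HTTPOnly Cookies Information Disclosure Vulnerability in protocol.c in Apache HTTP Server||4.3||2012/2/1|
|10||JVNDB-2013-000087||Multiple Broadband Routers May Behave as Open Resolvers||5.0||2013/9/19|
|16||JVNDB-2013-000075||docomo Overseas Usage Application Vulnerability in the Connection Process||3.3||2013/8/7|
|18||JVNDB-2013-003441||Apache Struts Arbitrary OGNL Code Execution Vulnerability||9.3||2013/7/19|
"""

if __name__ == "__main__":
    entries = parse_table(SAMPLE_ROWS)
    for e in entries:
        print(f"{e.jvndb_id}  {e.base_score:>4}  level {severity_level(e.base_score):<3} {e.title}")
    print(severity_summary(entries))
```

Feeding all 20 rows of Table 3-1 to `parse_table` gives the severity distribution of the quarter's most-accessed entries in the same way; the boundary values 3.9/4.0 and 6.9/7.0 are where the banding decisions are made, so they are the cases worth checking when the thresholds are edited.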
Note 1) Color Code for CVSS Base Score and Severity Level

| CVSS Base Score | Severity Level |
|---|---|
| 0.0-3.9 | I (Low) |
| 4.0-6.9 | II (Medium) |
| 7.0-10.0 | III (High) |

Note 2) Color Code for Published Date

| Published in 2011 and before | Published in 2012 | Published in 2013 |
|---|---|---|
(*1) Japan Vulnerability Notes. A portal for vulnerability countermeasure information that provides information on vendor responses to reported vulnerabilities and on security support. Operated jointly by IPA and JPCERT/CC.
(*2) National Vulnerability Database. A vulnerability database operated by NIST.
(*3) National Institute of Standards and Technology. A U.S. federal agency that develops and promotes measurement, standards and technology.
(*8) Common Vulnerability Scoring System (CVSS)
http://www.ipa.go.jp/security/vuln/CVSS.html (in Japanese)
Severity is rated in three levels based on the CVSS Base Score. The higher the number, the higher the severity.
- Level III: A threat that could allow complete remote control over the targeted system or lead to disclosure of a major part of its information.
- Level II: A threat that could lead to disclosure of part of the information or to denial of service.
- Level I: A situation where the conditions required to execute an attack are complicated, or where the threat would fall under Level II but is very unlikely to occur.
(*9) Common Weakness Enumeration.
http://www.ipa.go.jp/security/vuln/CWE.html (in Japanese)
(*11) Hands-on vulnerability learning and experiencing tool "AppGoat"
http://www.ipa.go.jp/security/vuln/appgoat/index.html (in Japanese)
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)