
Vulnerabilities have Registration Numbers like Humans?

Apr 11, 2022

Author: Jisu Park | CEO

This article discusses security topics that every developer should be aware of. We can learn about the details of vulnerabilities, the vulnerable software, and their severity through CVE. Let's explore how to safely manage services by subscribing to CVEs with specific keywords!


Vulnerabilities and Exploits


The first concepts to understand are vulnerability and exploit. Being vulnerable and being exploitable are not the same thing, so let's look at how the two differ.


A vulnerability is a flaw or weakness in a program that would allow an unauthorized attacker to perform actions they should not be able to. An exploit, by contrast, is the act of actually carrying out those unauthorized actions by taking advantage of a vulnerability. In other words, the following relationship holds.


The relationship between vulnerabilities and exploits


For example, an attacker may gain access rights or launch a denial-of-service (DoS) attack through an exploit that uses a software vulnerability to perform unauthorized actions.



The Resident Registration Number for Vulnerabilities: CVE


In South Korea, the resident registration number system is used to clearly distinguish individuals' identities. This not only facilitates large-scale administrative tasks but also helps identify the identities of crime victims or accident victims. Similarly, there is something that serves as a resident registration number for vulnerabilities, and that is CVE.


CVE stands for Common Vulnerabilities and Exposures, that is, information about publicly disclosed information-security vulnerabilities and exposures. Before CVE was introduced, each country, organization, and company managed vulnerabilities under its own scheme, which led to inconsistent naming and frequent confusion.


Consequently, MITRE, a nonprofit organization in the United States, devised CVE to manage software vulnerabilities effectively and systematically. CVE data was later fed into the National Vulnerability Database (NVD) operated by the National Institute of Standards and Technology (NIST), and both remain in wide use today.


CVE issues a unique identification number for each reported vulnerability that could be exploited; the report is analyzed by security experts, and if it is approved, the vulnerability is added to the CVE list. Each CVE entry has a detailed page with a description of the vulnerability, its severity, references, and so on. CVE identification numbers are assigned according to the following rules.


Rules for CVE identification numbers


You can search for and verify actual CVE information on the following site.
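The identifier rules above, and the keyword subscription mentioned in the introduction, are easy to get wrong in scripts because IDs copied from web pages often carry typographic dashes instead of hyphens. The following Python is an added example written for this article, not code from CVE, NVD or MITRE: it parses and canonicalises CVE identifiers (the format CVE-year-sequence with a four-digit year and a sequence of at least four digits is the real rule; the dash normalisation is my own tolerance), extracts IDs from free text, and filters a constructed feed by keyword and minimum score. The `SAMPLE_FEED` records and the `CVE-2999-*` IDs are placeholders I constructed; only the first record restates what this article says about CVE-2018-10299.

```python
import re
from dataclasses import dataclass

# CVE IDs have the form CVE-<4-digit year>-<sequence>; the sequence has at least four
# digits and, since the 2014 syntax change, may be longer (CVE-2014-1234567 is valid).
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# Web pages and editors often replace the hyphens with en/em dashes (this article's own
# text renders the ID as CVE-2018–10299), so normalise dashes before matching.
_DASHES = str.maketrans({"\u2013": "-", "\u2014": "-", "\u2212": "-"})


@dataclass(frozen=True)
class CveId:
    year: int
    sequence: int

    def __str__(self) -> str:
        # Canonical form: sequence zero-padded to at least four digits.
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(text: str) -> CveId:
    """Parse one CVE identifier, tolerating typographic dashes, whitespace and lower case."""
    cleaned = text.strip().translate(_DASHES).upper()
    m = CVE_ID_RE.match(cleaned)
    if not m:
        raise ValueError(f"not a CVE identifier: {text!r}")
    return CveId(year=int(m.group(1)), sequence=int(m.group(2)))


def find_cve_ids(text: str) -> list[str]:
    """Extract every CVE identifier mentioned in free text (advisories, changelogs, tickets)."""
    cleaned = text.translate(_DASHES)
    found = re.findall(r"\bCVE-\d{4}-\d{4,}\b", cleaned, flags=re.IGNORECASE)
    return [str(parse_cve_id(t)) for t in found]


# Constructed sample feed in the shape of a vulnerability-database entry (id, summary,
# base score). The first entry restates what the article says about CVE-2018-10299; the
# CVE-2999-* entries are placeholders, not real CVEs.
SAMPLE_FEED = [
    {"id": "CVE-2018–10299", "score": 7.5,
     "summary": "Integer overflow in the batchTransfer function of an ERC-20 token contract (batchOverflow)"},
    {"id": "cve-2999-0001", "score": 5.3,
     "summary": "Placeholder: denial of service in a hypothetical Solidity token contract"},
    {"id": "CVE-2999-0002", "score": 4.3,
     "summary": "Placeholder: information disclosure in a hypothetical HTTP server"},
]


def subscribe(feed: list[dict], keywords: list[str], min_score: float = 0.0) -> list[dict]:
    """Return feed entries whose summary mentions any keyword (case-insensitive) and whose
    score meets min_score, with IDs canonicalised and the highest score first."""
    wanted = [k.lower() for k in keywords]
    hits = []
    for rec in feed:
        summary = rec["summary"].lower()
        if rec["score"] >= min_score and any(k in summary for k in wanted):
            hits.append({**rec, "id": str(parse_cve_id(rec["id"]))})
    return sorted(hits, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    # Example subscription: ERC-20 and Solidity issues scoring at least 5.0.
    for rec in subscribe(SAMPLE_FEED, ["erc-20", "solidity"], min_score=5.0):
        print(rec["id"], rec["score"], rec["summary"])
```

Canonicalising before comparison matters for deduplication: without it, `CVE-2018–10299` and `cve-2018-10299` would be tracked as two different items.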



Understanding CVE through the batchOverflow Vulnerability


Let's take a famous smart contract vulnerability, batchOverflow, as an example. If you search for the keyword batchOverflow at the link above, the result is the vulnerability CVE-2018-10299. Opening the vulnerability page shows a display like this.


The vulnerability CVE-2018-10299, known as batchOverflow


Because the CVE system classifies a vulnerability that goes by many names, such as batchOverflow, BatchOverflow, or simply integer overflow, under one identifier, it can be referred to unambiguously as CVE-2018-10299.


Additionally, the Current Description section describes the vulnerability, and the Impact section gives its severity level. Here, severity is calculated from the likelihood of occurrence and the degree of impact, following OWASP's risk rating methodology.


OWASP's risk rating methodology
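To make the likelihood-times-impact idea concrete, here is an added Python example (my own code, not OWASP's or any database's tooling) that implements the OWASP Risk Rating Methodology as published: each likelihood and impact factor is scored 0 to 9, the factor scores are averaged, the averages are banded into LOW (below 3), MEDIUM (3 to below 6) and HIGH (6 and above), and the two bands are combined through OWASP's overall-severity matrix. The `SAMPLE_LIKELIHOOD` and `SAMPLE_IMPACT` factor scores are values I constructed for illustration, not an official rating of any CVE.

```python
from statistics import mean

# Factor names follow the OWASP Risk Rating Methodology; every factor is scored 0-9.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",              # threat agent factors
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",  # vulnerability factors
)
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity", "loss_of_availability", "loss_of_accountability",  # technical
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",  # business
)

# OWASP overall severity, indexed by (likelihood level, impact level).
SEVERITY_MATRIX = {
    ("LOW", "LOW"): "Note",     ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",   ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium",  ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}


def level(score: float) -> str:
    """Band a 0-9 likelihood or impact average: <3 LOW, 3 to <6 MEDIUM, >=6 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def _average(scores: dict, expected: tuple) -> float:
    """Validate that every expected factor is present and within 0-9, then average them."""
    missing = set(expected) - scores.keys()
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    for name in expected:
        if not 0 <= scores[name] <= 9:
            raise ValueError(f"factor {name} must be scored 0-9, got {scores[name]}")
    return mean(scores[name] for name in expected)


def rate_risk(likelihood: dict, impact: dict) -> dict:
    """Compute OWASP likelihood, impact and overall severity from per-factor scores."""
    l_avg = _average(likelihood, LIKELIHOOD_FACTORS)
    i_avg = _average(impact, IMPACT_FACTORS)
    l_lvl, i_lvl = level(l_avg), level(i_avg)
    return {
        "likelihood": l_avg, "likelihood_level": l_lvl,
        "impact": i_avg, "impact_level": i_lvl,
        "severity": SEVERITY_MATRIX[(l_lvl, i_lvl)],
    }


# Constructed illustrative scores for an integer-overflow bug in a token contract:
# easy to trigger by anyone (high likelihood), serious integrity and financial damage
# but little confidentiality loss (medium impact overall). Not an official rating.
SAMPLE_LIKELIHOOD = {
    "skill_level": 5, "motive": 9, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 9, "awareness": 9, "intrusion_detection": 8,
}
SAMPLE_IMPACT = {
    "loss_of_confidentiality": 2, "loss_of_integrity": 9, "loss_of_availability": 5,
    "loss_of_accountability": 7, "financial_damage": 6, "reputation_damage": 7,
    "non_compliance": 4, "privacy_violation": 3,
}

if __name__ == "__main__":
    print(rate_risk(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT))
```

Note that the two averages are banded independently before the matrix lookup, so a vulnerability with a HIGH likelihood and a MEDIUM impact lands in the same "High" cell as one with MEDIUM likelihood and HIGH impact; the method deliberately trades numeric precision for a rating that two reviewers can reproduce.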



Learning More About CVE-2018-10299


Now that we have learned about CVE, let's take a closer look at the vulnerability mentioned above. This vulnerability, also known as batchOverflow, was discovered in a smart contract written in Solidity, one of the Ethereum programming languages. More specifically, it was found in the batchTransfer function, which an ERC-20 token contract implements to send a specified number of tokens to multiple wallets at once.


Like an overflow, a flip counter that goes past 9 rolls over to 0


Users calling the batchTransfer function specify the token amount directly, and depending on that value an overflow can occur that lets them receive an enormous number of tokens. Although there was a condition meant to prevent sending more tokens than the sender held, the overflow caused that condition to be satisfied anyway. The severity of this vulnerability is relatively high at 7.5, and as a result many exchanges halted ERC-20 token trading for extensive inspections.


Poloniex paused trading of ERC-20 tokens


Therefore, one should always pay close attention to whether an overflow or underflow can occur when performing arithmetic in smart contracts. Another approach is to use the SafeMath library from openzeppelin-solidity, the open-source project maintained by OpenZeppelin. However, since every arithmetic operation must then be checked for SafeMath usage, it is advisable to entrust the code audit process to a company specializing in vulnerability verification.
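The two paragraphs above describe the bug (receiver count times amount wrapping past 2^256 so that the balance check passes) and the fix (SafeMath-style checked arithmetic). The following Python is an added example written for this article, not the affected contract's code and not OpenZeppelin's library: it models 256-bit wraparound, reimplements the SafeMath `mul` and `add` checks as exceptions standing in for a revert, and runs a simplified `batch_transfer` (my own reconstruction of the pattern described, with constructed account names and balances) once with unchecked and once with checked multiplication. `supply_is_conserved` is the invariant an auditor would assert in tests: transfers move tokens but must never create them.

```python
UINT256_MAX = 2**256 - 1


def unchecked_mul(a: int, b: int) -> int:
    """Multiplication as Solidity before 0.8 performed it: the product wraps modulo 2**256."""
    return (a * b) & UINT256_MAX


def checked_mul(a: int, b: int) -> int:
    """SafeMath-style mul: dividing the product back must recover the operand; otherwise
    the product wrapped and the transaction is reverted (modelled here as an exception)."""
    if a == 0:
        return 0
    c = (a * b) & UINT256_MAX
    if c // a != b:
        raise ArithmeticError("multiplication overflow")
    return c


def checked_add(a: int, b: int) -> int:
    """SafeMath-style add: a wrapped sum is smaller than the first operand."""
    c = (a + b) & UINT256_MAX
    if c < a:
        raise ArithmeticError("addition overflow")
    return c


class Token:
    """Minimal ERC-20-like ledger (constructed model, not a real contract). The multiplication
    used to compute the total outgoing amount is injectable so both variants can be compared."""

    def __init__(self, balances: dict):
        self.balances = dict(balances)
        self.total_supply = sum(balances.values())

    def batch_transfer(self, sender: str, receivers: list, value: int, mul=checked_mul) -> int:
        cnt = len(receivers)
        if not 0 < cnt <= 20:
            raise ValueError("receiver count must be between 1 and 20")
        amount = mul(cnt, value)  # the multiplication where the overflow lived
        # The balance check is sound only if `amount` did not wrap.
        if not (value > 0 and self.balances.get(sender, 0) >= amount):
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        for r in receivers:
            self.balances[r] = checked_add(self.balances.get(r, 0), value)
        return amount

    def supply_is_conserved(self) -> bool:
        """Audit invariant: the sum of all balances never changes through transfers."""
        return sum(self.balances.values()) == self.total_supply


if __name__ == "__main__":
    # Constructed scenario: a single holder and a huge per-receiver value that wraps.
    ledger = Token({"alice": 100})
    ledger.batch_transfer("alice", ["bob", "carol"], 2**255, mul=unchecked_mul)
    print("supply conserved with unchecked mul:", ledger.supply_is_conserved())  # False

    ledger = Token({"alice": 100})
    try:
        ledger.batch_transfer("alice", ["bob", "carol"], 2**255)  # checked_mul is the default
    except ArithmeticError as exc:
        print("checked mul reverted:", exc)
    print("supply conserved with checked mul:", ledger.supply_is_conserved())  # True
```

The supply-conservation check is the useful takeaway for reviewers: rather than inspecting every arithmetic expression by eye, a property test that sums all balances after each state change catches this whole class of bug regardless of where the wrap occurs. Solidity 0.8 and later perform checked arithmetic by default, so the explicit SafeMath pattern matters chiefly for contracts compiled with older versions.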


Need more detailed information or a code audit? Join us at SOOHO.IO!



