The 0-days, these uncorrected flaws.
In the official journal of March 21, 2021, new French translations have appeared with some gems like:
- backdoor / trapdoor, translated as "software poterne" 😱 although the expression porte dérobée is already in use and understandable, but let's move on...;
- zero-day / zero-day flaw / zero-day vulnerability, translated as "uncorrected flaw", which for me is a mistake and changes the meaning (read to the end before protesting 😉).
The origin
Without rewriting the rather complete Wikipedia article https://en.wikipedia.org/wiki/Zero-day_(computing), here are some additions.
Zero day, or 0-day, originally comes from the Warez (1) of the 90s and 2000s, an activity that consisted (2) of obtaining closed and/or paid software (games, ROMs, movies, music...), unlocking it ("cracking" it) and then distributing it over various channels (BBS, DCC on IRC, newsgroups, FTP or FXP dumps...), either for money, in exchange for other software or for private access to other dumps, or for free. Former member of Undernuke, MJ13, Les Foqs, Post Scriptum, Alliance-Team, #Hamac, #Princess, #warez-france, #warez-humour, CdC BO2K team and Paradox, if you are reading this: kisses 😘.
When a piece of software (or a game, a movie, you get the idea) was illegally released, even before its public and/or commercial release, it was called "Zero Day": it was released zero days after its release (this sentence is strange 😉). In France, we also used to talk about "fresh".
The "0" of 0-day is opposed to the "n" of n-days, describing a content published n days after its public release.
Zero-day in security
The term migrated from Warez to computer security (cybersecurity today), where it describes the freshness of a vulnerability. I'm talking about the vulnerability, but the term 0-day often also implies having the exploit code for that vulnerability, which makes it possible to compromise the software in question.
A so-called 0-day vulnerability is therefore a bug with a security impact (a flaw), discovered in software (3) and known only to the discoverer and to a limited circle of people or entities with whom he shared it (no, I'm not going to talk about bug collisions, that's another subject). In general, the software publisher is not among the people who know about it.
To make it very very simple: if there are no security patches, it is a 0-day.
When a security expert says "I have a WordPress 0-day", understand "I know (or someone gave me) a vulnerability and the associated exploit code, affecting the WordPress software and not known to the vendor, or known to the vendor but without a patch available at this time".
The details of the definition are debatable, but in general, once a security patch is released by the vendor, the vulnerability is no longer considered a 0-day but an n-day.
There is a 0-day market, with several buy/sell programs publishing their prices publicly, like Zerodium (ex-Vupen), Exodus Intelligence... and also an n-day market, with Exodus Intelligence and others. There are of course several French companies that specialize in this field but, not finding this information on their websites, I prefer not to name them 😉.
Eroded?
Let me immediately stop those who will bring up the "eroded": a misunderstanding by an editor of the Russian propaganda site Sputnik who, during a telephone interview, understood "the eroded" (the-zero-days) instead of "zero-days" 🤦‍♂️:
"There is no reason to think that the "eroded", these famous computer flaws, used by insider hackers, exist"
https://fr.sputniknews.com/france/201703081030371219-france-vote-electronique-opinion/
Unpatched flaw, according to Légifrance
When Légifrance translates 0-day as "uncorrected flaw, uncorrected vulnerability", it changes the meaning, or at least leaves room for the interpretation that the flaw is uncorrected because a patch is available but has not been deployed.
The devil is always in the details, so I have to moderate my statement because the full text speaks of "A vulnerability identified by users of a computer system, for which there is no fix yet" which seems to me more accurate.
Fun fact and extended definition
To go into the subtleties of 0-day, there are in fact several categories:
- Vulnerabilities affecting software (3) known, monitored and referenced by the major organizations overseeing cybersecurity (such as NIST): Windows, Apple iOS, Google Chrome, all Cisco products, Oracle ... for the best known. Depending on how you count, there are around one million software products monitored. These vulnerabilities are referenced by identifiers, the famous "CVEs", such as CVE-2021-27078 affecting Exchange or the CNNVDs (Chinese CVEs), such as CNVD-2021-14770 (corresponding to CVE-2021-27078);
- Vulnerabilities affecting little-known, unmonitored or unreferenced software and whose vulnerabilities are not referenced;
- Vulnerabilities affecting software developed specifically for companies and whose vulnerabilities are not referenced.
Generally (again 😉), when people talk about 0-days, they mean the first category and sometimes the second. By the way, a few years ago, I interviewed to join a team and one of the managers asked me "have you ever found any 0-days?" (Team manager 1, if you recognize yourself 😉).
To which I answered: no, but without being able to go into detail, because I was thinking mainly about the first category, whereas I/we find 0-day vulnerabilities every week on unmonitored or specifically developed products.
Why all this?
Simply because it is important to define things well and to share a common vocabulary in order to deal with very technical and critical issues like 0-days.
A real 0-day will not be treated like a known vulnerability with a patch not yet deployed.
(1) yes, I always said "the warez", some say "the warez". I'm waiting for the French academy to decide, like for the covid 😉
(2) and it is still going on!
(3) I'm talking about software in a broad sense because, in the end, everything is software: Windows is software, an iPhone is software, a washing machine is software that runs on specific hardware, ASICs are software in the form of integrated/printed circuits (yes, I'm stretching the model a bit but it's not far from being true)...