Below are the CVE Initiative’s definitions of the terms "Vulnerability" and "Exposure":
An information security "vulnerability" is a mistake in software that can be directly used by a hacker to gain access to a system or network.
CVE considers a mistake a vulnerability if it allows an attacker to use it to violate a reasonable security policy for that system (this excludes entirely "open" security policies in which all users are trusted, or where there is no consideration of risk to the system).
For CVE, a vulnerability is a state in a computing system (or set of systems) that either:
- allows an attacker to execute commands as another user
- allows an attacker to access data that is contrary to the specified access restrictions for that data
- allows an attacker to pose as another entity
- allows an attacker to conduct a denial of service
Examples of vulnerabilities include:
- phf (remote command execution as user "nobody")
- rpc.ttdbserverd (remote command execution as root)
- world-writeable password file (modification of system-critical data)
- default password (remote command execution or other access)
- denial of service problems that allow an attacker to cause a Blue Screen of Death
- smurf (denial of service by flooding a network)
Review vulnerabilities on the Common Vulnerabilities
and Exposures (CVE) List.
An information security "exposure" is a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network.
CVE considers a configuration issue or a mistake an exposure if it does not directly allow compromise but could be an important component of a successful attack, and is a violation of a reasonable security policy.
An "exposure" describes a state in a computing system (or set of systems) that is not a vulnerability, but either:
- allows an attacker to conduct information gathering activities
- allows an attacker to hide activities
- includes a capability that behaves as expected, but can be easily compromised
- is a primary point of entry that an attacker may attempt to use to gain access to the system or data
- is considered a problem according to some reasonable security policy
Examples of exposures include:
- running services such as finger (useful for information gathering, though it works as advertised)
- inappropriate settings for Windows NT auditing policies (where "inappropriate" is enterprise-specific)
- running services that are common attack points (e.g., HTTP, FTP, or SMTP)
- use of applications or services that can be successfully attacked by brute force methods (e.g., use of trivially broken encryption, or a small key space)
Review exposures on the Common Configuration
Enumeration (CCE) List.