CAS-002 Question #625: Real Exam Question with Answer & Explanation

The correct answer is B: The company's custom code was not patched. When patching extensible software, only the vendor's core components are covered - custom code and third-party plug-ins remain unpatched and can leave exploitable vulnerabilities.

Question

An extensible commercial software system was upgraded to the next minor release version to patch a security vulnerability. After the upgrade, an unauthorized intrusion into the system was detected. The software vendor is called in to troubleshoot the issue and reports that all core components were updated properly. Which of the following has been overlooked in securing the system? (Select TWO).

Options

  • A. The company's IDS signatures were not updated.
  • B. The company's custom code was not patched.
  • C. The patch caused the system to revert to HTTP.
  • D. The software patch was not cryptographically signed.
  • E. The wrong version of the patch was used.
  • F. Third-party plug-ins were not patched.

Explanation

When patching extensible software, only the vendor's core components are covered - custom code and third-party plug-ins remain unpatched and can leave exploitable vulnerabilities.

Common mistakes.

  • A. IDS signature updates are a separate operational task and would not cause an intrusion by themselves - they relate to detection, not the exploited vulnerability.
  • C. A minor version patch reverting the system to HTTP is not a documented or expected side effect and is not supported by the scenario.
  • D. Cryptographic signing of the patch verifies authenticity but has no bearing on whether extensible components outside the core were addressed.
  • E. Using the wrong patch version would be identified by the vendor during troubleshooting; the vendor confirmed core components were updated correctly.

Concept tested. Patch management for extensible software and third-party components

Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r4.pdf
