CVSS v2 Vulnerability Metrics

Questions and Answers

What does a CVSS v2 Access Vector of 'Local (L)' indicate?

  • The attack can be performed remotely over the internet.
  • The attack requires no access at all.
  • The attack requires physical access to the system. (correct)
  • The attack is possible within the same network segment, but not remotely.

Which CVSS v2 Access Vector (AV) value has the highest point value?

  • Local (L)
  • Network (N) (correct)
  • Adjacent Network (A)
  • Multiple (M)

What does 'Access Complexity (AC)' describe in CVSS v2?

  • The conditions required to exploit the vulnerability. (correct)
  • The level of authentication required to exploit the vulnerability.
  • The network location of the vulnerability.
  • The type of data exposed by the vulnerability.

Which CVSS v2 Authentication (Au) value indicates that no authentication is required to exploit a vulnerability?

  • None (N) (D)

What does a CVSS v2 Confidentiality (C) value of 'Complete (C)' signify?

  • All sensitive data is exposed. (B)

Which CVSS v2 metric measures unauthorized modification of data?

  • Integrity (D)

What does a CVSS v2 Integrity (I) value of Partial (P) indicate?

  • Some data can be modified. (C)

Which Access Complexity (AC) value represents the easiest exploit scenario?

  • Low (L) (D)

What Attack Vector does the Dirty COW vulnerability exploit?

  • Local (D)

What is the severity of the Dirty COW vulnerability according to its CVSS score?

  • High (D)

What type of system was targeted by the EternalBlue exploit?

  • Windows SMB v1 (A)

What CVSS Attack Complexity is associated with the EternalBlue vulnerability?

  • Low (C)

Which of the following is a characteristic of the EternalBlue exploit?

  • Can be exploited remotely (A)

What is the final CVSS score for EternalBlue?

  • 10.0 (B)

Which ransomware attack utilized the EternalBlue exploit?

  • WannaCry (D)

What is the main implication of a 'Changed' scope in CVSS v3.1, as seen in the EternalBlue vulnerability?

  • Other systems can be affected. (D)

Which metric value contributes to a higher Exploitability score in CVSS v3.1 for EternalBlue?

  • Network Attack Vector (B)

In the CVSS v3.1 formula, what does the Impact sub-score calculation represent?

  • The potential consequences to confidentiality, integrity, and availability. (B)

What does a 'Complete' Availability (A) value signify in CVSS v3.1?

  • The system is completely down. (B)

What does a 'Partial' Availability (A) value signify in CVSS v3.1?

  • Performance degradation. (B)

What does a 'None' Availability (A) value signify in CVSS v3.1?

  • No impact on the system. (D)

Which Attack Vector (AV) requires physical access to exploit?

  • Physical (P) (B)

Which Attack Vector (AV) can be performed remotely?

  • Network (N) (B)

What does a Low (L) Attack Complexity (AC) mean?

  • The exploit is easy to perform. (B)

If Scope is Unchanged (U) and Privileges Required (PR) is High (H), what level of access is needed?

  • Admin/root access. (B)

What does User Interaction (UI) being Required (R) mean?

  • Requires user action. (D)

What does an Attack Vector (AV) of Adjacent Network (A) mean?

  • Attack is possible only within the same network. (D)

What does 'Confidentiality: High (H)' mean in the context of CVSS?

  • Full data exposure. (B)

What does 'Integrity: High (H)' mean in the context of CVSS?

  • Full control over data. (A)

In the CVSS v3.1 formula, what does a higher score indicate?

  • More severe vulnerability (B)

What is the final CVSS score for Log4Shell (CVE-2021-44228)?

  • 10.0 (Critical) (A)

Flashcards

CVSSv2 Access Vector: Local (L)

Attack requires physical access to the system.

CVSSv2 Access Vector: Adjacent Network (A)

Attack is possible within the same network segment.

CVSSv2 Access Vector: Network (N)

Attack can be performed remotely over the internet.

CVSSv2 Access Complexity: High (H)

Exploit requires special or hard to meet conditions.

CVSSv2 Access Complexity: Medium (M)

Exploit is somewhat difficult but possible under normal conditions.

CVSSv2 Access Complexity: Low (L)

Exploit is easy to execute.

CVSSv2 Authentication: None (N)

Requires no authentication to exploit.

CVSSv2 Confidentiality: Complete (C)

All sensitive data is exposed due to vulnerability.

Availability (A) - None (N)

No impact on system availability.

Availability (A) - Partial (P)

Performance degradation, but the system remains online.

Availability (A) - Complete (C)

The system is completely down and unavailable.

Attack Vector (AV) - Physical (P)

Requires physical access to the system.

Attack Vector (AV) - Local (L)

Attack requires local access to the system.

Attack Vector (AV) - Adjacent Network (A)

Attack is possible within the same network.

Attack Vector (AV) - Network (N)

Attack can be performed remotely.

Attack Complexity (AC) - High (H)

Exploit requires specific conditions.

Attack Complexity (AC) - Low (L)

Exploit is easy to perform.

Privileges Required (PR) - High (H) - Unchanged Scope (U)

Requires admin/root access (unchanged scope).

User Interaction (UI) - Required (R)

Requires user interaction to succeed.

Confidentiality (C) - None (N)

No data exposure from the vulnerability.

What is the CVSS v3.1 score of Log4Shell?

Full CVSS v3.1 score for Log4Shell.

Dirty COW

A privilege escalation vulnerability in the Linux kernel.

Log4Shell

Allows remote code execution by logging a crafted string.

CVSS v3.1 Attack Vector: Local (L)

Requires access to the local system.

CVSS v3.1 Attack Complexity: Low (L)

No special conditions are required to exploit.

CVSS v3.1 Privileges Required: Low (L)

Requires basic user-level access to exploit.

CVSS v3.1 User Interaction: None (N)

Exploit works without any user intervention.

CVSS v3.1 Scope: Changed (C)

Vulnerability affects resources beyond the attacker's control.

CVSS v3.1 Confidentiality: High (H)

Attacker gains complete control over the system.

CVSS v3.1 Integrity: High (H)

Attacker can modify any system files or data.

CVSS v3.1 Availability: High (H)

System becomes completely unusable due to the attack.

EternalBlue (CVE-2017-0144)

Remote exploit in Windows SMBv1; used by WannaCry.

CVSS v3.1 Privileges Required: None (N)

No authentication is needed to exploit the vulnerability.

Study Notes

CVSS v2 Base Metrics

  • Access Vector (AV) values indicate how an attacker can access the system.
    • Local (L) access requires system access (0.395 points), such as malware via USB.
    • Adjacent Network (A) access is within the same network segment (0.646 points), like ARP spoofing on Wi-Fi.
    • Network (N) access is remote (1.0 point), such as RCE in a web server.
  • Access Complexity (AC) describes the difficulty of exploitation.
    • High (H) complexity requires special conditions (0.35 points), like specific software versions.
    • Medium (M) complexity is somewhat difficult under normal conditions (0.61 points), such as SQL Injection.
    • Low (L) complexity is easily executed (0.71 points), like a Metasploit exploit.
  • Authentication (Au) specifies the number of authentications needed.
    • Multiple (M) requires several authentications (0.45 points), like VPN and SSH.
    • Single (S) requires one authentication (0.56 points), like a web admin panel login.
    • None (N) requires no authentication (0.704 points), like an open FTP server.
  • Confidentiality (C) details the data exposure level.
    • None (N) means no data exposure (0.0 points).
    • Partial (P) indicates some data exposure (0.275 points), like leaked usernames.
    • Complete (C) means all sensitive data is exposed (0.660 points), like a full database dump.
  • Integrity (I) specifies the extent of data modification.
    • None (N) means no data modification (0.0 points).
    • Partial (P) indicates some data modification (0.275 points), like low-privilege file edits.
    • Complete (C) means full system control (0.660 points), like root access.
  • Availability (A) indicates the impact on system availability.
    • None (N) means no impact (0.0 points).
    • Partial (P) indicates performance degradation (0.275 points), like a rate-limited DoS.
    • Complete (C) means the system is down (0.660 points), like a DDoS attack.

CVSS v3.1 Base Metrics

  • Attack Vector (AV) specifies how an attacker exploits the vulnerability.
    • Physical (P) requires physical access (0.20 points) via an evil maid attack.
    • Local (L) requires local system access (0.55 points), like malware running as a logged-in user.
    • Adjacent Network (A) is possible only within the same network (0.62 points) via Wi-Fi deauthentication.
    • Network (N) allows remote attacks (0.85 points) via web-based RCE.
  • Attack Complexity (AC) indicates the conditions required to exploit.
    • High (H) requires specific conditions (0.44 points), such as a non-default setting.
    • Low (L) means the exploit is easy to perform (0.77 points), like automated SQL Injection.
  • Privileges Required (PR) indicates the privileges an attacker needs.
    • For Unchanged Scope (U):
      • High (H) requires admin/root access (0.27 points) to exploit a Linux kernel bug.
      • Low (L) requires standard user access (0.62 points) for escalation from user to admin.
      • None (N) requires no privileges (0.85 points) and is exploitable by any attacker.
    • For Changed Scope (C):
      • High (H) affects other components (0.50 points) like a hypervisor escape from a VM.
      • Low (L) needs limited privilege, but affects a broader system (0.68 points) like cloud account hijacking.
      • None (N) needs no privileges (0.85 points) like a zero-click exploit.
  • User Interaction (UI) specifies if user action is needed.
    • Required (R) needs user action (0.62 points) like a malicious email attachment.
    • None (N) needs no user interaction (0.85 points), like a wormable exploit.
  • Confidentiality (C) describes the data exposure.
    • None (N) means no data exposure (0.0 points).
    • Low (L) means some data exposure (0.22 points), like a partial password hash leak.
    • High (H) indicates full data exposure (0.56 points), like a full database dump.
  • Integrity (I) specifies the extent of data modification.
    • None (N) means no data modification (0.0 points).
    • Low (L) means some data modification (0.22 points), like limited file editing.
    • High (H) gives full control over the data (0.56 points), like total system compromise.
  • Availability (A) indicates the impact on system availability.
    • None (N) means no impact (0.0 points).
    • Low (L) causes some performance degradation (0.22 points), like slowdowns from DoS.
    • High (H) means the system is completely down (0.56 points), like a DDoS attack.

CVSS v3.1 Notes

  • CVSS v3.1 has more realistic impact calculations, including Privileges Required (PR) scope changes and User Interaction (UI).
  • Higher point values indicate more severe vulnerabilities.
  • Each component influences the final CVSS score.

Log4j (Log4Shell) - CVE-2021-44228

  • Log4Shell is a Remote Code Execution (RCE) vulnerability in Apache Log4j.
  • Attackers can execute arbitrary code by logging a crafted string.
  • Attackers can exploit Log4Shell remotely with no authentication, gaining full control of affected systems.
  • Attack Vector (AV): Network (N) - Exploitable over the internet (0.85 points).
  • Attack Complexity (AC): Low (L) - No special conditions needed (0.77 points).
  • Privileges Required (PR): None (N) - No authentication needed (0.85 points).
  • User Interaction (UI): None (N) - No user action needed (0.85 points).
  • Scope (S): Changed (C) - Affects components beyond the vulnerable system (1.0).
  • Confidentiality (C): High (H) - Allows full data access (0.56 points).
  • Integrity (I): High (H) - Attacker can modify system files (0.56 points).
  • Availability (A): High (H) - Can crash or take over the system (0.56 points).
  • Impact = 0.911, Exploitability = 4.94, Base Score = 10.0.
  • Log4Shell has a CVSS score of 10.0 (Critical), making it one of the most severe vulnerabilities ever.

Dirty COW - CVE-2016-5195

  • Dirty COW is a Linux kernel privilege escalation vulnerability.
  • It allows a normal user to overwrite read-only files and gain root access.
  • Attack Vector (AV): Local (L) - Needs access to the local system (0.55 points).
  • Attack Complexity (AC): Low (L) - No special conditions are needed (0.77 points).
  • Privileges Required (PR): Low (L) - Needs basic user access (0.62 points).
  • User Interaction (UI): None (N) - Exploit works without user action (0.85 points).
  • Scope (S): Unchanged (U) - Only affects the local system.
  • Confidentiality (C): High (H) - Attacker gets full system access (0.56 points).
  • Integrity (I): High (H) - Attacker can modify all system files (0.56 points).
  • Availability (A): High (H) - System can be completely taken over (0.56 points).
  • Impact = 0.911, Exploitability = 2.23, Base Score = 7.8.
  • Dirty COW has a CVSS score of 7.8 (High Severity) but needs local access.

EternalBlue - CVE-2017-0144

  • EternalBlue is a remote exploit in Windows SMB v1.
  • It enables unauthenticated attackers to run code remotely.
  • EternalBlue was used in WannaCry ransomware and is based on leaked NSA exploits.
  • Attack Vector (AV): Network (N) - Can be exploited remotely (0.85 points).
  • Attack Complexity (AC): Low (L) - No special conditions needed (0.77 points).
  • Privileges Required (PR): None (N) - No authentication needed (0.85 points).
  • User Interaction (UI): None (N) - Doesn't need user action (0.85 points).
  • Scope (S): Changed (C) - Affects other systems via self-propagation (1.0).
  • Confidentiality (C): High (H) - Full system compromise (0.56 points).
  • Integrity (I): High (H) - Allows full data modification (0.56 points).
  • Availability (A): High (H) - Causes total system failure (0.56 points).
  • Impact = 0.911, Exploitability = 4.94, Base Score = 10.0.
  • EternalBlue has a CVSS Score of 10.0 (Critical), which led to major global cyberattacks.

Summary of Exploits

  • Log4Shell: CVSS Score 10.0, Critical.
  • Dirty COW: CVSS Score 7.8, High Severity.
  • EternalBlue: CVSS Score 10.0, Critical.
