Full Transcript


1
- Introduction
- Qualitative Severity Rating Scale
- Base metric group
  - Exploitability Metrics: Attack Vector (AV), Attack Complexity (AC), Attack Requirements (AT), Privileges Required (PR), User Interaction (UI)
  - Impact Metrics: Confidentiality, Integrity, Availability
- Threat Metrics: Exploit Maturity (E)
- Environmental Metrics: Confidentiality, Integrity and Availability Requirements (CR, IR, AR)
- Supplemental Metrics
- Vector String

2 Qualitative Severity Rating Scale

3 Introduction
CVSS stands for the Common Vulnerability Scoring System. CVSS is a method used to supply a qualitative measure of severity: an open framework for communicating the characteristics and severity of software vulnerabilities. Its outputs include numerical scores indicating the severity of a vulnerability relative to other vulnerabilities. It is a way to evaluate and rank reported vulnerabilities in a standardized and repeatable way.

4 Qualitative Severity Rating Scale
CVSS generates a score from 0 to 10 based on the severity of the vulnerability; a vulnerability scored 0 is less significant than one scored 10, the highest. By using CVSS to prioritize vulnerabilities, you can focus on the most critical ones first and reduce the overall risk to your organization.

Rating     CVSS Score
None       0.0
Low        0.1 - 3.9
Medium     4.0 - 6.9
High       7.0 - 8.9
Critical   9.0 - 10.0

5 Metrics

6 Metrics
CVSS consists of four metric groups: Base, Threat, Environmental, and Supplemental.
- Base group: represents the core qualities of a vulnerability that are constant over time and across user environments.
- Threat group: reflects the characteristics of a vulnerability that change over time.

7 Metrics
- Environmental group: represents the characteristics of a vulnerability that are unique to a user's environment.
- Supplemental metrics: do not modify the final score, and are used as additional insight into the characteristics of a vulnerability.
Base metric values produce a score ranging from 0 to 10. To further refine a resulting severity score, Threat and Environmental metrics can then be amended based on applicable threat intelligence and environmental considerations. A CVSS vector string consists of a compressed textual representation of the values used to derive the score.

9 Base metric group

10 Base metric group
It is composed of two sets of metrics: the Exploitability metrics and the Impact metrics.
- Exploitability metrics: reflect the ease and technical means by which the vulnerability can be exploited.
- Impact metrics: reflect the direct consequence of a successful exploit, and represent the consequence to the "things that suffer the impact", which may include impact on the vulnerable system and/or the downstream impact on what is formally called the "subsequent system(s)".

11 Base metric group - Exploitability Metrics (Attack Vector (AV))
Attack Vector (AV) reflects the context by which vulnerability exploitation is possible. This metric value will be larger the more remote (logically and physically) an attacker can be in order to exploit the vulnerable system: the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device.

12 Base metric group - Exploitability Metrics (Attack Vector (AV))
Metric Value / Description
- Network (N): The vulnerable system is bound to the network stack. Often termed "remotely exploitable": the attack is exploitable at the protocol level across one or more routers. Example: an attacker causing a denial of service (DoS) by sending a specially crafted TCP packet across a wide area network.
- Adjacent (A): The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology.
  The attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, Wi-Fi, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain. Example: a flood leading to a denial of service on the local LAN segment.

13 Base metric group - Exploitability Metrics (Attack Vector (AV))
Metric Value / Description
- Local (L): The vulnerable system is not bound to the network stack and the attacker's path is via read/write/execute capabilities. Either:
  - the attacker exploits the vulnerability by accessing the target system locally, or
  - the attacker relies on User Interaction by another person to perform actions (e.g., opening a malicious document).
- Physical (P): The attack requires the attacker to physically touch or manipulate the vulnerable system. Examples include peripheral attacks via FireWire/USB Direct Memory Access (DMA).

14 Base metric group - Exploitability Metrics (Attack Complexity (AC))
Attack Complexity (AC) captures measurable actions that must be taken by the attacker to actively circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization.

15 Base metric group - Exploitability Metrics (Attack Complexity (AC))
Metric Value / Description
- Low (L): The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability.
- High (H): The successful attack depends on the circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include:
  - The attacker must have additional methods available to bypass security measures in place.
  - Obtaining target-specific secrets: the attacker must gather some target-specific secret before the attack can be successful.
    A secret is any piece of information that cannot be obtained through any amount of reconnaissance (e.g., knowledge of a secret key may be needed to break a crypto channel). This operation must be performed for each attacked target.

16 Base metric group - Exploitability Metrics (Attack Requirements (AT))
Attack Requirements (AT) captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies. If the attacker does not take action to overcome these conditions, the attack may succeed only occasionally or not succeed at all.

17 Base metric group - Exploitability Metrics (Attack Requirements (AT))
Metric Value / Description
- None (N): The successful attack does not depend on the deployment and execution conditions of the vulnerable system.
- Present (P): The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack. These include:
  - The attack may need to be launched multiple times against a single target before being successful.
  - Network injection: the attacker must inject themselves into the logical network path between the target and the resource requested by the victim (e.g., vulnerabilities requiring an on-path attacker).

18 Base metric group - Exploitability Metrics (Privileges Required (PR))
Privileges Required (PR) describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The resulting score is greatest if no privileges are required.

19 Base metric group - Exploitability Metrics (Privileges Required (PR))
Metric Value / Description
- None (N): The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
- Low (L): The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
- High (H): The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable system, allowing full access to the vulnerable system's settings and files.

20 Base metric group - Exploitability Metrics (User Interaction (UI))
User Interaction (UI) captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.

21 Base metric group - Exploitability Metrics (User Interaction (UI))
Metric Value / Description
- None (N): The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include:
  - a remote attacker is able to send packets to a target system
  - a locally authenticated attacker executes code to elevate privileges
- Passive (P): Requires limited interaction by the targeted user with the vulnerable system. Examples include:
  - running an application that calls a malicious binary that has been planted on the system
  - using an application which generates traffic over an untrusted or compromised network
- Active (A): Requires a targeted user to perform specific interactions with the vulnerable system. Examples include:
  - importing a file into a vulnerable system in a specific manner
  - placing files into a specific directory prior to executing code
  - submitting a specific string into a web application (e.g.
    reflected or self XSS)

22 Base metric group - Impact Metrics
The Impact metrics capture the effects of a successfully exploited vulnerability. Analysts should constrain impacts to a reasonable, final outcome which they are confident an attacker is able to achieve. Impacts are both to the Vulnerable System and outside of the Vulnerable System. These impacts are established by two sets of impact metrics: "Vulnerable System impact" and "Subsequent System impact".

23 Base metric group - Impact Metrics (Confidentiality (VC/SC))
Confidentiality (VC/SC) measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.

24 Base metric group - Impact Metrics (Confidentiality (VC/SC))
Metric Value / Description
- High (H): There is a total loss of confidentiality, resulting in all information within the Vulnerable System being disclosed to the attacker, or the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or the private encryption keys of a web server.
- Low (L): There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Vulnerable System.
- None (N): There is no loss of confidentiality within the Vulnerable System.

25 Base metric group - Impact Metrics (Integrity (VI/SI))
Integrity (VI/SI): integrity refers to the trustworthiness and veracity of information (the ability to modify it). The resulting score is greatest when the consequence to the system is highest.
26 Base metric group - Impact Metrics (Integrity (VI/SI))
Metric Value / Description
- High (H): There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Vulnerable System, or the malicious modification that is possible would present a direct, serious consequence to the Vulnerable System.
- Low (L): Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System.
- None (N): There is no loss of integrity within the Vulnerable System.

27 Base metric group - Impact Metrics (Availability (VA/SA))
Availability (VA/SA) refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email), since availability refers to the accessibility of information resources. The resulting score is greatest when the consequence to the system is highest.

28 Base metric group - Impact Metrics (Availability (VA/SA))
Metric Value / Description
- High (H): There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Vulnerable System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the loss of availability presents a direct, serious consequence to the Vulnerable System (e.g., the attacker can prevent new connections; the attacker can repeatedly exploit a vulnerability).
- Low (L): The attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, and there is no direct, serious consequence to the Vulnerable System.
- None (N): There is no impact to availability within the Vulnerable System.
29 Threat Metrics

30 Threat Metrics
Threat metrics measure the current state of exploit techniques or code availability for a vulnerability.

31 Threat Metrics (Exploit Maturity (E))
Exploit Maturity (E) measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, "in-the-wild" exploitation. Values: Not Defined (X), Attacked (A), Proof-of-Concept (P) and Unreported (U).

32 Environmental Metrics

33 Environmental Metrics
Environmental metrics enable the consumer analyst to customize the resulting score depending on the importance of the affected IT asset to a user's organization.

34 Environmental Metrics (Confidentiality, Integrity, and Availability Requirements (CR, IR, AR))
Confidentiality, Integrity, and Availability Requirements (CR, IR, AR): these metrics enable the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst's organization, measured in terms of Confidentiality, Integrity, and Availability. Values: Not Defined (X), High (H), Medium (M), and Low (L).

Modified Base Metrics: these metrics enable the consumer analyst to override individual Base metric values based on specific characteristics of a user's environment.
- Modified Attack Vector (MAV)
- Modified Attack Complexity (MAC)
- Modified Attack Requirements (MAT)
- Modified Privileges Required (MPR)
- Modified User Interaction (MUI)
- Modified Vulnerable System Confidentiality (MVC)
- Modified Vulnerable System Integrity (MVI)
- Modified Vulnerable System Availability (MVA)
- Modified Subsequent System Confidentiality (MSC)
- Modified Subsequent System Integrity (MSI)
- Modified Subsequent System Availability (MSA)

35 Supplemental Metrics

36 Supplemental Metrics
A new, optional metric group provides new metrics that describe and measure additional attributes of a vulnerability. This information may be employed differently in each consumer's environment.
No metric in this group will have any impact on the final calculated CVSS score (e.g. CVSS-BTE).
- Safety (S): the degree of impact to the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited. Values: Not Defined (X), Present (P) and Negligible (N).
- Automatable (AU): captures the answer to the question "Can an attacker automate exploitation events for this vulnerability across multiple targets?" Values: Not Defined (X), No (N) and Yes (Y).
- Recovery (R)

37 Vector String

38 Vector String
The CVSS v4.0 vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise and machine-readable form. The CVSS v4.0 vector string begins with the label "CVSS:" and a numeric representation of the current version, "4.0". Metric information follows in the form of a set of metrics, each preceded by a forward slash, "/", acting as a delimiter. Each metric is a metric name in abbreviated form, a colon (":"), and its associated metric value in abbreviated form. Threat, Environmental, and Supplemental metrics are optional. A vector string must not include the same metric more than once.

42 Vector String
For example, a vulnerability with Base metric values of:
- Attack Vector: Network
- Attack Complexity: Low
- Attack Requirements: None
- Privileges Required: High
- User Interaction: None
- Vulnerable System Confidentiality: Low
- Vulnerable System Integrity: Low
- Vulnerable System Availability: None
- no Subsequent System impact (C/I/A), and no specified Threat or Environmental metrics
would produce the following vector:
○ CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
The same example with the addition of Exploit Maturity: Attacked would produce the following vector:
○ CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:A
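As an added example that is not part of the transcript or the slide deck, the Python below implements the vector string rules from slide 38 (the "CVSS:4.0" label, "/"-delimited NAME:VALUE pairs, no metric twice, Base metrics mandatory and the rest optional), checks them against the two example vectors from slide 42, applies the Modified Base metric overrides from slide 34 to produce the effective Base values, and maps a numeric score to the rating table from slide 4. Metric abbreviations and values follow the slides; the values accepted for Recovery (R) and the extra "S" value for MSI/MSA are taken from the CVSS v4.0 specification because the slides do not list them, and the function names are my own.

```python
"""Parse and validate CVSS v4.0 vector strings, apply Environmental
overrides, and map a score to its qualitative rating (added example)."""
from __future__ import annotations

VERSION_PREFIX = "CVSS:4.0"

# Mandatory Base metrics with their abbreviated values (Attack Vector through
# Subsequent System Availability). Sets, so a multi-letter value is rejected.
BASE_METRICS: dict[str, frozenset[str]] = {
    "AV": frozenset("NALP"), "AC": frozenset("LH"), "AT": frozenset("NP"),
    "PR": frozenset("NLH"), "UI": frozenset("NPA"),
    "VC": frozenset("HLN"), "VI": frozenset("HLN"), "VA": frozenset("HLN"),
    "SC": frozenset("HLN"), "SI": frozenset("HLN"), "SA": frozenset("HLN"),
}
# Optional Threat metric: Exploit Maturity.
THREAT_METRICS = {"E": frozenset("XAPU")}
# Optional Environmental metrics: the requirements plus the Modified Base
# metrics. "S" (Safety) for MSI/MSA comes from the v4.0 specification.
ENVIRONMENTAL_METRICS = {
    "CR": frozenset("XHML"), "IR": frozenset("XHML"), "AR": frozenset("XHML"),
    "MAV": frozenset("XNALP"), "MAC": frozenset("XLH"), "MAT": frozenset("XNP"),
    "MPR": frozenset("XNLH"), "MUI": frozenset("XNPA"),
    "MVC": frozenset("XHLN"), "MVI": frozenset("XHLN"), "MVA": frozenset("XHLN"),
    "MSC": frozenset("XHLN"), "MSI": frozenset("XHLNS"), "MSA": frozenset("XHLNS"),
}
# Optional Supplemental metrics named on the slides. Recovery's values
# (Automatic, User, Irrecoverable) are from the v4.0 specification; other
# supplemental metrics the specification defines are not modelled here.
SUPPLEMENTAL_METRICS = {"S": frozenset("XPN"), "AU": frozenset("XNY"), "R": frozenset("XAUI")}

ALL_METRICS = {**BASE_METRICS, **THREAT_METRICS, **ENVIRONMENTAL_METRICS, **SUPPLEMENTAL_METRICS}
# Modified metric -> Base metric it overrides (MAV -> AV, ..., MSA -> SA).
MODIFIED_TO_BASE = {"M" + name: name for name in BASE_METRICS}


def parse_vector(vector: str) -> dict[str, str]:
    """Split a vector string into {metric: value}, enforcing the rules from
    the Vector String slide: version label first, "/"-delimited NAME:VALUE
    pairs, known metrics and values only, no metric twice, Base complete."""
    parts = vector.strip().split("/")
    if parts[0] != VERSION_PREFIX:
        raise ValueError(f"vector must begin with {VERSION_PREFIX!r}, got {parts[0]!r}")
    metrics: dict[str, str] = {}
    for item in parts[1:]:
        name, sep, value = item.partition(":")
        if not sep or not name or not value:
            raise ValueError(f"malformed metric {item!r}")
        if name not in ALL_METRICS:
            raise ValueError(f"unknown metric {name!r}")
        if value not in ALL_METRICS[name]:
            raise ValueError(f"value {value!r} is not valid for {name}")
        if name in metrics:
            raise ValueError(f"metric {name} appears more than once")
        metrics[name] = value
    missing = [name for name in BASE_METRICS if name not in metrics]
    if missing:
        raise ValueError(f"mandatory Base metrics missing: {missing}")
    return metrics


def to_vector_string(metrics: dict[str, str]) -> str:
    """Serialise back to the compressed form: Base metrics first in the
    slides' order, then any optional metrics in the order defined above."""
    ordered = [f"{name}:{metrics[name]}" for name in ALL_METRICS if name in metrics]
    return "/".join([VERSION_PREFIX, *ordered])


def effective_base(metrics: dict[str, str]) -> dict[str, str]:
    """Apply the Modified Base metrics: a Modified value other than
    Not Defined (X) replaces the corresponding Base value."""
    base = {name: metrics[name] for name in BASE_METRICS}
    for modified, name in MODIFIED_TO_BASE.items():
        if metrics.get(modified, "X") != "X":
            base[name] = metrics[modified]
    return base


def qualitative_rating(score: float) -> str:
    """Map a 0.0-10.0 score to the Qualitative Severity Rating Scale."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS scores range from 0.0 to 10.0")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


if __name__ == "__main__":
    # The two vectors from the slides' worked example, plus a constructed
    # Environmental variant that lowers Attack Vector to Local.
    base_only = "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
    print(parse_vector(base_only))
    print(parse_vector(base_only + "/E:A")["E"])
    print(effective_base(parse_vector(base_only + "/MAV:L"))["AV"])
    for score in (0.0, 3.9, 4.0, 8.9, 9.0):
        print(score, qualitative_rating(score))
```

The parser rejects a vector at the first rule it breaks rather than scoring it, which is the behaviour you want when vector strings arrive from scanners or advisories: a malformed or duplicated metric is a data-quality problem to surface, not something to guess around. Score computation itself (the MacroVector lookup) is deliberately left out; the rating function only interprets a score that has already been computed.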
