05-netsec cvss intro · • pci-dss v2 (june 2012) • “risk rankings should be based on industry...
TRANSCRIPT
![Page 1: 05-NetSec CVSS intro · • PCI-DSS v2 (June 2012) • “Risk rankings should be based on industry best practices. For example, criteria for ranking ― High‖riskvulnerabilities](https://reader033.vdocuments.us/reader033/viewer/2022050209/5f5b9a988fb4fe3e0f3af267/html5/thumbnails/1.jpg)
NetworkSecurityAA2015/2016
VulnerabilitymeasurementDr.LucaAllodi
![Page 2: 05-NetSec CVSS intro · • PCI-DSS v2 (June 2012) • “Risk rankings should be based on industry best practices. For example, criteria for ranking ― High‖riskvulnerabilities](https://reader033.vdocuments.us/reader033/viewer/2022050209/5f5b9a988fb4fe3e0f3af267/html5/thumbnails/2.jpg)
Whytogradevulnerabilities?• Centralquestion:
à Howseverearethesecurityproblemsaffectingmysoftwareconfiguration?
• Notallvulnerabilitiesarethesame• XSSvsBoF vsSQLi vsPrivilegeescalationvs…• VulnerabilitycountingcanNOTbeameasureofseverityàWhatisthethreatlevelofyoursystems?à Clientsandusersshouldbeinformedtoo
à Notallusersare“securityexperts”à “ITknowledge”canbeassumed
à Howtomeasurecommunicate asecurityissue?
LucaAllodi- VulnerabilityassessmentwithCVSSv3 2
![Page 3: 05-NetSec CVSS intro · • PCI-DSS v2 (June 2012) • “Risk rankings should be based on industry best practices. For example, criteria for ranking ― High‖riskvulnerabilities](https://reader033.vdocuments.us/reader033/viewer/2022050209/5f5b9a988fb4fe3e0f3af267/html5/thumbnails/3.jpg)
Bestpractice
• ListentotheU.S.Government….• USCyberSecurityOrder(PressreleaseFeb’2013)
• “NISTwillworkcollaborativelywithcriticalinfrastructurestakeholderstodeveloptheframeworkrelyingonexistinginternationalstandards,practices,andproceduresthathaveproventobeeffective”
• U.S.NISTSCAPProtocolv1.2(DraftJan2012)• “OrganizationsshoulduseCVSSbasescorestoassist inprioritizingtheremediationofknownsecurity-relatedsoftwareflawsbasedontherelativeseverityoftheflaws.”
• PCI-DSSv2(June2012)• “Riskrankingsshouldbebasedonindustrybestpractices.Forexample,criteriaforranking―High‖risk vulnerabilitiesmayincludeaCVSSbasescoreof4.0orabove”
• U.S.GovernmentConfigurationBaseline(USGCB)• Supportedbytheindustryà Rapid7,Telos,VmWare,Symantec,Qualys,Retinaetc.etc.
LucaAllodi- VulnerabilityassessmentwithCVSSv3 3
![Page 4: 05-NetSec CVSS intro · • PCI-DSS v2 (June 2012) • “Risk rankings should be based on industry best practices. For example, criteria for ranking ― High‖riskvulnerabilities](https://reader033.vdocuments.us/reader033/viewer/2022050209/5f5b9a988fb4fe3e0f3af267/html5/thumbnails/4.jpg)
TheCommonVulnerabilityScoringSystem• CVSSisanopenframeworkforcommunicatingthecharacteristicsandseverityofsoftwarevulnerabilities.• Goalistohaveasharedsystemofmetricstoanalyzeandmeasurevulnerabilities• Differentusersscorethesamevuln inthesamewayàseverityassessment• Differentpeople“read”thesamevuln andunderstandthesamethingà severitycommunication
LucaAllodi- VulnerabilityassessmentwithCVSSv3 4
![Page 5: 05-NetSec CVSS intro · • PCI-DSS v2 (June 2012) • “Risk rankings should be based on industry best practices. For example, criteria for ranking ― High‖riskvulnerabilities](https://reader033.vdocuments.us/reader033/viewer/2022050209/5f5b9a988fb4fe3e0f3af267/html5/thumbnails/5.jpg)
CVSSv(x)walkthrough• CVSSv(1)introducedbackin2004byFirst.org• Receptionwasgoodbutimplementationwasconfusing• Notpeer-reviewed
• CVSSv(2)workingsstartedin2005,releasedin2007• Peer-reviewed,industryfeedback• Becamestandard-de-facto vulnerabilityscoringsystemintheindustry
• CVSSv(3)workingsstartedin2012,releasedin2015• Buildsontopofv2• Changesthe“scoringphilosophy”• Furthersteptowardaprecisescoringsystem
LucaAllodi- VulnerabilityassessmentwithCVSSv3 5
![Page 6: 05-NetSec CVSS intro · • PCI-DSS v2 (June 2012) • “Risk rankings should be based on industry best practices. For example, criteria for ranking ― High‖riskvulnerabilities](https://reader033.vdocuments.us/reader033/viewer/2022050209/5f5b9a988fb4fe3e0f3af267/html5/thumbnails/6.jpg)
CVSSv3http://www.first.org/cvss/v3/development• CVSSisbasedonthreemetricgroups
LucaAllodi- VulnerabilityassessmentwithCVSSv3 6
![Page 7: 05-NetSec CVSS intro · • PCI-DSS v2 (June 2012) • “Risk rankings should be based on industry best practices. For example, criteria for ranking ― High‖riskvulnerabilities](https://reader033.vdocuments.us/reader033/viewer/2022050209/5f5b9a988fb4fe3e0f3af267/html5/thumbnails/7.jpg)
CVSSBasemetricoverview
• Exploitabilitymetrics• AttackVector• AttackComplexity• UserInteraction• PrivilegesRequired
• Scopemetric• Impactmetrics• Confidentiality• Integrity• Availability
LucaAllodi- VulnerabilityassessmentwithCVSSv3 7
Measuredoverthevulnerablecomponent
Measuredovertheimpactedcomponent
Auth.Authority ofVulnerableComponent=Auth.Authority ofImpactedComponent?
![Page 8: 05-NetSec CVSS intro · • PCI-DSS v2 (June 2012) • “Risk rankings should be based on industry best practices. For example, criteria for ranking ― High‖riskvulnerabilities](https://reader033.vdocuments.us/reader033/viewer/2022050209/5f5b9a988fb4fe3e0f3af267/html5/thumbnails/8.jpg)
Expl.Metrics:AttackVector
• Thismetricreflectsthecontextinwhichthevulnerabilityexploitationoccurs.• Themoreremoteanattacker(ortheattack)canbefromthetarget,thegreaterthevulnerabilityscore.• Possiblevalues:
1. Network:exploitationisboundtothenetworkstack2. AdjacentNetwork:attackerneedstobeinsamesubnet3. Local:attackisnotboundtonetworkstack,butratherto
I/Oonsystem.Insomecases,theattackermaybeloggedinlocallyinordertoexploitthevulnerability,otherwise,shemayrelyonUserInteractiontoexecuteamaliciousfile.
4. Physical:attackermustbephysicallyoperatingoverthevulnerablecomponent
LucaAllodi- VulnerabilityassessmentwithCVSSv3 8
![Page 9: 05-NetSec CVSS intro · • PCI-DSS v2 (June 2012) • “Risk rankings should be based on industry best practices. For example, criteria for ranking ― High‖riskvulnerabilities](https://reader033.vdocuments.us/reader033/viewer/2022050209/5f5b9a988fb4fe3e0f3af267/html5/thumbnails/9.jpg)
Expl.Metrics:AttackComplexity• Thismetricdescribestheconditionsbeyondtheattacker’scontrolthatmustexistinordertoexploitthevulnerability.• Possiblevalues:
1. High:Asuccessfulattackdependsonconditionsoutsidetheattacker'scontrol.Thatis,asuccessfulattackcannotbeaccomplished,butrequirestheattackertoinvestinsomemeasurableamountofeffortinpreparationorexecutionagainstthevulnerablecomponent beforeasuccessfulattackcanbeexpected.
2. Low: Specializedaccessconditionsorextenuatingcircumstancesdonotexist.Anattackercanexpectrepeatableexploitsuccessagainstavulnerabletarget
LucaAllodi- VulnerabilityassessmentwithCVSSv3 9
![Page 10: 05-NetSec CVSS intro · • PCI-DSS v2 (June 2012) • “Risk rankings should be based on industry best practices. For example, criteria for ranking ― High‖riskvulnerabilities](https://reader033.vdocuments.us/reader033/viewer/2022050209/5f5b9a988fb4fe3e0f3af267/html5/thumbnails/10.jpg)
ExamplesforAttackComplexity:High• Forexample,asuccessfulattackmaydependonan
attackerovercominganyofthefollowingconditions:1. Theattackermustconducttarget-specificreconnaissance.For
example,ontargetconfigurationsettings,sequencenumbers,sharedsecrets,etc.
2. Theattackermustpreparethetargetenvironmenttoimproveexploitreliability.Forexample,repeatedexploitation towinaracecondition,orovercomingadvancedexploitmitigationtechniques.
3. Theattackerinjectsherselfintothelogicalnetworkpathbetweenthetargetandtheresourcerequestedbythevictiminordertoreadand/ormodifynetworkcommunications(e.g.maninthemiddleattack).
LucaAllodi- VulnerabilityassessmentwithCVSSv3 10
![Page 11: 05-NetSec CVSS intro · • PCI-DSS v2 (June 2012) • “Risk rankings should be based on industry best practices. For example, criteria for ranking ― High‖riskvulnerabilities](https://reader033.vdocuments.us/reader033/viewer/2022050209/5f5b9a988fb4fe3e0f3af267/html5/thumbnails/11.jpg)
Expl.Metrics:PrivilegesRequired
• Thismetricdescribesthelevelofprivilegesanattackermustpossessbeforesuccessfullyexploitingthevulnerability.• Possiblevalues:
1. High:Theattackerisauthorizedwith(i.e.requires)privilegesthatprovidesignificant(e.g.administrative)controloverthevulnerablecomponentthatcouldaffectcomponent-widesettingsandfiles.
2. Low:Theattackerisauthorizedwith(i.e.requires)privileges thatprovidebasicusercapabilitiesthatcouldnormallyaffectonlysettingsandfilesownedbyauser.Alternatively,anattackerwithLowprivilegesmayhavetheabilitytocauseanimpactonlytonon-sensitive resources.
3. None:Theattackerisunauthorized prior toattack,andthereforedoesnotrequireanyaccesstosettingsorfilestocarryoutanattack.
LucaAllodi- VulnerabilityassessmentwithCVSSv3 11
![Page 12: 05-NetSec CVSS intro · • PCI-DSS v2 (June 2012) • “Risk rankings should be based on industry best practices. For example, criteria for ranking ― High‖riskvulnerabilities](https://reader033.vdocuments.us/reader033/viewer/2022050209/5f5b9a988fb4fe3e0f3af267/html5/thumbnails/12.jpg)
Expl.Metrics:UserInteraction
• Thismetriccapturestherequirementforauser,otherthantheattacker,toparticipateinthesuccessfulcompromisethevulnerablecomponent.• Thismetricdetermineswhetherthevulnerabilitycanbeexploitedsolelyatthewilloftheattacker,orwhetheraseparateuser(oruser-initiatedprocess)mustparticipateinsomemanner.• Possiblevalues:
1. Required:Successfulexploitationofthisvulnerabilityrequiresausertotakesomeactionbeforethevulnerabilitycanbeexploited.Forexample,asuccessfulexploitmayonlybepossible duringtheinstallation ofanapplicationbyasystemadministrator.
2. None: Thevulnerablesystemcanbeexploitedwithoutanyinteractionfromanyuser.
LucaAllodi- VulnerabilityassessmentwithCVSSv3 12
![Page 13: 05-NetSec CVSS intro · • PCI-DSS v2 (June 2012) • “Risk rankings should be based on industry best practices. For example, criteria for ranking ― High‖riskvulnerabilities](https://reader033.vdocuments.us/reader033/viewer/2022050209/5f5b9a988fb4fe3e0f3af267/html5/thumbnails/13.jpg)
Scope(1)
• Scopereferstothecollectionofprivilegesdefinedbyacomputingauthority(e.g.anapplication,anoperatingsystem,orasandboxenvironment)whengrantingaccesstocomputingresources(e.g.files,CPU,memory,etc).Theseprivilegesareassignedbasedonsomemethodofidentificationandauthorization.• Whenthe vulnerabilityofasoftwarecomponentgovernedbyoneauthorizationscopeisabletoaffectresourcesgovernedbyanotherauthorizationscope,aScopechangehasoccurred.
LucaAllodi- VulnerabilityassessmentwithCVSSv3 13
![Page 14: 05-NetSec CVSS intro · • PCI-DSS v2 (June 2012) • “Risk rankings should be based on industry best practices. For example, criteria for ranking ― High‖riskvulnerabilities](https://reader033.vdocuments.us/reader033/viewer/2022050209/5f5b9a988fb4fe3e0f3af267/html5/thumbnails/14.jpg)
Scope(2)
LucaAllodi- VulnerabilityassessmentwithCVSSv3 14
![Page 15: 05-NetSec CVSS intro · • PCI-DSS v2 (June 2012) • “Risk rankings should be based on industry best practices. For example, criteria for ranking ― High‖riskvulnerabilities](https://reader033.vdocuments.us/reader033/viewer/2022050209/5f5b9a988fb4fe3e0f3af267/html5/thumbnails/15.jpg)
Scope(3)
• Possiblevalues:• Unchanged:Anexploitedvulnerabilitycanonlyaffectresourcesmanagedbythesameauthority.Inthiscasethevulnerablecomponentandtheimpactedcomponentarethesame.• Changed:Anexploitedvulnerabilitycanaffectresourcesbeyondtheauthorizationprivilegesintendedbythevulnerablecomponent.Inthiscasethevulnerablecomponentandtheimpactedcomponentaredifferent.
LucaAllodi- VulnerabilityassessmentwithCVSSv3 15
![Page 16: 05-NetSec CVSS intro · • PCI-DSS v2 (June 2012) • “Risk rankings should be based on industry best practices. For example, criteria for ranking ― High‖riskvulnerabilities](https://reader033.vdocuments.us/reader033/viewer/2022050209/5f5b9a988fb4fe3e0f3af267/html5/thumbnails/16.jpg)
Impactmetrics• Measuresthelosseson
• Confidentiality,à impactonconfidentialityofdata• propertythatinformationisnotmadeavailableordisclosedto unauthorized
individuals,entites,orprocesses• Integrity,à impactonintegrityofdata
• the“propertyofaccuracyandcompleteness”ofinformation• Availabilityà impactonavailabilityofthecomponent
• isthe“propertyofbeingaccessibleandusableupondemandbyanunauthorizedentity”
• Eachmetricmeasuresthelossessuffered bytheimpactedcomponent• Possiblevalues:
1. Highà totalloss2. Lowà partialloss3. Noneà noloss
LucaAllodi- VulnerabilityassessmentwithCVSSv3 16
![Page 17: 05-NetSec CVSS intro · • PCI-DSS v2 (June 2012) • “Risk rankings should be based on industry best practices. For example, criteria for ranking ― High‖riskvulnerabilities](https://reader033.vdocuments.us/reader033/viewer/2022050209/5f5b9a988fb4fe3e0f3af267/html5/thumbnails/17.jpg)
ScoringGuide/Philosophy• AccessVectorà istheattackboundtothenetworkstack?• AttackComplexityà cantheattackercontrolallfactorsrelevanttotheexploitation?
• PrivilegesRequiredà doestheattackerneedbeauthenticated?• UserInteractionà doesthevictimuserneedtointeractwiththeattack?
• Scopeà istheauthorisation authorityunderwhichthevulnerablecomponentisthesameastheimpactedcomponent?
• Impact• Confidentiality, Integrityà Data• Availabilityà Service
• Scoringrule:Whenmorethanoneassessmentispossible,gowiththemoresevereone• e.g.exploitationcanhappenboththoughlocalI/Oandonnetworkstackà gowithnetwork
LucaAllodi- VulnerabilityassessmentwithCVSSv3 17
![Page 18: 05-NetSec CVSS intro · • PCI-DSS v2 (June 2012) • “Risk rankings should be based on industry best practices. For example, criteria for ranking ― High‖riskvulnerabilities](https://reader033.vdocuments.us/reader033/viewer/2022050209/5f5b9a988fb4fe3e0f3af267/html5/thumbnails/18.jpg)
ScoringExercise(1)• MSWordDenial-of-Serviceattack(CVE-2013-6801)
• MicrosoftWord2003SP2andSP3onWindowsXPSP3allowsremoteattackerstocauseadenialofservice(CPUconsumption)viaamalformed.doc filecontaininganembeddedimage,asdemonstratedbyword2003forkbomb.doc,relatedtoa"forkbomb"issue.
AccessVector Local
AccessComplexity Low
Privileges Required None
UserInteraction Required
Scope Unchanged
Confidentiality None
Integrity None
Availability HighLucaAllodi- VulnerabilityassessmentwithCVSSv3 18
![Page 19: 05-NetSec CVSS intro · • PCI-DSS v2 (June 2012) • “Risk rankings should be based on industry best practices. For example, criteria for ranking ― High‖riskvulnerabilities](https://reader033.vdocuments.us/reader033/viewer/2022050209/5f5b9a988fb4fe3e0f3af267/html5/thumbnails/19.jpg)
ScoringExercise(2)• CISCOhostcrash(CVE-2011-0355)
• CiscoNexus1000VVirtualEthernetModule(VEM)4.0(4)SV1(1)throughSV1(3b),asusedinVMwareESX4.0and4.1andESXi 4.0and4.1,doesnotproperlyhandledroppedpackets,whichallowsguestOSuserstocauseadenialofservice(ESXorESXihostOScrash)bysendingan802.1QtaggedpacketoveranaccessvEthernet port, akaCiscoBugIDCSCtj17451.
AccessVector Adjacent Network
AccessComplexity Low
Privileges Required None
UserInteraction None
Scope Change
Confidentiality None
Integrity None
Availability High 19
![Page 20: 05-NetSec CVSS intro · • PCI-DSS v2 (June 2012) • “Risk rankings should be based on industry best practices. For example, criteria for ranking ― High‖riskvulnerabilities](https://reader033.vdocuments.us/reader033/viewer/2022050209/5f5b9a988fb4fe3e0f3af267/html5/thumbnails/20.jpg)
ScoringExercise(3)• CVE-2009-0927• Stack-basedbufferoverflowinAdobeReaderandAdobeAcrobat9before9.1,8before8.1.3,and7before7.1.1allowsremoteattackerstoexecutearbitrarycodeviaacraftedargumenttothegetIconmethodofaCollabobject,adifferentvulnerabilitythanCVE-2009-0658.
AccessVector Network
AccessComplexity Low
Privileges Required None
UserInteraction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High 20
Analternativescoreforthisvuln exists.Ifoneassumesthatthevuln requiressomepdffiletobeopenedbyA.Reader,thenwehave:• AV:L/UI:RInthiscasewewentwiththeonethatgivesthehigherseverity(AV:N,UI:N)
![Page 21: 05-NetSec CVSS intro · • PCI-DSS v2 (June 2012) • “Risk rankings should be based on industry best practices. For example, criteria for ranking ― High‖riskvulnerabilities](https://reader033.vdocuments.us/reader033/viewer/2022050209/5f5b9a988fb4fe3e0f3af267/html5/thumbnails/21.jpg)
ScoringExercise(4)• Libvirt USBhandling (CVE-2012-2693)
• libvirt,possiblybefore0.9.12,doesnotproperlyassignUSBdevicestovirtualmachineswhenmultipledeviceshavethesamevendorandproductID,whichmightcausethewrongdevicetobeassociatedwithaguestandmightallowlocaluserstoaccessunintendedUSBdevices.
AccessVector Local
AccessComplexity High
Privileges Required Low
UserInteraction None
Scope Change
Confidentiality Low
Integrity Low
Availability Low 21
![Page 22: 05-NetSec CVSS intro · • PCI-DSS v2 (June 2012) • “Risk rankings should be based on industry best practices. For example, criteria for ranking ― High‖riskvulnerabilities](https://reader033.vdocuments.us/reader033/viewer/2022050209/5f5b9a988fb4fe3e0f3af267/html5/thumbnails/22.jpg)
Nexttime- Scoringexercise• Bringyourlaptopà exerciseongoogleclassroom
• Thescoringexercisewillbewithdifferentvulns fromthose@SecEngineering,+1metric(Scope)
• PeoplethatalreadydidCVSSassessmentswillbeconsideredas“experts”
• ThisisNOTgradedà notpartofyourfinalgrade• ExammayrequiretoscoreavulnerabilityusingCVSSv3andjustifydecision• Wewillhave4groups:A,B,C,D
• Eachstudentwillbeassignedtoagrouprandomly• Eachgroupdiffersonly forthearrangementofthevulndescription
• Allhaveidenticalvulnerabilitiestoscore• 1hourfortheexercise,remainingtimetodiscussscores
LucaAllodi- VulnerabilityassessmentwithCVSSv3 22