05-netsec cvss intro · • pci-dss v2 (june 2012) • “risk rankings should be based on industry...

NetworkSecurityAA2015/2016

VulnerabilitymeasurementDr.LucaAllodi

Whytogradevulnerabilities?• Centralquestion:

à Howseverearethesecurityproblemsaffectingmysoftwareconfiguration?

• Notallvulnerabilitiesarethesame• XSSvsBoF vsSQLi vsPrivilegeescalationvs…• VulnerabilitycountingcanNOTbeameasureofseverityàWhatisthethreatlevelofyoursystems?à Clientsandusersshouldbeinformedtoo

à Notallusersare“securityexperts”à “ITknowledge”canbeassumed

à Howtomeasurecommunicate asecurityissue?

LucaAllodi- VulnerabilityassessmentwithCVSSv3 2

Bestpractice

• ListentotheU.S.Government….• USCyberSecurityOrder(PressreleaseFeb’2013)

• “NISTwillworkcollaborativelywithcriticalinfrastructurestakeholderstodeveloptheframeworkrelyingonexistinginternationalstandards,practices,andproceduresthathaveproventobeeffective”

• U.S.NISTSCAPProtocolv1.2(DraftJan2012)• “OrganizationsshoulduseCVSSbasescorestoassist inprioritizingtheremediationofknownsecurity-relatedsoftwareflawsbasedontherelativeseverityoftheflaws.”

• PCI-DSSv2(June2012)• “Riskrankingsshouldbebasedonindustrybestpractices.Forexample,criteriaforranking―High‖risk vulnerabilitiesmayincludeaCVSSbasescoreof4.0orabove”

• U.S.GovernmentConfigurationBaseline(USGCB)• Supportedbytheindustryà Rapid7,Telos,VmWare,Symantec,Qualys,Retinaetc.etc.


TheCommonVulnerabilityScoringSystem• CVSSisanopenframeworkforcommunicatingthecharacteristicsandseverityofsoftwarevulnerabilities.• Goalistohaveasharedsystemofmetricstoanalyzeandmeasurevulnerabilities• Differentusersscorethesamevuln inthesamewayàseverityassessment• Differentpeople“read”thesamevuln andunderstandthesamethingà severitycommunication


CVSSv(x)walkthrough• CVSSv(1)introducedbackin2004byFirst.org• Receptionwasgoodbutimplementationwasconfusing• Notpeer-reviewed

• CVSSv(2)workingsstartedin2005,releasedin2007• Peer-reviewed,industryfeedback• Becamestandard-de-facto vulnerabilityscoringsystemintheindustry

• CVSSv(3)workingsstartedin2012,releasedin2015• Buildsontopofv2• Changesthe“scoringphilosophy”• Furthersteptowardaprecisescoringsystem


CVSSv3http://www.first.org/cvss/v3/development• CVSSisbasedonthreemetricgroups


CVSSBasemetricoverview

• Exploitabilitymetrics• AttackVector• AttackComplexity• UserInteraction• PrivilegesRequired

• Scopemetric• Impactmetrics• Confidentiality• Integrity• Availability


Measuredoverthevulnerablecomponent

Measuredovertheimpactedcomponent

Auth.Authority ofVulnerableComponent=Auth.Authority ofImpactedComponent?

Expl.Metrics:AttackVector

• Thismetricreflectsthecontextinwhichthevulnerabilityexploitationoccurs.• Themoreremoteanattacker(ortheattack)canbefromthetarget,thegreaterthevulnerabilityscore.• Possiblevalues:

1. Network:exploitationisboundtothenetworkstack2. AdjacentNetwork:attackerneedstobeinsamesubnet3. Local:attackisnotboundtonetworkstack,butratherto

I/Oonsystem.Insomecases,theattackermaybeloggedinlocallyinordertoexploitthevulnerability,otherwise,shemayrelyonUserInteractiontoexecuteamaliciousfile.

4. Physical:attackermustbephysicallyoperatingoverthevulnerablecomponent


Expl.Metrics:AttackComplexity• Thismetricdescribestheconditionsbeyondtheattacker’scontrolthatmustexistinordertoexploitthevulnerability.• Possiblevalues:

1. High:Asuccessfulattackdependsonconditionsoutsidetheattacker'scontrol.Thatis,asuccessfulattackcannotbeaccomplished,butrequirestheattackertoinvestinsomemeasurableamountofeffortinpreparationorexecutionagainstthevulnerablecomponent beforeasuccessfulattackcanbeexpected.

2. Low: Specializedaccessconditionsorextenuatingcircumstancesdonotexist.Anattackercanexpectrepeatableexploitsuccessagainstavulnerabletarget


ExamplesforAttackComplexity:High• Forexample,asuccessfulattackmaydependonan

attackerovercominganyofthefollowingconditions:1. Theattackermustconducttarget-specificreconnaissance.For

example,ontargetconfigurationsettings,sequencenumbers,sharedsecrets,etc.

2. Theattackermustpreparethetargetenvironmenttoimproveexploitreliability.Forexample,repeatedexploitation towinaracecondition,orovercomingadvancedexploitmitigationtechniques.

3. Theattackerinjectsherselfintothelogicalnetworkpathbetweenthetargetandtheresourcerequestedbythevictiminordertoreadand/ormodifynetworkcommunications(e.g.maninthemiddleattack).


Expl.Metrics:PrivilegesRequired

• Thismetricdescribesthelevelofprivilegesanattackermustpossessbeforesuccessfullyexploitingthevulnerability.• Possiblevalues:

1. High:Theattackerisauthorizedwith(i.e.requires)privilegesthatprovidesignificant(e.g.administrative)controloverthevulnerablecomponentthatcouldaffectcomponent-widesettingsandfiles.

2. Low:Theattackerisauthorizedwith(i.e.requires)privileges thatprovidebasicusercapabilitiesthatcouldnormallyaffectonlysettingsandfilesownedbyauser.Alternatively,anattackerwithLowprivilegesmayhavetheabilitytocauseanimpactonlytonon-sensitive resources.

3. None:Theattackerisunauthorized prior toattack,andthereforedoesnotrequireanyaccesstosettingsorfilestocarryoutanattack.


Expl.Metrics:UserInteraction

• Thismetriccapturestherequirementforauser,otherthantheattacker,toparticipateinthesuccessfulcompromisethevulnerablecomponent.• Thismetricdetermineswhetherthevulnerabilitycanbeexploitedsolelyatthewilloftheattacker,orwhetheraseparateuser(oruser-initiatedprocess)mustparticipateinsomemanner.• Possiblevalues:

1. Required:Successfulexploitationofthisvulnerabilityrequiresausertotakesomeactionbeforethevulnerabilitycanbeexploited.Forexample,asuccessfulexploitmayonlybepossible duringtheinstallation ofanapplicationbyasystemadministrator.

2. None: Thevulnerablesystemcanbeexploitedwithoutanyinteractionfromanyuser.


Scope(1)

• Scopereferstothecollectionofprivilegesdefinedbyacomputingauthority(e.g.anapplication,anoperatingsystem,orasandboxenvironment)whengrantingaccesstocomputingresources(e.g.files,CPU,memory,etc).Theseprivilegesareassignedbasedonsomemethodofidentificationandauthorization.• Whenthe vulnerabilityofasoftwarecomponentgovernedbyoneauthorizationscopeisabletoaffectresourcesgovernedbyanotherauthorizationscope,aScopechangehasoccurred.


Scope(2)


Scope(3)

• Possiblevalues:• Unchanged:Anexploitedvulnerabilitycanonlyaffectresourcesmanagedbythesameauthority.Inthiscasethevulnerablecomponentandtheimpactedcomponentarethesame.• Changed:Anexploitedvulnerabilitycanaffectresourcesbeyondtheauthorizationprivilegesintendedbythevulnerablecomponent.Inthiscasethevulnerablecomponentandtheimpactedcomponentaredifferent.


Impactmetrics• Measuresthelosseson

• Confidentiality,à impactonconfidentialityofdata• propertythatinformationisnotmadeavailableordisclosedto unauthorized

individuals,entites,orprocesses• Integrity,à impactonintegrityofdata

• the“propertyofaccuracyandcompleteness”ofinformation• Availabilityà impactonavailabilityofthecomponent

• isthe“propertyofbeingaccessibleandusableupondemandbyanunauthorizedentity”

• Eachmetricmeasuresthelossessuffered bytheimpactedcomponent• Possiblevalues:

1. Highà totalloss2. Lowà partialloss3. Noneà noloss


ScoringGuide/Philosophy• AccessVectorà istheattackboundtothenetworkstack?• AttackComplexityà cantheattackercontrolallfactorsrelevanttotheexploitation?

• PrivilegesRequiredà doestheattackerneedbeauthenticated?• UserInteractionà doesthevictimuserneedtointeractwiththeattack?

• Scopeà istheauthorisation authorityunderwhichthevulnerablecomponentisthesameastheimpactedcomponent?

• Impact• Confidentiality, Integrityà Data• Availabilityà Service

• Scoringrule:Whenmorethanoneassessmentispossible,gowiththemoresevereone• e.g.exploitationcanhappenboththoughlocalI/Oandonnetworkstackà gowithnetwork


ScoringExercise(1)• MSWordDenial-of-Serviceattack(CVE-2013-6801)

• MicrosoftWord2003SP2andSP3onWindowsXPSP3allowsremoteattackerstocauseadenialofservice(CPUconsumption)viaamalformed.doc filecontaininganembeddedimage,asdemonstratedbyword2003forkbomb.doc,relatedtoa"forkbomb"issue.

AccessVector Local

AccessComplexity Low

Privileges Required None

UserInteraction Required

Scope Unchanged

Confidentiality None

Integrity None

Availability HighLucaAllodi- VulnerabilityassessmentwithCVSSv3 18

ScoringExercise(2)• CISCOhostcrash(CVE-2011-0355)

• CiscoNexus1000VVirtualEthernetModule(VEM)4.0(4)SV1(1)throughSV1(3b),asusedinVMwareESX4.0and4.1andESXi 4.0and4.1,doesnotproperlyhandledroppedpackets,whichallowsguestOSuserstocauseadenialofservice(ESXorESXihostOScrash)bysendingan802.1QtaggedpacketoveranaccessvEthernet port, akaCiscoBugIDCSCtj17451.

AccessVector Adjacent Network



UserInteraction None

Scope Change

Confidentiality None

Integrity None

Availability High 19

ScoringExercise(3)• CVE-2009-0927• Stack-basedbufferoverflowinAdobeReaderandAdobeAcrobat9before9.1,8before8.1.3,and7before7.1.1allowsremoteattackerstoexecutearbitrarycodeviaacraftedargumenttothegetIconmethodofaCollabobject,adifferentvulnerabilitythanCVE-2009-0658.

AccessVector Network




Scope Unchanged

Confidentiality High

Integrity High

Availability High 20

Analternativescoreforthisvuln exists.Ifoneassumesthatthevuln requiressomepdffiletobeopenedbyA.Reader,thenwehave:• AV:L/UI:RInthiscasewewentwiththeonethatgivesthehigherseverity(AV:N,UI:N)

ScoringExercise(4)• Libvirt USBhandling (CVE-2012-2693)

• libvirt,possiblybefore0.9.12,doesnotproperlyassignUSBdevicestovirtualmachineswhenmultipledeviceshavethesamevendorandproductID,whichmightcausethewrongdevicetobeassociatedwithaguestandmightallowlocaluserstoaccessunintendedUSBdevices.

AccessVector Local

AccessComplexity High

Privileges Required Low


Scope Change

Confidentiality Low

Integrity Low

Availability Low 21

Nexttime- Scoringexercise• Bringyourlaptopà exerciseongoogleclassroom

• Thescoringexercisewillbewithdifferentvulns fromthose@SecEngineering,+1metric(Scope)

• PeoplethatalreadydidCVSSassessmentswillbeconsideredas“experts”

• ThisisNOTgradedà notpartofyourfinalgrade• ExammayrequiretoscoreavulnerabilityusingCVSSv3andjustifydecision• Wewillhave4groups:A,B,C,D

• Eachstudentwillbeassignedtoagrouprandomly• Eachgroupdiffersonly forthearrangementofthevulndescription

• Allhaveidenticalvulnerabilitiestoscore• 1hourfortheexercise,remainingtimetodiscussscores


05-netsec cvss intro · • pci-dss v2 (june 2012) • “risk rankings should be based on industry...

Documents