05-netsec CVSS intro
Post on 19-Jul-2020
Network Security AA 2015/2016
Vulnerability measurement
Dr. Luca Allodi
Why to grade vulnerabilities?
• Central question:
  → How severe are the security problems affecting my software configuration?
• Not all vulnerabilities are the same
  • XSS vs BoF vs SQLi vs Privilege escalation vs …
• Vulnerability counting can NOT be a measure of severity
  → What is the threat level of your systems?
  → Clients and users should be informed too
    → Not all users are “security experts”
    → “IT knowledge” can be assumed
  → How to measure and communicate a security issue?
Luca Allodi - Vulnerability assessment with CVSS v3 (slide 2)
Best practice
• Listen to the U.S. Government…
• US Cyber Security Order (Press release Feb 2013)
  • “NIST will work collaboratively with critical infrastructure stakeholders to develop the framework relying on existing international standards, practices, and procedures that have proven to be effective”
• U.S. NIST SCAP Protocol v1.2 (Draft Jan 2012)
  • “Organizations should use CVSS base scores to assist in prioritizing the remediation of known security-related software flaws based on the relative severity of the flaws.”
• PCI-DSS v2 (June 2012)
  • “Risk rankings should be based on industry best practices. For example, criteria for ranking ‘High’ risk vulnerabilities may include a CVSS base score of 4.0 or above”
• U.S. Government Configuration Baseline (USGCB)
• Supported by the industry → Rapid7, Telos, VMware, Symantec, Qualys, Retina, etc.
The Common Vulnerability Scoring System
• CVSS is an open framework for communicating the characteristics and severity of software vulnerabilities.
• Goal is to have a shared system of metrics to analyze and measure vulnerabilities
• Different users score the same vuln in the same way → severity assessment
• Different people “read” the same vuln and understand the same thing → severity communication
CVSS v(x) walkthrough
• CVSS v(1) introduced back in 2004 by First.org
  • Reception was good but implementation was confusing
  • Not peer-reviewed
• CVSS v(2) workings started in 2005, released in 2007
  • Peer-reviewed, industry feedback
  • Became the de-facto standard vulnerability scoring system in the industry
• CVSS v(3) workings started in 2012, released in 2015
  • Builds on top of v2
  • Changes the “scoring philosophy”
  • Further step toward a precise scoring system
CVSS v3 http://www.first.org/cvss/v3/development
• CVSS is based on three metric groups (Base, Temporal and Environmental)
CVSS Base metric overview
• Exploitability metrics (measured over the vulnerable component)
  • Attack Vector
  • Attack Complexity
  • User Interaction
  • Privileges Required
• Scope metric
  • Auth. authority of vulnerable component = auth. authority of impacted component?
• Impact metrics (measured over the impacted component)
  • Confidentiality
  • Integrity
  • Availability
Expl. Metrics: Attack Vector
• This metric reflects the context in which the vulnerability exploitation occurs.
• The more remote an attacker (or the attack) can be from the target, the greater the vulnerability score.
• Possible values:
  1. Network: exploitation is bound to the network stack
  2. Adjacent Network: attacker needs to be in the same subnet
  3. Local: attack is not bound to the network stack, but rather to I/O on the system. In some cases, the attacker may be logged in locally in order to exploit the vulnerability; otherwise, she may rely on User Interaction to execute a malicious file.
  4. Physical: attacker must be physically operating over the vulnerable component
Expl. Metrics: Attack Complexity
• This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability.
• Possible values:
  1. High: A successful attack depends on conditions outside the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected.
  2. Low: Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable exploit success against a vulnerable target.
Examples for Attack Complexity: High
• For example, a successful attack may depend on an attacker overcoming any of the following conditions:
  1. The attacker must conduct target-specific reconnaissance. For example, on target configuration settings, sequence numbers, shared secrets, etc.
  2. The attacker must prepare the target environment to improve exploit reliability. For example, repeated exploitation to win a race condition, or overcoming advanced exploit mitigation techniques.
  3. The attacker injects herself into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g. man in the middle attack).
Expl. Metrics: Privileges Required
• This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.
• Possible values:
  1. High: The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files.
  2. Low: The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources.
  3. None: The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack.
Expl. Metrics: User Interaction
• This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.
• This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.
• Possible values:
  1. Required: Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator.
  2. None: The vulnerable system can be exploited without any interaction from any user.
Scope (1)
• Scope refers to the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization.
• When the vulnerability of a software component governed by one authorization scope is able to affect resources governed by another authorization scope, a Scope change has occurred.
Scope (2)
Scope (3)
• Possible values:
  • Unchanged: An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same.
  • Changed: An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different.
Impact metrics
• Measures the losses on
  • Confidentiality → impact on confidentiality of data
    • property that information is not made available or disclosed to unauthorized individuals, entities, or processes
  • Integrity → impact on integrity of data
    • the “property of accuracy and completeness” of information
  • Availability → impact on availability of the component
    • is the “property of being accessible and usable upon demand by an authorized entity”
• Each metric measures the losses suffered by the impacted component
• Possible values:
  1. High → total loss
  2. Low → partial loss
  3. None → no loss
Scoring Guide / Philosophy
• Access Vector → is the attack bound to the network stack?
• Attack Complexity → can the attacker control all factors relevant to the exploitation?
• Privileges Required → does the attacker need to be authenticated?
• User Interaction → does the victim user need to interact with the attack?
• Scope → is the authorisation authority under which the vulnerable component is the same as the impacted component?
• Impact
  • Confidentiality, Integrity → Data
  • Availability → Service
• Scoring rule: when more than one assessment is possible, go with the more severe one
  • e.g. exploitation can happen both through local I/O and on the network stack → go with Network
Scoring Exercise (1)
• MS Word Denial-of-Service attack (CVE-2013-6801)
• Microsoft Word 2003 SP2 and SP3 on Windows XP SP3 allows remote attackers to cause a denial of service (CPU consumption) via a malformed .doc file containing an embedded image, as demonstrated by word2003forkbomb.doc, related to a "forkbomb" issue.
  Access Vector        Local
  Access Complexity    Low
  Privileges Required  None
  User Interaction     Required
  Scope                Unchanged
  Confidentiality      None
  Integrity            None
  Availability         High
Scoring Exercise (2)
• CISCO host crash (CVE-2011-0355)
• Cisco Nexus 1000V Virtual Ethernet Module (VEM) 4.0(4)SV1(1) through SV1(3b), as used in VMware ESX 4.0 and 4.1 and ESXi 4.0 and 4.1, does not properly handle dropped packets, which allows guest OS users to cause a denial of service (ESX or ESXi host OS crash) by sending an 802.1Q tagged packet over an access vEthernet port, aka Cisco Bug ID CSCtj17451.
  Access Vector        Adjacent Network
  Access Complexity    Low
  Privileges Required  None
  User Interaction     None
  Scope                Changed
  Confidentiality      None
  Integrity            None
  Availability         High
Scoring Exercise (3)
• CVE-2009-0927
• Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3, and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object, a different vulnerability than CVE-2009-0658.
  Access Vector        Network
  Access Complexity    Low
  Privileges Required  None
  User Interaction     None
  Scope                Unchanged
  Confidentiality      High
  Integrity            High
  Availability         High
An alternative score for this vuln exists. If one assumes that the vuln requires some pdf file to be opened by A. Reader, then we have:
• AV:L/UI:R
In this case we went with the one that gives the higher severity (AV:N, UI:N).
Scoring Exercise (4)
• Libvirt USB handling (CVE-2012-2693)
• libvirt, possibly before 0.9.12, does not properly assign USB devices to virtual machines when multiple devices have the same vendor and product ID, which might cause the wrong device to be associated with a guest and might allow local users to access unintended USB devices.
  Access Vector        Local
  Access Complexity    High
  Privileges Required  Low
  User Interaction     None
  Scope                Changed
  Confidentiality      Low
  Integrity            Low
  Availability         Low
Next time - Scoring exercise
• Bring your laptop → exercise on Google Classroom
• The scoring exercise will be with different vulns from those @ SecEngineering, +1 metric (Scope)
• People that already did CVSS assessments will be considered as “experts”
• This is NOT graded → not part of your final grade
• Exam may require to score a vulnerability using CVSS v3 and justify the decision
• We will have 4 groups: A, B, C, D
  • Each student will be assigned to a group randomly
  • Each group differs only for the arrangement of the vuln description
  • All have identical vulnerabilities to score
• 1 hour for the exercise, remaining time to discuss scores