Академический Документы
Профессиональный Документы
Культура Документы
Seth Hanford
Chair, CVSS-SIG
CVSS v3 Development
Preliminary work June 2011 Mar 2012
Chair nominated; IPR development & SIG governance work
Attack Vector
Redefined, clarified; now with Physical vector
Authentication
Confidentiality
Integrity
Availability
CVSS v3
Attack Vector
Attack Complexity
User Interaction
Privileges Required
Authorization Scope
Impact Scope
Confidentiality
Integrity
Availability
Vulnerability Chaining
Requires individual vulnerabilities to have their own CVSS scores first
Used to express 1..N vulnerabilities exploited together to achieve the
impact of vulnerability N
Chain has its own CVSS score
Impact Scope
Component
Attacker
User Interaction
Access Vector
Confidentiality
Integrity
Attack Complexity
Privileges Required
Availability
Impact Scope
Component
setuid app
Attacker
User Interaction
Interaction
User
None
Attack Complexity
Complexity
Attack
Low
Access Vector
Access
Vector
Local
Privileges
Privileges Required
Required
Low
Confidentiality
Confidentiality
Complete
Integrity
Integrity
Complete
Availability
Availability
Complete
Impact Scope
Increased
Browser
Web app
Attacker
User Interaction
Interaction
User
Simple
Attack Complexity
Complexity
Attack
Low
Access Vector
Access
Vector
Network
Privileges
Privileges Required
Required
None
Confidentiality
Confidentiality
Partial
Integrity
Integrity
Partial
Availability
Availability
Partial
Impact Scope
Component
Hypervisor
Guest OS
Attacker
User Interaction
Interaction
User
None
Attack Complexity
Complexity
Attack
Medium
Access Vector
Access
Vector
Local
Privileges
Privileges Required
Required
Complete
Confidentiality
Confidentiality
None
Integrity
Integrity
None
Availability
Availability
Complete
Impact Scope
Increased
Host OS
Guest OS
Attacker
User Interaction
Interaction
User
None
Attack Complexity
Complexity
Attack
None
Access Vector
Access
Vector
Local
Privileges
Privileges Required
Required
High
Hypervisor
Confidentiality
Confidentiality
None
Integrity
Integrity
None
Availability
Availability
Complete
Remediation Level
Report Confidence
Exploitability Subscore
Target Distribution
Exploitability Subscore
Mitigated PR
Mitigated UI
Collateral Damage
Mitigated AS
Mitigated IS
Conf Requirement
Integ Requirement
Avail Requirement
Mitigated Conf
Impact Subscore
Mitigated Integ
Mitigated Avail
Mitigated Environmental
All BASE metrics would have an associated Mitigated Environmental
metric.
Mitigation
Listening Service
AV: N
Buffer Overflow
AC: L
Run as non-privileged
account:
MC:P, MI:P, MA:P
Code Execution:
C:C, I:C, A:C
Denial of Service:
MC: N, MI: N, MA: C
Difficult to measure
Do not scale well to large organizations
By all accounts unused
Mitigated Environmental has shifted focus of environmental
Severity Categories
Based on the Unofficial NIST NVD range-based assignments
Low:
Medium:
High:
0 3.9
4.0 6.9
7.0 10.0
None:
Low:
Medium:
High:
Critical:
0.0
0.1 3.9
4.0 6.9
7.0 8.9
9.0 10.0
Vulnerability Chains
CVSS v3 still focused on scoring vulnerabilities individually
Optional capability that removes the restriction for combining chained
effects
Requires individual vulnerabilities to have their own CVSS scores first
Used to express 1..N vulnerabilities in order to achieve the impact of
vulnerability N
Chain has its own CVSS score
Vulnerability Chains
Vuln 1
Vuln 2
Vuln 3
Chain
Access Vector
Attack Complexity
Privileges Required
User Interaction
Authorization Scope
Impact Scope
Confidentiality
Integrity
Availability
Exploitability
Remediation Level
OF
OF
Report Confidence
UR
UR
Further work
Ongoing / concurrent through Nov 30, 2013
Release CVSS v3
Thank you!
24
Network
Attack Complexity
Access
Adjacent
Low
Network
Privileges
Authentication
Required
ExploitabilityMedium
Subscore
None
Local
User Interaction
Physical
Single
High
Low
None
Authorization Scope
Increased
Multiple
Simple
High
Impact Scope
Component
Complete
Complex
Increased
Confidentiality
Decreased
Component
Impact Subscore
Decreased
Integrity
Availability
Privileges Required
Removes v2 Authentication metric
Measures actual attacker privileges vs overloaded local definition
Privileges Required
Metric Value
Description
None
Unprivileged
Low
High
Complete
Vulnerability
V2 Authentication
V3 Privileges
Required
Local,
Authenticated
Attacker
None
Low
High
Complete
Unprivileged,
Authenticated
Attacker
Single
Low
Privileged Attacker
Single
High / Complete
User Interaction
Removes Social Engineering components from v2 Access Complexity
definition; for users other than the attacker
Metric Value
Description
None
Simple
Successful exploitation
requires a user to take
standard / expected actions
(open email, click a link, view
PDF, etc)
Complex
Successful exploitation
requires a user to take nonstandard / abnormal actions
V2 Access
Complexity
V3 User Interaction
Low
None
Attacker delivers
malicious PDF by
mail / web
Medium
Simple
Victim must
perform detailed,
complicated, or
precisely-timed
actions
Medium
Complex
Privileged attacker,
user interaction,
and race condition
Medium (High?)
Simple
(others elsewhere)
Authorization Scope
First of two metrics used to answer the Scope problem
Design agnostic
Authorization Scope
Metric Value
Description
Increased
Authorization from
independent authority, or
whose control includes all
resources of vulnerable
component
Component
DEFAULT; Authorization
granted by component itself
or same authority used to
authorize component
capabilities
Decreased
Impact Scope
Second of two metrics used to answer the Scope problem
Design agnostic
Impact Scope
Metric Value
Description
Increased
Information resources
controlled by an authority that
is independent of the
vulnerable component are
primarily impacted
Component
Decreased
Resources controlled by
component, or subordinate to
component are primarily
impacted
Authorization Scope
Impact Scope
Decreased
Component
Decreased
Component
Decreased
Decreased
Component
Increased
Unprivileged Hypervisor
User -> Guest OS Privileged
Access
Component
Decreased