Understanding CVSS Scores and Attack Scenarios

In this article, we explore the different attack scenarios and CVSS scores for vulnerabilities. We discuss the importance of defining the correct attack scenario and how that choice affects the CVSSv3 vector and the resulting score. We also examine examples and explanations from the CVSSv3 specification to understand the reasoning behind the scoring. Finally, we address the issue of low CIA ratings and suggest a higher rating for consideration.

Question

CVSS Score Remote or Local Scenario

I have had to deal with a lot of CVSSv2 and CVSSv3 scores for many, many years. What has troubled me for what feels like forever is which default attack scenario should be defined for a vulnerability. Let’s take a malicious Office document as an example. As soon as it is opened, it is able to run code within the context of the user. There are two possible scenarios which lead to two different CVSSv3 vectors:

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L -> 6.3

This is the traditional scenario applied by malware which spreads via email over the Internet (AV:N). A user (victim) has to open the file willingly (UI:R) to initiate the code execution.

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L -> 5.3

This is the other scenario, where a local attacker (AV:L) abuses the vulnerability to gain elevated privileges. No unwanted user interaction (UI:N) is required by the “victim” (because the attacker and the victim are not the same person in this scenario).

Which one is right or better? We tend to use the one with the higher score if it is a realistic scenario. This discussion applies to every vulnerability that might also be used willingly within a local attack scenario (e.g. most browser-based attacks).

Answer

If you go by the spec and examples from FIRST, neither is correct.

Let’s start with examples:

  • CVE-2015-1098 – which is about DoS in iWork via a specifically crafted file – is scored as AV:L and UI:R.

  • CVE-2009-0658 – which is about a buffer overflow in Adobe Acrobat via a specifically crafted file – is also scored as AV:L and UI:R.

The reason in both cases is that the vulnerability is in the local parser and the victim has to open the file.

Looking at the CVSSv3 spec, we can see why:

Network: A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker’s path is through OSI layer 3 (the network layer).

Local: A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker’s path is via read/write/execute capabilities. […] she may rely on User Interaction to execute a malicious file.

Neither of the attacks works on OSI layer 3, so they are not "Network", but they do rely on a user executing a malicious file, so user interaction is required.

Note that this is in contrast to CVSSv2, where the CVSSv3 examples list the issues as access vector network (which doesn’t really match the CVSSv2 guide). The CVSSv3 user guide offers some explanation for this:

In CVSS v2.0, Scoring Tip 5 stated: "[…]" This guidance sometimes led to confusion in cases where an attacker would trick a user into downloading a malformed document from a remote web server, exploiting a file parsing vulnerability. In such case, analysts using CVSS v2.0 would treat these vulnerabilities as "network," […]

This guidance has been improved in CVSS v3.0 by clarifying the definitions of the Network and Adjacent values of the Attack Vector metric. Specifically, analysts should only score for Network or Adjacent when a vulnerability is bound to the network stack. Vulnerabilities which require user interaction to download or receive malicious content (which could also be delivered locally, e.g. via USB drives) should be scored as Local.

For example, a document parsing vulnerability, which does not rely on the network in order to be exploited, should typically be scored with the Local value, regardless of the method used to distribute such a malicious document (e.g. it could be a link to a web site, or via a USB stick).

So basically, the CVSSv2 network scoring resulted from confusion and is not seen as correct.

Note that browser-based attacks are seen as completely different than file-based attacks, as the network stack is involved (the link contains a rather lengthy explanation).

From a technical perspective, this scoring makes a lot of sense to me, as it actually looks at what the attack vector is. Practically, it may seem a bit odd that two issues which result in the same damage and which may be exploited in very similar scenarios receive such different scores.

You did not ask about it, but your CIA ratings of L seem too low to me. I think a good argument could be made for H, which would give you CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H -> 7.8.
