· What is the Common Vulnerability Scoring System/CVSS?
In application security, the term we hear most often is vulnerability: a weakness in a system that can be exploited and that poses a threat to an infrastructure or organization. A few parameters decide how severe a vulnerability is, and combined they determine the CVSS of that vulnerability. The greater the CVSS score, the more severe the vulnerability.
CVSS stands for Common Vulnerability Scoring System. An organization or pen tester uses its parameters to rate vulnerabilities and decide their severity. CVSS gives a numerical representation of a vulnerability’s severity, also known as the “Base score”. The base score ranges from 0 to 10: a vulnerability with a base score near 10 is critical, while 0 represents a vulnerability with no risk. The hierarchy is as follows:
The CVSS score is calculated from different vectors (metrics).
Depending on where your CVSS score lies:
i. Critical: Greater than 9 to less than 10
ii. High: Greater than 7 to less than 9
iii. Medium: Greater than 4 to less than 7
iv. Low: Greater than 0 to less than 4
Several vectors decide the CVSS of a vulnerability. Let us discuss them one by one.
· What is an attack vector?
1. Attack Vector/AV:
This represents the context by which exploitation of the vulnerability is possible. It has the following values:
a. Network/N: Assigned when the vulnerability can be exploited remotely, i.e. through the public internet.
b. Adjacent/A: To exploit this vulnerability, the attacker has to exploit it from a different subnet of the organization’s network.
c. Local/L: To exploit this vulnerability, access to the internal network is required.
d. Physical/P: The attacker needs physical access to the target. This actually decreases the CVSS, since physical access is a greater degree of control needed to exploit the vulnerability.
2. Scope/S:
This shows whether a vulnerability in one of the products affects resources beyond its security scope.
a. Unchanged/U: The vulnerability that has been found is exploited on a resource managed by the same security group.
b. Changed/C: The vulnerability found affects resources beyond the security controls managed by the security authority.
Example: a company takes services from third parties and weak points are found in those services. It is the company’s responsibility either to patch that vulnerability or to change the scope.
3. Attack Complexity/AC:
This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability.
a. Low/L: Exploitation of the target is very easy to perform.
b. High/H: Exploitation is very tough and requires certain conditions to be met before it can be performed.
4. Confidentiality/C:
Confidentiality means restricting the disclosure of sensitive information to authorized users only. Some applications collect PII (personally identifiable information) from users; Facebook, for example, asks users to provide their email, date of birth and other sensitive information. If this information is disclosed in a breach, the confidentiality of the data is compromised.
a. None/N: No one can see the information other than the user.
b. Low/L: Your information is public, but only a small number of people can see it.
c. High/H: Only the admin of the organization can see your information.
5. Privileges Required (PR):
It defines whether any privileges are needed to exploit the vulnerability.
a. None/N: No privileges are required to exploit the vulnerability.
b. Low/L: With lower-level rights, attackers can perform the exploit.
c. High/H: To perform the attack, the attacker needs high privileges such as admin account rights, so in this case the attack surface is reduced.
6. Integrity/I:
If the vulnerability is exploited, the integrity/trustworthiness of that resource is affected.
a. None/N: Nothing happens to the exploited data.
b. Low/L: After some sort of data modification, we can still get the old data back.
c. High/H: If the total data is affected, we lose the integrity of the data.
7. User Interaction/UI:
This defines whether any user interaction is needed in order to exploit the vulnerability.
a. None/N: No user interaction is needed to exploit the vulnerability.
b. Required/R: User interaction is needed to exploit the vulnerability.
8. Availability/A:
If after the exploit we are not able to access the application, there is a problem with the availability of data. Availability can also be affected through other resources such as bandwidth and memory.
a. None/N: All users can access the application.
b. Low/L: A small number of users are not able to access the application.
c. High/H: The server is down and no one can access the application.
Let us discuss one CVE, CVE-2017-16510. This CVE is related to an SQL injection vulnerability. Here we will discuss how to calculate the base score for this vulnerability.
Attack Vector/AV: SQL injection can be exploited remotely, so we use “Network” for this vector.
Scope/S: Since it only affects the product or software directly under the organization’s control, the “Scope” is “Unchanged”.
Attack Complexity/AC: As we all know, performing SQL injection is very easy for a pen-tester, so “AC” is marked “Low”.
Confidentiality/C: With an SQL injection exploit we always get access to confidential data, so this is marked “High”.
Privileges Required (PR): In this vulnerability, SQL injection can be performed without any authentication or privileges. Since no special privileges are needed to exploit it, I am marking it “None”.
Integrity/I: As we get admin access through the SQL injection, the attacker can change the integrity of the whole data. On that basis I am marking it “High”.
User Interaction/UI: No user interaction is needed to exploit an SQL injection vulnerability, so this is marked “None”.
Availability/A: Since during exploitation of the SQL injection the attacker will send a lot of queries to the database, the server may become unavailable to other users and their requests might not get processed. That is a huge impact on the availability of data. On that basis, I am marking it “High”.
Now we will run the CVSS calculator, mark these eight vectors, and see what CVSS base score we get and where it falls.
After selecting all eight vectors, the calculator automatically provides the base score with its severity. As shown in the above screenshot, it is “9.8”, which falls under critical severity.