
CVSS Common Vulnerability Scoring System v3.0



CVSS v3.0 Specification (v1.7) 1/21

Common Vulnerability Scoring System v3.0: Specification Document

The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base group represents the intrinsic qualities of a vulnerability, the Temporal group reflects the characteristics of a vulnerability that change over time, and the Environmental group represents the characteristics of a vulnerability that are unique to a user's environment. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. A CVSS score is also represented as a vector string, a compressed textual representation of the values used to derive the score. This document provides the official specification for CVSS v3.0.

CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. FIRST reserves the right to update CVSS and this document periodically at its sole discretion. While FIRST owns all right and interest in CVSS, it licenses it to the public freely for use, subject to the conditions below. Membership in FIRST is not required to use or implement CVSS. FIRST does, however, require that any individual or entity using CVSS give proper attribution, where applicable, that CVSS is owned by FIRST and used by permission. Further, FIRST requires as a condition of use that any individual or entity which publishes scores conforms to the guidelines described in this document and provides both the score and the scoring vector so others can understand how the score was derived.

Contents

Contents (page 2)
Resources & Links (page 3)
Acknowledgements (page 4)
Introduction (page 5)
Metrics (page 5)
Scoring (page 6)
Base Metrics (page 7)
Exploitability Metrics (page 7)
Attack Vector (AV) (page 7)
Attack Complexity (AC) (page 8)
Privileges Required (PR) (page 9)
User Interaction (UI) (page 9)
Scope (S) (page 9)
Impact Metrics (page 10)
Confidentiality Impact (C) (page 10)
Integrity Impact (I) (page 11)
Availability Impact (A) (page 11)
Temporal Metrics (page 12)
Exploit Code Maturity (E) (page 12)
Remediation Level (RL) (page 13)
Report Confidence (RC) (page 13)
Environmental Metrics (page 14)
Security Requirements (CR, IR, AR) (page 14)
Modified Base Metrics (page 15)
Qualitative Severity Rating Scale (page 16)
Vector String (page 17)
CVSS v3.0 XML Schema Definition (page 18)
CVSS v3.0 Equations (page 18)
Base (page 18)
Temporal (page 19)
Environmental (page 19)
Metrics Levels (page 19)
A Word on CVSS v3.0 Equations and Scoring (page 21)

Resources & Links

Below are useful references to additional CVSS v3.0 documents (resource, then location):

Specification Document: includes metric descriptions, formulas, and vector string. Available at http://www.first.org/cvss/specification-document
User guide: includes further discussion of CVSS v3.0, a scoring rubric, and a glossary. Available at http://www.first.org/cvss/user-guide
Example document: includes examples of CVSS v3.0 scoring in practice. Available at https://www.first.org/cvss/examples
CVSS v3.0 logo: low and hi-res images available at http://www.first.org/cvss/identity
CVSS v3.0 calculator: reference implementation of the CVSS v3.0 equations, available at http://www.first.org/cvss/calculator/3.0
XML schema: schema definition available at https://www.first.org/cvss/cvss-v3.0.xsd

Acknowledgements

FIRST sincerely wishes to recognize the contributions of the following CVSS Special Interest Group (SIG) members, and all those who have provided valuable comments, listed in alphabetical order:

Renchie Abraham (SAP)
Luca Allodi (University of Trento)
Divya Arora (Intel)
Nazira Carlage (EMC)
Matthew Coles (EMC)
Dave Dugal (Juniper)
Mick Eckert (Bank of America)
Seth Hanford (Cisco / TIAA-CREF)
Max Heitman (Citi)
Jeffrey Heller (Sandia National Laboratories)
Art Manion (CERT/CC)
Bruce Monroe (Intel)
Scott Moore (IBM)
Dale Rich (Depository Trust & Clearing Corporation)
Sasha Romanosky (Carnegie Mellon University)
Frank Romeo (Citi)
Karen Scarfone (Scarfone Cybersecurity)
Arjuna Shunn (Microsoft)
John Stuppi (Cisco)
Masato Terada (Information-Technology Promotion Agency, Japan)
Garret Wassermann (CERT/CC)
Chuck Wergin (NIST)
Darius Wiles (Oracle)
Arnold Yoon (Dell)

FIRST would also like to thank Jennifer Daily for her creative design efforts, Deloitte & Touche LLP for their statistical assistance, Kacy Hangca (Neustar) for her tireless work facilitating our meetings, and Martin Lee (Cisco) for his analysis of nearly 30,000 CVSS v2.0 vectors assigned by 3 distinct vulnerability databases. Finally, FIRST and the CVSS SIG would like to acknowledge the contributions and leadership of Seth Hanford and Max Heitman, chairs of the CVSS SIG.

Introduction

Software, hardware and firmware vulnerabilities pose a critical risk to any organization operating a computer network, and can be difficult to categorize and mitigate. The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability, and produce a numerical score reflecting its severity, as well as a textual representation of that score. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

In short, CVSS affords three important benefits. First, it provides standardized vulnerability scores. When an organization uses a common algorithm for scoring vulnerabilities across all IT platforms, it can leverage a single vulnerability management policy defining the maximum allowable time to validate and remediate a given vulnerability. Next, it provides an open framework. Users may be confused when a vulnerability is assigned an arbitrary score by a third party. With CVSS, the individual characteristics used to derive a score are transparent. Finally, CVSS enables prioritized risk. When the environmental score is computed, the vulnerability becomes contextual to each organization, and helps provide a better understanding of the risk posed by this vulnerability to the organization.

This document describes the official CVSS v3.0 specification.

Metrics

CVSS is composed of three metric groups, Base, Temporal, and Environmental, each consisting of a set of metrics, as shown in Figure 1.

Figure 1: CVSS v3.0 Metric Groups

The Base metric group represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. It is composed of two sets of metrics: the Exploitability metrics and the Impact metrics. The Exploitability metrics reflect the ease and technical means by which the vulnerability can be exploited. That is, they represent characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component. On the other hand, the Impact metrics reflect the direct consequence of a successful exploit, and represent the consequence to the thing that suffers the impact, which we refer to formally as the impacted component.

While the vulnerable component is typically a software application, module, driver, etc. (or possibly even a hardware device), the impacted component could be a software application, a hardware device or a network resource. This potential for measuring the impact of a vulnerability on something other than the vulnerable component is a key feature of CVSS v3.0. This property is captured, and further discussed, by the Scope metric below.

The Temporal metric group reflects the characteristics of a vulnerability that may change over time but not across user environments. For example, the presence of a simple-to-use exploit kit would increase the CVSS score, while the creation of an official patch would decrease it.

The Environmental metric group represents the characteristics of a vulnerability that are relevant and unique to a particular user's environment. These metrics allow the scoring analyst to incorporate security controls which may mitigate any consequences, as well as promote or demote the importance of a vulnerable system according to her business risk.

Each of these metrics is discussed in further detail below.

Scoring

When the Base metrics are assigned values by an analyst, the Base equation computes a score ranging from 0.0 to 10.0 as illustrated in Figure 2.

Figure 2: CVSS Metrics and Equations

Specifically, the Base equation is derived from two sub-equations: the Exploitability sub-score equation, and the Impact sub-score equation. The Exploitability sub-score equation is derived from the Base Exploitability metrics, while the Impact sub-score equation is derived from the Base Impact metrics.

The Base score can then be refined by scoring the Temporal and Environmental metrics in order to more accurately reflect the risk posed by a vulnerability to a user's environment. However, scoring the Temporal and Environmental metrics is not required. Generally, the Base and Temporal metrics are specified by vulnerability bulletin analysts, security product vendors, or application vendors because they typically possess the most accurate information about the characteristics of a vulnerability. On the other hand, the Environmental metrics are specified by end-user organizations because they are best able to assess the potential impact of a vulnerability within their own computing environment.

Scoring CVSS metrics also produces a vector string, a textual representation of the metric values used to score the vulnerability. This vector string is a specifically formatted text string that contains each value assigned to each metric, and should always be displayed with the vulnerability score.

The scoring equations and vector string are explained further below.

Note that all metrics should be scored under the assumption that the attacker has already located and identified the vulnerability. That is, the analyst need not consider the means by which the vulnerability was identified. In addition, it is likely that many different types of individuals will be scoring vulnerabilities (e.g. software vendors, vulnerability bulletin analysts, security product vendors, etc.); however, note that vulnerability scoring is intended to be agnostic to the individual and their organization.

Base Metrics

Exploitability Metrics

As mentioned, the Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component. Therefore, each of the Exploitability metrics listed below should be scored relative to the vulnerable component, and reflect the properties of the vulnerability that lead to a successful attack.

Attack Vector (AV)

This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the Base score) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across the Internet is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater score. The list of possible values is presented in Table 1.

Table 1: Attack Vector (metric value, then description)

Network (N): A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed "remotely exploitable" and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers). An example of a network attack is an attacker causing a denial of service (DoS) by sending a specially crafted TCP packet from across the public Internet (e.g. CVE-2004-0230).

Adjacent (A): A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack; however, the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11) or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router). An example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery (IPv6) flood leading to a denial of service on the local LAN segment. See also CVE-2013-6014.

Local (L): A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability; otherwise, she may rely on User Interaction to execute a malicious file.

Physical (P): A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent. An example of such an attack is a cold boot attack which allows an attacker to access disk encryption keys after gaining physical access to the system, or peripheral attacks such as Firewire/USB Direct Memory Access attacks.

Attack Complexity (AC)

This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. As described below, such conditions may require the collection of more information about the target, the presence of certain system configuration settings, or computational exceptions. Importantly, the assessment of this metric excludes any requirements for user interaction in order to exploit the vulnerability (such conditions are captured in the User Interaction metric). This metric value is largest for the least complex attacks. The list of possible values is presented in Table 2.

Table 2: Attack Complexity (metric value, then description)

Low (L): Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component.

High (H): A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. [2] For example, a successful attack may depend on an attacker overcoming any of the following conditions:
- The attacker must conduct target-specific reconnaissance. For example, on target configuration settings, sequence numbers, shared secrets, etc.
- The attacker must prepare the target environment to improve exploit reliability. For example, repeated exploitation to win a race condition, or overcoming advanced exploit mitigation techniques.
- The attacker must inject herself into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g. man in the middle attack).

[1] See https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html for a description of the evil maid attack.
[2] Note that we make no comment regarding the amount of effort required. We simply consider that some amount of additional effort must be exerted in order to exploit the vulnerability.

Privileges Required (PR)

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. This metric is greatest if no privileges are required. The list of possible values is presented in Table 3.

Table 3: Privileges Required (metric value, then description)

None (N): The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack.

Low (L): The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources.

High (H): The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files.

User Interaction (UI)

This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. This metric value is greatest when no user interaction is required. The list of possible values is presented in Table 4.

Table 4: User Interaction (metric value, then description)

None (N): The vulnerable system can be exploited without interaction from any user.

Required (R): Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator.

Scope (S)

An important property captured by CVSS v3.0 is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges. This consequence is represented by the metric Authorization Scope, or simply Scope.

Formally, Scope refers to the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. In some cases, the authorization may be simple or loosely controlled based upon predefined rules or standards. For example, in the case of Ethernet traffic sent to a network switch, the switch accepts traffic that arrives on its ports and is an authority that controls the traffic flow to other switch ports.

When the vulnerability of a software component governed by one authorization scope is able to affect resources governed by another authorization scope, a Scope change has occurred. Intuitively, one may think of a scope change as breaking out of a sandbox, and an example would be a vulnerability in a virtual machine that enables an attacker to delete files on the host OS (perhaps even its own VM). In this example, there are two separate authorization authorities: one that defines and enforces privileges for the virtual machine and its users, and one that defines and enforces privileges for the host system within which the virtual machine runs.

A scope change would not occur, for example, with a vulnerability in Microsoft Word that allows an attacker to compromise all system f
Format: pdf
Size: 581KB
Software: PDF reader
Uploaded: 2017-11-07