
NIST SP 800-33 2.0.1 says that the "availability" part of the CIA triad protects against intentional or accidental attempts to either:

  • perform unauthorized deletion of data or
  • otherwise cause a denial of service or data

This makes it pretty clear that the ability to delete data does in fact modify availability from a security standpoint in general. However, the CVSS v2 spec states:

This metric measures the impact to availability of a successfully exploited vulnerability. Availability refers to the accessibility of information resources. Attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

All of the examples provided discuss service availability, not data availability. I know that CVSS v3 clears this up by explicitly stating:

...That is, the Availability metric speaks to the performance and operation of the service itself – not the availability of the data.

When scoring a vulnerability which provides the ability to delete data with CVSS v2, do you score it as impacting availability? Is it safe to assume that this clarification can be back-ported to v2?

Wrycu

1 Answer

This is quite an interesting question and an aspect I struggle with myself. "If Integrity is violated in a way that I can create new users, will it affect the other two properties?", for example.

I think the answer is maybe, even when it is a bit counter-intuitive to have three properties when they are often linked.

In your case there is an example in the CVSS 3.1 User Guide which states that losing confidentiality of a root password does impact integrity and availability of the system (as long as the analyst assumes the credentials can actually be exploited).

In vulnerability 2, a local, low-privileged user can send a trivial, crafted request to the operating system which causes it to disclose the plaintext password of the root (administrator) account. The analyst knows from the Exploitability sub-score metrics and the vulnerability description that the attacker has access to the operating system, and can log in as a local, low privileged attacker. Gaining access to this password represents a direct, serious loss of Confidentiality, Integrity, and Availability because the analyst can reasonably issue commands as the root / administrator account (assume that the attacker could log out from their own account and log back in as root): Base Score: 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

The example talks about issuing commands (it is not clear if this is limited to shutdown commands or also data delete commands; maybe this would be the line to draw when judging impact: if you can delete data files then integrity is violated, when you can delete system files then availability is impacted). And yes, this violates the classical (NIST, GDPR) availability definition, but CVSS seems to be reasonably specific on this point.

eckes