26

During a web application test I have discovered a parameter tampering issue that allows a user to delete comments left by other users. They can't modify the content of other users' comments, and they can only view them where this is intentional.

I'm now calculating the CVSS score using this calculator. It's pretty clear that the confidentiality impact is none, but I'm unclear about the others.

So my question is: for the purpose of CVSSv3, is unauthorised deletion an integrity issue, or an availability issue (or both)?

Anders
paj28
  • I'm not familiar with CVSS in any way, but unauthorised deletion would be an integrity problem to me. An availability issue would rather be a case where the information is made non-accessible, but still exists. – M'vy Dec 15 '16 at 13:22
  • Availability applies to services, not pure data. A change in availability doesn't change any information. So this is an integrity problem. – Arminius Dec 16 '16 at 00:55
  • In the time it took you to calculate the CVSS score, you could've isolated the problem and prepared a patch. – DepressedDaniel Dec 16 '16 at 01:25
  • @DepressedDaniel - This is a client app, so it won't be me doing the patch. I guess the effort of asking for **this particular** app is disproportionate - but getting this right now helps all future similar instances. – paj28 Dec 16 '16 at 09:22
  • Survey says... "Yes" – Joel Coehoorn Dec 16 '16 at 19:13
  • @JoelCoehoorn - Survey says... "Integrity" :-) – paj28 Dec 16 '16 at 19:52

5 Answers

32

As pointed out in this (unanswered) question, Availability in CVSSv3 is about how well the web service performs, not whether its data is available:

While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the impacted component, this metric refers to the loss of availability of the impacted component itself, such as a networked service (e.g., web, database, email).

To answer your question: only Integrity is relevant here.

Rhymoid
12

I would say it presents a clear Availability issue, as the attacker is able to completely remove that specific resource and prevent other users from accessing it.

I would also say there is an Integrity issue too. The calculator defines a low score on integrity as "modification of data is possible", which I would say is certainly the case here.

To answer your question: both. How you score depends on how important those comments are to your application.

iainpb
  • Thanks. I agree with your (and M'vy's) take that it's an integrity issue. I've decided to rate it as "availability impact none" on the basis that access is always available - but perhaps to modified data. I think rating it for both would be "double counting" – paj28 Dec 15 '16 at 14:43
  • To fix "double counting", you could count it as maximum of both ratings. – domen Dec 15 '16 at 16:00
  • @domen If I do just one low I get 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) but both low is 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) – paj28 Dec 15 '16 at 16:05
4

INTEGRITY

After deletion, the resulting dataset will assert that no such comment was ever left. That assertion is in error.

  • The integrity of the dataset is in question. We don't know it's incorrect unless we know that this exploit has been committed against it. It may be difficult to prove depending on what records it keeps. – Billy left SE for Codidact Dec 15 '16 at 21:32
  • You've set up a hypothetical scenario where the deletion *has* occurred. So your statement, "After deletion...the integrity is in question," is not as accurate as it should be. See my suggested edit. – Wildcard Dec 15 '16 at 21:34
1

It depends on whether your service has extensive backup procedures in place. If your backup procedures take into account bugs and user errors that could result in data loss, and the user submits a request to have this data restored, or you discover the vulnerability and are able to assert that all comments that were improperly deleted are still available in the backups, it could be argued that it is an issue of availability as the data is simply temporarily unavailable, until a DBA restores it. Not much different from, say, making all comments private by accident.

Only when the records are permanently lost does it become a plain and simple data integrity problem.

Furthermore, there could be issues of confidentiality if an attacker may delete comments that they are otherwise not allowed to see, as some metadata can be inferred from the (prior) existence of the comment, based for example on the sequence number of such a comment. You could for instance infer periods of activity or inactivity, the number of comments an element receives…

sleblanc
  • Interesting take. I think it has nightly snapshots, so a comment will be backed up if it's existed overnight. However, there is no process for a user to request a restore from backup and the effort would be disproportional. – paj28 Dec 16 '16 at 09:24
1

I'm not familiar with CVSS, but as a sysadmin, I'd take your problem to be an integrity issue - that is, one part of the system is incorrectly able to affect another part of it. In your case, that's user B is able to delete user A's comments.

It's unlikely a sysadmin would be able to resolve this problem without some app changes, but one could imagine a similar problem on (say) a network drive on a work server. User A saves an important document, but user B deletes it (and it never makes it to nightly backups). This would be treated as an integrity issue and we'd find a way to separate the users such that user A can read/write to an area, but B can only read from that area. We wouldn't call it 'availability' because the network drive was working (as advertised) throughout.

This also brings up the question of "as advertised". My network share example has some implicit "terms of service" (I say implicit, because I'm not sure anyone writes them down), as does your web app. Whilst it's unlikely many web apps that allow any user to delete any other user's content would be considered terribly useful, you could argue that it's supposed to be like that, and that you'd need an extra layer of software to separate users' content. This is somewhat arguing semantics, but it may help to understand my perception, at least, of 'availability' versus 'integrity'.

Ralph Bolton