
I'm having some trouble calculating CVSS v3.0 scores in some findings I've encountered.

In particular, one finding is a simple server information disclosure via default error pages. It is very similar to the following: https://nvd.nist.gov/vuln/detail/CVE-2017-4013

Using the CVSS v3.0 calculator, I have also arrived at the exact same CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) and score (5.3, Medium).

Intuitively, this finding shouldn't be a Medium since attackers can't really do much via banner disclosure. I would think it should be a Low or even Informational. IMHO, CVSS v3.0 calculator does not provide enough granularity in the C/I/A impact components to properly account for this.

However, I notice in the link above that there's also an "impact score" and an "exploitability score", which are appropriately low in both cases. There's no mention, however, of how these are derived, neither in the link nor in the CVSS calculator at first.org. A quick Google search doesn't yield anything either.

May I know how these are calculated, and can they be used to modify the risk ratings?

user1118764
  • One possibility is to consider server version information not "confidential", and set all impacts to "None". This results in a 0.0 score, thus making it informational. – Sjoerd Sep 25 '18 at 08:22

2 Answers


The CVSS calculator on NVD has a button "Show Equations" which, as you would expect, shows the equations for the various values including impact and exploitability.

The issue with the base score in this instance is that when dealing with a loss of confidentiality the equation doesn't take into account the sensitivity of the data that is disclosed. Is it salted and hashed passwords? Unhashed passwords? Or the specific implementation of a web server? It matters when assessing risk, but isn't taken into account by the score.

So, now it depends on why you're calculating the score: are you getting a CVE? Are you trying to assess risk? Or something else? If you're trying to assess risk, then use the base score as a guide and adjust as you believe appropriate.

To be honest I don't see this as a vulnerability as the banner information in and of itself cannot be directly used to attack the software, though it can be used to more easily find attacks. We use Nessus to scan our products for issues and Nessus reports banners being available as "informational" for that same reason.

Swashbuckler
  • I agree that it isn't much of a vulnerability; I would qualitatively put it as Low/Info. I also agree that the calculator doesn't take into account the data sensitivity. I am using the calculator to assess risk in a quantitative way, so that different assessors can come up with the same result, ignoring human judgement. – user1118764 Sep 27 '18 at 06:41

According to the NVD NIST site, it looks like they are reassessing it. I am looking at another site, CVE Details, and it looks like they gave it a slightly lower score: https://www.cvedetails.com/cve/CVE-2017-4013/

According to https://www.cvedetails.com/cvss-score-charts.php, a score of around 5 seems to be within the range of most entries, with scores of 4-5 and 5-6 capturing 20.40% and 19.20% of total entries. According to that site, the weighted average CVSS score is 6.6, and therefore 5-5.3 would make it less than average in terms of scores. Also, a score of 4.0 - 6.9 would classify it as Medium (see https://www.first.org/cvss/specification-document). So if the vulnerability is Low, it should only reach a score of 0.1 - 3.9.

NASAhorse
  • The slightly lower score in the link you provided is calculated based on CVSS v2.0. This score and the CVSS v3.0 score are both presented in the original link I posted. In any case, I agree with the calculation; I just don't agree with the final score, because instinctively, a banner disclosure shouldn't have a higher CVSS score than, say, a stored XSS, which can yield a score of <5.0. – user1118764 Sep 26 '18 at 06:46