20

I've been looking for information about vulnerability classification and it's not completely clear to me.

Reading the CVSS documentation (2.1.1. Access Vector) I observe the following explanation about the N (Network) value for AV (Access Vector):

"A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed "remotely exploitable". An example of a network attack is an RPC buffer overflow."

In my opinion, this means that the vulnerability can be exploited remotely, but possibly also locally ("not required").

Am I right?

bain
vuln newbie
  • Most of the time, but sometimes not. Example: Let's assume there is a bug in NFS, but to exploit you need to bind to a port < 1024. If you are not root, you might not be able to exploit it. If you are root, then there is nothing to exploit. – Johannes Kuhn Aug 29 '19 at 17:00
  • Good question, and important. A network firewall may negate a specific network vulnerability, but only for attacks that would pass that firewall. – MSalters Aug 30 '19 at 15:40

5 Answers

34

"Local access" means that you need to be on the machine.

"Local network access" means that you need to be on the same network segment. This level of network access allows for specific access to the traffic and exposes different vulnerabilities.

"Remote network access" means that it is exploitable even if you are not on the same network segment. But you also could be.

The classification means the minimum level of access, not the only means of access.

schroeder
25

this means that the vulnerability can be exploited remotely, but possibly also locally

You are correct. If something is network-exploitable, then under typical circumstances, one can also exploit it locally. If I run a vulnerable service that crashes when you visit "example.com/crash.php", then it will also crash when you visit "localhost/crash.php" on the machine itself.

The network vector is more severe than the local vector, because you do not need local access, but of course if you're on the machine already, you can (typically) do anything that a remote attacker can also do.

Luc
  • The network attack may still be appealing if it grants you access to a different user, especially if the new user has higher privileges. – Conor Mancone Aug 28 '19 at 11:21
  • @ConorMancone but if it can be done over the network, you can run that locally too right? The web server doesn't care (or know) from which system user the request originated (if the web server is the vulnerable component, that's just an example of course). – Luc Aug 28 '19 at 12:15
  • Yes, very much. I wasn't disagreeing with your answer. My point was just that even if you already have local access, you still might attempt a network-level exploit on the machine, if success will give you access to a more privileged user. If for instance you happen to break in as a low privilege user and then find a network-level attack that will give you access to root on the same machine, it would obviously be a big win. I.e. there are some cases where you would attempt a network attack even if you already have local access. – Conor Mancone Aug 28 '19 at 12:23
  • @ConorMancone Ah, now I understand what you meant to say :) – Luc Aug 28 '19 at 12:56
  • The one exception to this is a vulnerability in the network stack itself: if the exploit requires, for example, a malformed packet coming off the wire putting the network card into an unexpected state, you'll need to find somewhere to bounce that packet off of to perform a local attack. – Mark Aug 28 '19 at 20:10
  • @Mark I never needed this so I never tried, but wouldn't (nearly?) any router bounce the packet back to you if you send it addressed to your own MAC address? Or perhaps the router's MAC but your internal IP? Should be fairly easy to test with scapy. That is assuming that writing a raw packet to the right device would be sent out. – Luc Aug 28 '19 at 21:51
  • @Luc Writing raw packets often requires elevated privilege. If you only have access to an unprivileged account on the local machine, you wouldn't be able to forge that. – Barmar Aug 28 '19 at 22:06
  • @Barmar Ah true, good point. I guess any packet with a local destination would just be caught by the OS instead of sent out for bouncing. – Luc Aug 28 '19 at 22:15
3

I think it would be theoretically possible to have an exploit that works only remotely, but not from the same machine.

For instance, a vulnerability in how packets received are handled by the hardware driver may not be exploitable from the local machine, as it's difficult to bypass loopback mechanisms built into operating systems.

I'm not saying that such attacks actually exist, merely that it's possible to conceive scenarios where a particular attack may be difficult or impossible to perform from the local computer.

vidarlo
1

What's meant here is that "remotely exploitable" refers to the (intermediate) use of the network stack to exploit a vulnerability on that system and to gain access via the network. Probably one is able to exploit that vulnerability locally, but then you wouldn't call it "remotely exploitable".

okoester
-1

Correct in most cases, however there will be some circumstances where this doesn't apply. For example, in a heavily locked down corporate environment where user devices only allow some processes to run, and required tools can't be imported to local machines.

Gethin LW
  • The question is about the classification of the vector. Of course there will be a million things that might not make it possible in any one instance, but that does not affect the classification of the vector. – schroeder Aug 29 '19 at 08:41
  • I don't think they were asking about how to classify it. – Gethin LW Aug 30 '19 at 09:19
  • The question is quite literally about the classification of the "N" vector. CVSS cannot account for every detail of the environment or implementation details. The N vector describes the type of vector used. There is already an inherent understanding that there might be mitigating factors. – schroeder Aug 30 '19 at 09:39