Let's say a website has two vulnerabilities:

  1. Information Disclosure
  2. reflected XSS

Their impact by themselves is limited on the specific site, but when chained together the impact is raised much higher (e.g. transferring money to another account).

What would be the most appropriate way to present those vulnerabilities?

For brainstorming, I would say there are at least three options:

  1. Just have the two vulnerabilities without considering the chained impact
  2. Combine the two vulnerabilities in one with high impact.
  3. Have three vulnerabilities, the original two plus the affected critical functionality when the two are chained

The first option doesn't look appropriate; the third option, listing one extra vulnerability, might be redundant. The second option doesn't look too bad, but in the case that the two vulnerabilities are important by themselves, it could be more appropriate for both of them to have their own spot.

schroeder
tturbox

2 Answers

Your #3 is what is explicitly described in the CVSS User Guide:

CVSS is designed to classify and rate individual vulnerabilities. However, it is important to support the needs of the vulnerability analysis community by accommodating situations where multiple vulnerabilities are exploited in the course of a single attack to compromise a host or application. The scoring of multiple vulnerabilities in this manner is termed Vulnerability Chaining. Note that this is not a formal metric, but is included as guidance for analysts when scoring these kinds of attacks.

When scoring a chain of vulnerabilities, it is the responsibility of the analyst to identify which vulnerabilities are combined to form the chained score. The analyst should list the distinct vulnerabilities and their scores, along with the chained score. For example, this may be communicated within a vulnerability disclosure notice posted on a web page.

– Swashbuckler
  • Hmm, ok, let's say that by chaining the two vulnerabilities an attacker can: 1. transfer money to arbitrary accounts, 2. take over accounts. So if I understood correctly, the suggested method is reporting: 1. reflected XSS, 2. info disclosure, 3. money transfer to arbitrary accounts, 4. account takeover. Doesn't that inflate the report? What if there were 20 critical functionalities affected by just those two vulnerabilities? – tturbox Dec 12 '19 at 19:14
  • Then figure out the impact of each and logically OR them together. Suppose one function has low impact on confidentiality. Another has high impact on availability. Another has high impact on integrity and confidentiality. The logical OR is high impact on confidentiality, integrity and availability. Plug those in and compute the score. As for "inflating" something, remember CVSS measures severity, not risk. I think you may be trying to use CVSS for something for which it was not intended. – Swashbuckler Dec 13 '19 at 15:57
  • So you suggest calculating the logical OR of their impact and having it applied to each of the vulnerabilities? (If this is the case, then fixing one of the vulnerabilities should cause the scoring of the rest to change, since all the vulns depend on each other for their impact.) – tturbox Dec 14 '19 at 21:25
  • Also, even though CVSS in general cannot be used for assessing risk in general, given a vulnerability, plugging in the appropriate parameters that apply to a specific organization could be pretty accurate about the potential risk. – tturbox Dec 14 '19 at 21:28
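A worked version of the scoring described in the answer and the comment thread above, added here as an example (it is not code from the post): the C/I/A impact of every function the chain affects is OR-ed (the highest rating wins), and the chain is then scored once with the CVSS v3.1 base formulas. Borrowing the exploitability metrics of the chain's entry point (the reflected XSS, including UI:R) is an assumption of this example, not CVSS guidance, and the two vectors and three outcomes are constructed sample values.

```python
# Added example, not from the post: score a chain the way the answer suggests.
# Each affected function's C/I/A impact is OR-ed (highest rating wins) and the
# chain is scored once with the CVSS v3.1 base formulas, borrowing the entry
# point's exploitability metrics (an assumption, not CVSS guidance).
import math

AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},   # scope unchanged
      "C": {"N": 0.85, "L": 0.68, "H": 0.50}}   # scope changed
UI = {"N": 0.85, "R": 0.62}
CIA = {"N": 0.0, "L": 0.22, "H": 0.56}
RANK = {"N": 0, "L": 1, "H": 2}                 # ordering used for the OR

def parse(vector):
    return dict(p.split(":") for p in vector.split("/")[1:])  # 'AV:N' -> AV: N

def roundup(x):
    """CVSS v3.1 Roundup: one decimal place, always rounding up."""
    n = round(x * 100000)
    return n / 100000.0 if n % 10000 == 0 else (math.floor(n / 10000) + 1) / 10.0

def base_score(vector):
    m = parse(vector)
    changed = m["S"] == "C"
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    expl = 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR[m["S"]][m["PR"]] * UI[m["UI"]]
    if impact <= 0:
        return 0.0
    return roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))

def chain_vector(entry_vector, outcomes):
    """OR each outcome's (C, I, A) onto the entry point's metrics; return the chain vector."""
    m = parse(entry_vector)
    for outcome in outcomes:
        for k, v in zip("CIA", outcome):
            if RANK[v] > RANK[m[k]]:   # the entry point's own impact counts too
                m[k] = v
    return "CVSS:3.1/" + "/".join(f"{k}:{m[k]}" for k in ("AV", "AC", "PR", "UI", "S", "C", "I", "A"))

# Constructed sample: the two findings from the question plus the three
# affected functions from the comment (low C; high A; high I and C).
XSS = "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
INFO_LEAK = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
OUTCOMES = [("L", "N", "N"), ("N", "N", "H"), ("H", "H", "N")]

if __name__ == "__main__":
    for v in (XSS, INFO_LEAK, chain_vector(XSS, OUTCOMES)):
        print(f"{base_score(v):4.1f}  {v}")
```

The two findings score 6.1 and 5.3 on their own, while the OR-ed chain lands at 9.6; dropping an outcome or fixing one link changes only the chain line, which is the recalculation the second answer warns about.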
You may be conflating risk and CVSS. Vulnerabilities are scored individually; the chaining of vulnerabilities is an attack or an exploit, which is not what CVSS is intended to measure.

If you took option 2 or 3 and the website fixed only one of the vulnerabilities your score would be wrong and would need to be recalculated. If the website had 30 vulnerabilities instead of 2 this would be difficult as you would have to calculate every possible chain.

– wireghoul
  • I wasn't the one downvoting. The first paragraph, as already mentioned by @Swashbuckler, is not accurate (and CVSS is supposed to enclose the risk element). Now on the second paragraph, I guess you are right about option #2, but option #3 doesn't look too bad in your scenario. In case they fixed one of the two root vulnerabilities, then all the derived ones should be considered resolved. Fixing any of the derived vulnerabilities shouldn't affect the scores of the rest. – tturbox Dec 12 '19 at 20:02
  • Calculating chains is only applicable for CVSS3, and I guess I just don't trust people to use the same chains that I would use. When you have 10+ vulnerabilities in a product, calculating chains would be both cumbersome and not overly useful, but I digress. – wireghoul Dec 12 '19 at 21:15
  • I guess you are right in the sense that the report can't be complete (e.g. assessing every possible vulnerability combination). But I think this is not a reason for saying that no vulnerability chains will be assessed, especially when some chains make sense to be used together (e.g. self-stored XSS + CSRF =~ stored XSS). – tturbox Dec 12 '19 at 21:26