
I have drawn an attack graph for a file-sharing application (e.g. Dropbox) where a database stores details of virtual machines, e.g. memory space left, etc. I've listed some possible attacks:

  1. The attacker can reduce the memory size assigned by some amount (e.g. if I'm assigned 2 GB of memory, the attacker can reduce it to 1 GB by manipulating the database records)
  2. The attacker can reduce the memory size assigned to zero (e.g. as in the previous case, but there is no memory space left and so I can't upload any files)
  3. The attacker can make repeated attacks and reduce the memory size (e.g. as in point 1, where the memory size was reduced to 1 GB; the same thing is repeated and the memory size is reduced to 0.5 GB)
  4. The attacker can hack a link between the downloader and the file location and get the file

I need to calculate CVSS. How do I match the attacks I've listed to those in CVE?

Luc
  • It seems you have two separate questions. 1. How do I look up CVEs? 2. How do I calculate CVSS? – Daisetsu Feb 13 '14 at 22:35
  • Check out first.gov/cvss for full documentation on how CVSS works, as well as links to calculators. – atk Feb 13 '14 at 22:42

2 Answers


I would go with the CVSS calculator from NIST, which you can find here: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

If the vulnerability can be exploited over a non-adjacent network, the Access Complexity is Low, and the attacker needs to authenticate multiple times, you have

AV:N, AC:L, Au:M

No impact on Confidentiality and Integrity but a complete impact on Availability gives

C:N, I:N, A:C

which together give the following scores

Base-Score: 6.1
Base-Impact: 6.9
Exploitability: 6.4

and an overall score of

6.1

makes it a major vulnerability. You can further calculate the Temporal and Environmental scores on the NIST page.

fr00tyl00p

Why do you have to match the CVSS score of an attack to the CVEs? The CVSS score for a particular CVE is calculated generically, without keeping any specific application in scope. But if you are calculating a CVSS score for your application, then you should consider all the points which are related to that application.

For example, in the NVD database for a CVE, the CIA is marked as Low. But your application deals with highly confidential data. Thus the same vulnerability in your application will have C&I vectors as HIGH due to the type of data it is dealing with.