
The CVSS score for Logjam is (AV:N/AC:M/Au:N/C:N/I:P/A:N).

[image: interactive CVSS v2 vector breakdown for Logjam, showing the Confidentiality impact as None]

As noted in that nice dynamic image interpretation, the Impact metric "Confidentiality" is described as "None" (C:N).

But the description at Logjam notes "there is a passive network adversary able to eavesdrop" for Attack 1, and has a video displaying the plaintext of a post to an FBI site. Surely that merits at least a partial confidentiality impact (C:P).

And of course if that or the impersonation attacks can be employed against the right user, you can also potentially get full access to information on the server's confidentiality, integrity and availability. But I guess they don't count those follow-on attacks.

  • I'd love to hear their justification. It seems wrong to me. My first thought was they might have considered that an indirect impact, but that doesn't seem right to me either. I agree that it should be at least partial, if not a complete confidentiality breach. – Xander Jun 30 '15 at 21:27
  • @Xander: [IBM does in fact list this as "C:P"](http://www-01.ibm.com/support/docview.wss?uid=swg21957980). Which makes me wonder who gets to decide on CVSS ratings. – StackzOfZtuff Jul 02 '15 at 09:10
  • 1
    @StackzOfZtuff The vendor of the affected software generally calculates the CVSS as a part of a coordinated release. For instance, at my previous company, I was responsible for scoring vulnerabilities that were found in the product I was the security architect for. I don't know who would have done it in this case though. Possibly the researchers themselves. – Xander Jul 02 '15 at 11:30
  • @StackzOfZtuff Wow - fascinating. And IBM rates it as I:N also (no integrity impact), which may reflect an assessment that it is much harder to get MITM there, IIRC. – nealmcb Jul 02 '15 at 14:18

1 Answer


I can't tell you how NVD came up with their, let's call it baseline rating. But I can tell you that not all vendors have followed that baseline rating.

Ratings survey

I don't understand the baseline either.

FIRST.org gives some CVSS examples on how you're supposed to score vulnerabilities. I'm assuming that for these examples they have been careful to rate correctly.

They are scored using both CVSS v2 and CVSS v3.

And they list two SSL/TLS vulnerabilities. Number 3, which is POODLE. And number 20, which is a ChangeCipherSpec vulnerability. And they both score "C:P (partial)" in CVSS v2.

And going by these examples I would score Logjam as C:P as well. NVD hasn't. I don't know why.

Edit history

For the long and convoluted evolution of this post, see the edit history.

  • That is more of a change to the description than a change to the criteria though. Certainly other CVEs that are attacks on the transport layer only have been rated as threats to confidentiality, so this is not a common interpretation of the metric. See: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2859 for example. – Xander Jun 30 '15 at 21:27
  • Yes. The examples that FIRST.org give themselves also use that interpretation. So if that's what they meant all along (and what would be intuitive) then the CVSS v2 definition/description uses some very unfortunate wording. – StackzOfZtuff Jun 30 '15 at 21:50
  • Interesting also that SCIP ranks it as "high" access complexity. That may apply to the Integrity and Availability scores they give, and I suppose that for a time it might apply to the Confidentiality score. But it seems to me that the best scoring is by Polycom, IBM and Redhat: [(AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3](https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2015-4000&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:P)) – nealmcb Jul 04 '15 at 14:01
  • Can you consolidate your answer to lead with the variety of ratings, which really helps inform our speculation about why they make these choices? Also, since there are 4 distinct attacks, I suppose they might come up with a rating for each.... Then I'll accept it. Thanks for the very helpful research! – nealmcb Jul 04 '15 at 14:06
  • Done. I've turned it into a more coherent format. – StackzOfZtuff Jul 05 '15 at 14:12