CVSS cheating

I have never touched on this topic before, but I have always wondered why EMC messes with the CVSS scores in its vulnerability reports. Below are some examples based on ESA-2015-131, each showing the vendor's score next to the one NVD assigned:

EMC score:

Authenticated Content Server users with sysadmin privileges may potentially escalate their privileges to become a super-user due to improper authorization checks performed on subgroups that exist within the dm_superusers group and other privileged groups. This may potentially be exploited by a malicious attacker to gain unauthorized access to data or to perform unauthorized actions on Content Server. The previous fix for CVE-2014-4622 was incomplete.
CVE ID: CVE-2015-4531
CVSS v2 Base Score: 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)

NVD score:

CVSS v2 Base Score: 9.0 HIGH
Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Impact Subscore: 10.0
Exploitability Subscore: 8.0

EMC score:

Authenticated non-privileged Content Server users are allowed to run save RPC commands with super user privileges on arbitrary objects. This is due to improper user authorization checks and object type checks being performed on these objects. This may potentially be exploited by a malicious, authenticated non-privileged user to perform unauthorized actions on Content Server including executing arbitrary code. The previous fix for CVE-2014-2514 was incomplete.
CVE ID: CVE-2015-4532
CVSS v2 Base Score: 8.2 (AV:N/AC:M/Au:S/C:C/I:C/A:P)

NVD score:

CVSS v2 Base Score: 9.0 HIGH
Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Impact Subscore: 10.0
Exploitability Subscore: 8.0

EMC score:

Authenticated non-privileged Content Server users are allowed to execute arbitrary code with super user privileges via custom scripts. This is due to improper authorization checks being performed on the objects created. This may potentially be exploited to perform unauthorized actions on Content Server. The previous fix for CVE-2014-2513 was incomplete.
CVE ID: CVE-2015-4533
CVSS v2 Base Score: 8.2 (AV:N/AC:M/Au:S/C:C/I:C/A:P)

NVD score:

CVSS v2 Base Score: 9.0 HIGH
Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Impact Subscore: 10.0
Exploitability Subscore: 8.0

EMC score:

Content Server delegates execution of business logic to an embedded java application server called “Java Method Server” (JMS). JMS fails to properly validate digital signatures, leading to the possibility of arbitrary code execution on the Content Server. An attacker capable of crafting a digital signature for a query string without the method_verb parameter may be able to execute arbitrary code in Content Server in JMS context, depending on Java classes present in the classloader.
CVE ID: CVE-2015-4534
CVSS v2 Base Score: 8.2 (AV:N/AC:M/Au:S/C:P/I:C/A:C)

NVD score:

CVSS v2 Base Score: 9.0 HIGH
Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Impact Subscore: 10.0
Exploitability Subscore: 8.0

As you can see, EMC typically tweaks the “Access Complexity” and “* Impact” metrics, even though these metrics are either self-evident (the attacker gains superuser privileges, so why was “Availability Impact” rated “partial”?) or have a pretty straightforward definition in the CVSS v2 guide:

Access Complexity = Medium
The access conditions are somewhat specialized; the following are examples:

  • The attacking party is limited to a group of systems or users at some level of authorization, possibly untrusted.
  • Some information must be gathered before a successful attack can be launched.
  • The affected configuration is non-default, and is not commonly configured (e.g., a vulnerability present when a server performs user account authentication via a specific scheme, but not present for another authentication scheme).
  • The attack requires a small amount of social engineering that might occasionally fool cautious users (e.g., phishing attacks that modify a web browser's status bar to show a false link, having to be on someone's buddy list before sending an IM exploit).
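The gaps above can be re-derived from the CVSS v2 base equation. The calculator below is an added example written for this post (not EMC's or NVD's tooling); it re-scores the advisory and NVD vectors quoted above and lists the metrics on which each pair disagrees, so the rounding and weights are the spec's, while the vector strings are the ones from ESA-2015-131 and NVD.

```python
"""CVSS v2 base-score calculator to re-check the vectors quoted above."""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 specification (base equation).
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}

def _round1(x):
    """Round half-up to one decimal, as the CVSS v2 guide prescribes."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

def parse_vector(vector):
    """Parse '(AV:N/AC:L/Au:S/C:C/I:C/A:C)' into {'AV': 'N', 'AC': 'L', ...}."""
    metrics = dict(p.split(":") for p in vector.strip("() ").split("/"))
    missing = set(WEIGHTS) - set(metrics)
    if missing:
        raise ValueError(f"vector lacks metrics: {sorted(missing)}")
    return metrics

def base_score(vector):
    """Return (impact subscore, exploitability subscore, base score)."""
    m = parse_vector(vector)
    c, i, a = (WEIGHTS[k][m[k]] for k in ("C", "I", "A"))
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    expl = 20 * WEIGHTS["AV"][m["AV"]] * WEIGHTS["AC"][m["AC"]] * WEIGHTS["Au"][m["Au"]]
    f_impact = 0 if impact == 0 else 1.176        # f(Impact) from the spec
    base = (0.6 * impact + 0.4 * expl - 1.5) * f_impact
    return _round1(impact), _round1(expl), _round1(base)

def diff_vectors(vendor_vector, nvd_vector):
    """List the metrics on which two vectors for the same CVE disagree."""
    v, n = parse_vector(vendor_vector), parse_vector(nvd_vector)
    return {k: (v[k], n[k]) for k in WEIGHTS if v[k] != n[k]}

if __name__ == "__main__":
    # Vectors as quoted from ESA-2015-131 and the matching NVD entries.
    nvd = "(AV:N/AC:L/Au:S/C:C/I:C/A:C)"
    advisory = {"CVE-2015-4531": "(AV:N/AC:H/Au:S/C:C/I:C/A:C)",
                "CVE-2015-4532": "(AV:N/AC:M/Au:S/C:C/I:C/A:P)",
                "CVE-2015-4533": "(AV:N/AC:M/Au:S/C:C/I:C/A:P)",
                "CVE-2015-4534": "(AV:N/AC:M/Au:S/C:P/I:C/A:C)"}
    print("NVD:", nvd, base_score(nvd))
    for cve, vec in advisory.items():
        print(cve, vec, base_score(vec), "changed:", diff_vectors(vec, nvd))
```

Running it reproduces NVD's 10.0 / 8.0 / 9.0 and the vendor's 7.1 and 8.2 exactly, and shows that every vendor vector differs from NVD's only in AC plus one of the Impact metrics.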
