
And this is my presentation, Settle the Score: CVSS Fundamentals. We will be going over just the basics of everything about CVSS, because a lot of times people know that the score exists, but how do you get that number? Well, that's a big question. One of these days the clicker will work.

First, I've been programming for eight-plus years, and I've been working somewhere within the cyber community, learning about all of that, for about six years. I'm also an avid enjoyer of Magic: The Gathering and a flautist in a video game flute choir, for that extra little spice. Then my professional experience: I have been with Lockheed Martin since 2019 through a bunch of different teams. I was developing on the M few team, working a lot with RF, from 2019 to 2021; then I was transferred over to their dice team, doing a lot of incident response and working in that area from 2021 to 2022; and now I'm currently working with offensive cyber operations, where I do a lot of development for the actual cyber community, which is pretty cool. I also have a bachelor's in computer science, having graduated as of yesterday, and you can see a bunch of smiling faces, so a very busy weekend for me, as you can tell.

So now, the start of it all: CVE and CVSS. You know, a bunch of alphabet soup, and of course there will be a lot more acronyms to go over as we go on, and we'll be rushing through those. So what exactly is a CVE? Well, actually, CVE is Common Vulnerabilities and Exposures, and that is the entire list of all of the exposures; typically, if someone refers to a CVE, they mean an entry inside of the CVE list, but, you know, semantics. Everyone knows what you're talking about when you say it. What exactly it is is a publicly documented security flaw found in some sort of code base, like exploiting a buffer overflow that leads to code execution, all of that little fun stuff that us hackers get to do. It is maintained by MITRE, as you might know from the MITRE ATT&CK framework, just a fun little company there, and it was established in 1999. All of these are stored in a lot of fun places, like the National Vulnerability Database, which is maintained by someone in the government, and CVEs are given out by CVE Numbering Authorities. A bunch of different companies are CNAs; you can have one from, let's go with, Lockheed, Oracle, all of those places that maintain software, and they get assigned a number of CVE IDs that they can assign throughout the year. So if you see a bunch of numbers close together from a certain company, it's not because someone found a flaw right next to another in that same company; it's just because they have that block of numbers to use.

Then here's an example of a CVE ID number. The Log4j attack is the one I'll be using for just kind of the example while going over the intro, and Log4j, as you know, was the one where everyone's Minecraft got hacked, including yours. How it goes is: CVE, then the year that it was found, and then the number assigned for the CVE ID.

Now, what qualifies for a CVE? It needs to be independently fixable. So, for example, if it is something that you need to fix by fixing about three different other bugs, then it's not just a CVE; you need to be able to just fix that one patch and then you're fine. It needs to be acknowledged by the vendor or well documented, so either the person that developed the software needs to say, hey, this is a problem, or someone needs to come out with documentation saying that this goes against the security policy and that it impacts the actual usability and security functionality of the code. Then it also needs to be affecting one code base: if a CVE affects multiple different products, then you would get a CVE number for each different product that it affects. And if there is no way for the bug to be fixed without fixing that one different code base, and that code base is used by a bunch of different products, and that is the only reason that it is combined like that, then it would have one specific CVE for those multiple different products, but that's a rare case.

So what exactly is CVSS, now that I've kind of defined and gone over the basics of CVE? Well, it stands for Common Vulnerability Scoring System, and what exactly it is is just kind of a measure of the severity of a given exploit or exposure. It is owned and managed by FIRST; FIRST stands for the Forum of Incident Response and Security Teams, and it's been maintained since 2005. Then over on the left you can see kind of the difference in ratings between CVSS version 2 and CVSS version 3. CVSS version 3 has a lot more differences than just how it's rated; we'll be going over that a little bit. But as you can see, the higher the number, the more severe it is. Then at the bottom of my bullet points you can see a bunch of letters; those will make sense later on, but I just wanted to show an example of a written-out CVSS score, so that way you can actually qualify it or quantify it.

Now, how do they relate? I know that this talk is about CVSS and you guys are all very intrigued in CVSS, but it relates to CVEs because most CVEs are assigned a CVSS score, and just having a CVSS score without actually knowing the thing that it's attached to is pretty useless. Like, oh hey, something got assigned a 10. Cool, what was that something? And so the CVE kind of gives you that context for what it is. It also shows the severity of a specific documented CVE, so people can accurately identify the threat level of different exploits.

So, a brief history of version updates. CVSS version 1 was created in February of 2005. The first release was found to be pretty buggy, so they updated to CVSS version 2 in 2007, and then, of course, again, nothing with its first release patch is going to be perfect, so users needed too much knowledge of vulnerabilities for CVSS version 2 to be accurate. You're never going to know everything that's going on inside of an exploit. Then for CVSS version 3, it needed a bit more clarification but not an entirely new formula change, so they came out with CVSS version 3.1 in June of 2019, and that's what's pretty widely used today. Some places are still using CVSS version 2, but typically the scores aren't too far off; there were a lot of differences, though, with some being scored a bit too highly in CVSS version 2.

Why is this important? Why is CVSS something that is used in a lot of places? Well, first, it's free and open, so free and open that I was able to make an entire PowerPoint on this. But also it's not proprietary information; I can use this inside of my company, someone else can use it inside of their company, and it's a way for everyone to be able to accurately communicate the severity of different flaws. It doesn't matter if I am scoring something between 17 and 203, because we all know that someone out there is going to use arbitrary numbers to score something; you are able to have the same number compared between different companies, so that way everyone can have communications between companies to talk about these kinds of threats. So it's extremely important to have good and open communication between companies. And then, stripped directly from their website: CVSS was designed to provide open and universal standard severity ratings of software vulnerabilities. It's just great to be able to have an open conversation between companies.

So what makes up a CVSS score? This little snippet is directly from the CVSS score calculator on their website. You can click the little categories, and when you do that it tells you what score it's going to be, and here you have all of the different metrics that something with CVSS is defined by. So, you know, with the attack vector it's either going to be Network, Adjacent Network, Local, or Physical. We'll be going more into depth about the specific categories later, but I just wanted to show a little bit bigger picture. So that string of letters that I showed you guys earlier, that I said I'd be going more into depth on: this is where you get all of those values, where you would say attack vector N, and then the next one you would say attack complexity, let's go with L. And here is that string at the bottom, with the Minecraft attack, just so that way you can see where I was getting those letters from.

Now I'll be going into depth on what the different metrics mean. First, with the exploitability metrics, you have the attack vector, and this is the level of access required to exploit the vulnerability, meaning whether you need to be physically at the computer, or just across the network, or locally there. So it's kind of where you need to be in the context of the exploit. Then we have the attack complexity: it factors what is out of the attacker's control to exploit the vulnerability. A low attack complexity means that all of the factors needed to exploit it would be inside of the attacker's control, so everything they need to do is within their hands, and a high complexity means that they kind of need to wait for specific circumstances or those kinds of things. The privileges required, as you can probably guess, is just whether or not you need admin privileges, or what kinds: so None would be no privileges required, maybe a guest account; Low would be any common user; and High would probably be admin. Then we have the user interaction: the necessity of a willing or unwitting participant to succeed, so either someone clicking on that link that you told them not to click on in the phishing email, or someone downloading a file that they really shouldn't have, or it can be someone physically at the computer saying, oh, I hate this company, they fired me, I'm gonna help this hacker exploit some malware, and you have that man inside. So None would be no user interaction, and Required would be any one of those situations.

Now we have the impact metrics, and I know for all of you that have either studied for or got your Sec+, the CIA triad is going to look very familiar to you. You have the confidentiality impact, and so it's the amount of data that the attacker gains access to, and then None, Low, or High; all those three are the same for these three categories. Then you have the integrity impact, the ability for the attacker to change the physical data, and then you have the availability impact, which is the ability to change the accessibility of the data, so I guess changing privileges, probably executables, but anything where you're changing the availability. And now we have the scope metric, either Changed or Unchanged. The scope is whether this exploit can propagate to other components, like leading to more exploits being used. For example, if I'm able to get a certain hack inside of a computer, does that open the door for me to be able to use a bunch more, or is it kind of a one-and-done scenario?

So all of those metrics before were just for the base score, and that's what is next to any sort of CVE, because it doesn't change. These are two other scores that you can have; I won't be going over these two too much in depth, but they are temporal and environmental. The temporal score kind of adds to the base score with metrics that change over time, like if an exploit is a lot more severe when you first learn about it, or if over time it becomes maybe more documented and, wow, it's a lot worse than we thought. And so this is how the score would change over time. The second one is environmental, which is factors that change from person to person, like maybe your level of antivirus software or your operating system and that kind of thing, so it's the severity of the attack based on each person. You can't exactly just slap this score onto every CVE, because it changes so often, so these two aren't as widely used as the base score.

Now here we go into a case study, where I go a little bit into dipping my toes into vulnerability exploitation and showing my thought process while using my knowledge of CVSS and what the scores mean to think, yeah, I could do that, I could totally do that. So my first thought was, let's look at the top 10 exploits in 2022. What all happened? There were the obvious ones, like Log4Shell, Spring4Shell, and the Chrome zero-day, but everyone has done a talk about that, so I wanted to do something that maybe wasn't as widely known. On the PurpleSec website was CVE-2017-1182, and I saw that an exploit from 2017 was still extremely widely used in 2022, and that was pretty interesting to me. Like, how is that still viable five years later? So I was like, yeah, sure, I'll check this out, I have nothing better to do.

So what exactly is it? It's a bug in multiple versions of the Microsoft Office Service Pack that allows an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory. What does that mean, to some people who don't know what that means? Well, the Microsoft Office Service Pack is handling data in a way that it shouldn't be, and that leads to you being able to redirect what code it should be executing next and inject your own code inside of that. So instead of running the next line, you're now running whatever hack I put into it, and in my case it was running, I think, the command line. Over on the left you can see the picture, just the physical picture, because I know that that blob of letters below probably doesn't synergize with everyone. So I saw that you needed to be local, and, well, I'm local, I have my computer, I can execute that. The attack complexity was low, and the privileges required were none, and both of those appealed to me, because that is something that, if exploited, could be pretty dangerous, because you don't need any privileges or extraneous circumstances to do it. It does need user interaction, but it's mostly just that the user needs to click on the thing that you want them to, unwittingly or wittingly. The scope is unchanged, and that didn't matter to me as much, because I was just kind of seeing if I could run this on my computer. Then the cool part is that it impacted all of confidentiality, integrity, and availability at a very high level, which appealed to me, because if this is a simple attack that I could do and it has this amount of data change and access, then that's pretty rad. Through all of these things it had a base score of 7.8, which is pretty high, and the reason that it wasn't, you know, a perfect 10 was because of the scope being unchanged, the attack vector needing to be local, and the user interaction needing to be required.

So, trying to test the exploit: after about 30 seconds of searching on the internet, with the Google search parameters being just the CVE ID, I found a GitHub link, and, as everyone knows, GitHub's pretty cool. Guys, I love GitHub. The contents of this repository were not only a README with extremely good documentation; there were comments everywhere that I needed them to be. There was an entire exploitation script in Python, where you just kind of needed to run it with the different command line arguments, with the extremely good documentation that it gave me. It was great. It also had debugging instructions with specific breakpoints, where if it didn't work, hey, here's where you go to look. Extremely well documented, it was great. The hacker community wants you to hack others.

So here are the steps taken, very riveting: I downloaded the script, I ran the script with the instructions given, so just the very few command line arguments, it created an executable, and then I clicked on that executable. Very riveting, very obviously difficult. I'm kidding, this was very easy.

Does it work? Long story short, yes, but I have Windows Defender, and Windows Defender really wants to help me, except for when I'm trying to create a presentation about exploiting my computer. Short story long-ish (I swear that there's more to my presentation): after realizing that my Python version was wrong (remember, kids, Python 2 can save lives), quite literally all I needed to run was the exploitation script the way that it was telling me to, with saying cmd.exe, that's the executable that I wanted it to run, with the output file of the name, and then I run the output file. Then, of course, Windows Defender deletes the script and gives me the little fun pop-up. It's doing its best, but that does mean that I was trying to do something that I shouldn't have been, which I count as a personal victory.

So, connecting it back: that was a very simple exploit for me to do. I showed you the steps, I showed you why I thought that I'd be able to do that, and it worked enough. But if my system wasn't patched for it, I would have been able to impact the security on my device to a very substantial amount. As I've said before, it had very high scores for confidentiality, availability, and integrity of data, which was pretty interesting to me.

So here are the takeaways. Windows Defender: it's pretty good. I don't think I have other antivirus software on my system, because I already knew Windows Defender does not suck. Hackers make it very easy for people to get their hands on potentially dangerous software; again, 30 seconds of Googling gave me the exploit script that I needed to run that exploit. And knowing why something has a high CVSS score can save a lot of heartache. It had very easy steps for me to take through, and I thought that I could do it because I read the information that was easily given to me, and I used it to the best of my ability, and I was able to succeed and give this talk to you all. So thank you, my name is Beth Mosang, and you can follow me on the Twitter account that I don't use and just made so I would be able to put it on this presentation. Thank you. Any questions?

[Applause]

Yes. The top critiques are that it's still just a score; there isn't as much documentation of more of the specifics. Like, yes, it says user interaction required, but does it mean that someone just needs to arbitrarily click it, or someone needs to knowingly do it? Essentially, it just doesn't have as much detail as it probably should have. Other critiques, probably, are that it does change over time, like through the different version updates between CVSS version 2 and CVSS version 3; you have to be specific when talking about it, of what you're doing. And there are still probably other bugs with the current system that they're still trying to fix, just because it isn't a perfect system; nothing's going to be perfect. I'd say that the best part is probably just being able to have a baseline community communication with other people. Am I good to take more questions, or... cool.

Chris. I haven't taken as much time on some of the smaller exploits, but as I've kind of mentioned before, for the smaller ones, I'd say it's probably the lower that you get in score, for example the lower numbers, maybe anywhere from one to four, it gets less important what the actual score is, just because it's either a lot harder for someone to implement or because there's less data that's being changed in that kind of aspect. But even exploits with low scores still have an impact, or else they wouldn't have a score in general, just because they are an exploit. So I'd say, while understanding what the score is for some of the smaller