Wednesday, August 6, 2025

CVSS 3.1 Scoring Series - Attack Vector

In this part of my CVSS 3.1 Scoring Series, I will explain how the "Base Score - Exploitability - Attack Vector" classifications work.


Classifications

There are four different classifications of Attack Vector:

  1. Network (AV:N)
  2. Adjacent (AV:A)
  3. Local (AV:L)
  4. Physical (AV:P)

A Network (AV:N) classification means that a vulnerability can be exploited across a Wide Area Network (WAN). This applies to the public Internet, corporate and remote business sites, or even traffic that must traverse at least one router to reach the target. Therefore, the simplest way to classify this is "can I exploit a vulnerability (directly) across at least one network router?"

An Adjacent (AV:A) classification means that a vulnerability can only be exploited within the same Local Area Network as the target. If I must exploit this inside the same OSI Layer 2 network as the target (same VLAN, same broadcast domain, etc.), then the vulnerable system would get an AV:A scoring.

A Local (AV:L) classification means that a vulnerability can only be exploited with logical local access to the system. For example, you must have a terminal or shell on the local system in order to exploit a vulnerability.

Finally, a Physical (AV:P) classification means you must have direct physical access to the machine or component in order to exploit a vulnerability. Think of a key combination pressed during boot that bypasses authentication, or a USB stick that must be physically plugged into the device to execute malware.


When determining which classification a vulnerable application or system falls into, it is extremely important to note that this is NOT about the physical medium. SSH as a protocol traverses the network, yes, but if SSH is a necessity in order for me to be on the same host as the vulnerable component, it is a *Local* attack vector.


Example

Pop quiz time! Suppose that, to exploit a vulnerability on a company's server from my laptop, I had to SSH to a bastion host in a shared co-located server room in a leased datacenter, craft malformed data frames from my server to the company server in the same L2 domain, spawn a reverse shell inside their server, and then attack localhost:6336 to exploit a SQL database vulnerability. Which attack vector classification should the database have?


To summarize:
- I move from my laptop on the public Internet to a bastion host (Network)
- I move from the bastion host to a company server in the same LAN (Adjacent)
- I spawn a shell inside the company server and attack the database (Local)

This would result in a CVSS 3.1 Attack Vector classification of Local. Yes, I can do all this in my slippers from the comfort of my home while watching Finding Nemo. Yes, it requires lateral movement inside the same L2 network. However, I cannot start attacking SQL until I get onto the local server. Since we care about scoring the database specifically (even if the rest of the network seriously needs to be checked for holes), the database would get a vulnerability scoring of AV:L.


Considerations

One major caveat to note here is that if an attack has to originate from within a corporate intranet (and not the public Internet) in order to be successful, it would *still* be of a Network type. Sorry, you don't get points for having a private intranet for this sort of thing.

This kind of makes sense, right? If I can hijack communication from a retail POS system in a remote site to get all the way to customer financial data across the country in a central site, even if that communication travels across a company intranet - you wouldn't call that an Adjacent attack vector. There are many, many hops and L2 networks in between those points, so it still counts as Network.
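To make the "last hop decides" rule from the pop quiz and the intranet caveat above concrete, here is a small model I added for this post (it is not from the CVSS specification, and the `Hop` class and its flags are a hypothetical way of describing an attack path): each step records only the attacker's required position relative to the next target, and the Attack Vector of the vulnerable component is read off the final step alone.

```python
from dataclasses import dataclass
from enum import Enum

class AttackVector(str, Enum):
    NETWORK = "N"
    ADJACENT = "A"
    LOCAL = "L"
    PHYSICAL = "P"

# Weights from the CVSS 3.1 spec's exploitability table (not quoted in the post).
AV_WEIGHT = {AttackVector.NETWORK: 0.85, AttackVector.ADJACENT: 0.62,
             AttackVector.LOCAL: 0.55, AttackVector.PHYSICAL: 0.20}

@dataclass(frozen=True)
class Hop:
    """One step of an attack path; a hypothetical model, not a CVSS construct."""
    description: str
    physical: bool = False        # hands on the hardware (boot keys, USB port)
    on_host: bool = False         # attacker already has a shell on the target
    crosses_router: bool = False  # traffic traverses at least one L3 router

def classify_hop(hop: Hop) -> AttackVector:
    """Only the attacker's required position relative to the vulnerable
    component matters, never the medium that carried them there."""
    if hop.physical:
        return AttackVector.PHYSICAL
    if hop.on_host:
        return AttackVector.LOCAL
    if hop.crosses_router:
        return AttackVector.NETWORK
    return AttackVector.ADJACENT  # same L2 domain, no router in between

def classify_path(hops: list) -> AttackVector:
    """The target's AV is set by the final hop alone; earlier hops only
    describe how the attacker reached that position, which CVSS ignores."""
    if not hops:
        raise ValueError("an attack path needs at least one hop")
    return classify_hop(hops[-1])

def av_component(hops: list) -> str:
    return f"AV:{classify_path(hops).value}"  # as written in a vector string

# Constructed paths mirroring the post's pop quiz and its intranet caveat.
POP_QUIZ = [
    Hop("laptop on the Internet -> SSH into bastion host", crosses_router=True),
    Hop("bastion -> malformed frames to company server in the same L2 domain"),
    Hop("reverse shell on company server -> localhost:6336 SQL service", on_host=True),
]
INTRANET_POS = [Hop("retail POS -> central finance system over the corporate WAN", crosses_router=True)]
```

Note that the pop quiz path truncated after its second hop would score the company server itself as Adjacent, while the full path scores the database as Local; the same code also shows why the POS path stays Network despite never touching the public Internet.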


Hopefully that explains the CVSS 3.1 Attack Vector scoring! If you have any questions, feel free to reach out to me on LinkedIn or via email (chris@sinclairsecurity.com). See you next time!


References

More information on this scoring can be found in the official specification: FIRST CVSS 3.1 Spec

