SoftwareVulnerability

Purpose

The SoftwareVulnerability object represents the vulnerability properties of an Application.

Which type of vulnerability a SoftwareVulnerability object represents is defined by its security properties, also called the defense settings, of that object.

The SoftwareVulnerability concept is not limited to published, official vulnerabilities with known exploits (i.e. CVE vulnerabilities). It is equally suitable for representing software vulnerabilities that do not require an exploit (for instance misconfigurations) and zero-day exploits.

It is also possible, and recommended, to connect a SoftwareVulnerability object to every Application object and to configure it as an "unknown vulnerability", in order to take potentially missing information about the Application into account.

Connections

Application/IDPS/RoutingFirewall

When a SoftwareVulnerability is connected to an Application, the Attacker will have the opportunity to attempt exploiting the vulnerability, provided that the Attacker manages to reach the Application. How useful this particular vulnerability is to the Attacker depends on the properties (defense settings) applied to it.

An Application with a SoftwareVulnerability.

SoftwareProduct

When a SoftwareVulnerability is connected to a SoftwareProduct (for instance to represent a vulnerable software release), the vulnerability affects all Application objects connected to the SoftwareProduct.

Host 1, 2 and 3 are based on the same SoftwareProduct (labeled "Legacy OS") which in turn is vulnerable to the "CVE-yyyy-nnn" SoftwareVulnerability.

Configuration

The type and impact of a vulnerability, as well as the complexity involved in abusing it, are defined using the defense settings of the SoftwareVulnerability object. This section describes these settings in more detail.

Vulnerability scanner data

When using a data-driven approach with vulnerability scanner data to generate a model, the scanner findings contain CVSS vector information. That information is used to adjust the defense settings of the vulnerability, so that the vulnerability added to the model matches what the vulnerability scanner reported.

Attack Vector

The "Attack Vector" of a vulnerability is either "network", "local" or "physical".

Network is for vulnerabilities that can be exploited over a network connection, like for instance EternalBlue or the log4j Log4Shell vulnerability. Network type vulnerabilities might (depending on the other defense settings of the SoftwareVulnerability) be exploitable via a NetworkExposure or ClientAccess connection to a Network or via a ConnectionRule.

Local vulnerabilities require the Attacker to connect to the application locally, within the same operating system. They could be related to a non-network application or to the operating system itself. If they are related to the operating system kernel, they are sometimes referred to as "kernel exploits", which in some cases lead to privilege escalation. Consequently, it is not possible to exploit a local vulnerability on an Application via NetworkExposure or ClientAccess to a Network or via a ConnectionRule.

Physical software vulnerabilities require the Attacker to have gained access to a PhysicalZone to which a System is connected which, in turn, has a physical vulnerability connected to it. These are less common, but there are a few examples, like the "Sophos Login Screen Bypass Vulnerability (CVE-2014-2005)".

The above aspects are covered in the NetworkAccessRequired, LocalAccessRequired and PhysicalAccessRequired defense properties respectively.

Required Access

Different vulnerabilities require different levels of initial access before they are applicable. The "Access" portion of the CVSS vector defines this aspect.

The different related defense properties are LowPrivilegesRequired and HighPrivilegesRequired.

For vulnerabilities that require no prior authentication both these parameters should be set to zero/off.

Attack Complexity

Attack Complexity is related to how likely an exploit is to succeed, depending on whether there are conditions beyond the Attacker's control that need to be fulfilled for the vulnerability to be exploitable.

Attack Complexity is not related to how technically advanced the exploit needs to be in order to exploit the vulnerability. If the vulnerability was difficult to discover and a very advanced exploit is needed, but that exploit has been developed by the Attacker or has been published, and it works reliably when executed, then the Attack Complexity is considered low.

This property is defined by the HighComplexityExploitRequired parameter.

User Interaction

For vulnerabilities in client applications, like for instance Office applications, mail clients and web browsers, the Attacker is required to convince the victim to make contact with a location in the model where the Attacker already has access (like for instance the Internet or an already compromised network zone). This is done via phishing or by waiting for an incoming connection from the client application (in the case of a drive-by attack).

In these cases, the parameter UserInteractionRequired shall be set to on.

Impact

The Impact of a vulnerability, once successfully exploited, also depends on the type of vulnerability. The corresponding parameters in the SoftwareVulnerability object are ConfidentialityImpactLimitations, IntegrityImpactLimitations and AvailabilityImpactLimitations.

Existence

The Remove parameter is used for attenuating the presence of the vulnerability in question.

Vulnerability context                                                                                                        Remove value
Confirmed vulnerability reported by a vulnerability scanner or found via manual inspection                                   0
Potential/unknown vulnerability in case of lacking information (a scan or investigation might not be possible or feasible)   0,5
Applying a mitigation to remove/patch the vulnerability to evaluate the security improvement it might bring                  1
(by simulating the model again)

Unknown Vulnerability

It is recommended to use an unknown vulnerability when information about the vulnerability status of an application is missing, such as when a scan or investigation cannot be carried out (like for instance with SCADA environments or when modeling the impact of remote environments beyond our control).

Also, when using vulnerability scanner data, it is recommended to still keep a SoftwareVulnerability configured as in the table below, but with Remove set to a high value, to account for the vulnerability scanner missing vulnerabilities due to lacking database updates, or for a vulnerability being discovered after the scan was run.

Defense parameter                    Recommended value
AvailabilityImpactLimitations        0,5
ConfidentialityImpactLimitations     0,5
HighComplexityExploitRequired        0,5
HighPrivilegesRequired               0,5
IntegrityImpactLimitations           0,5
LocalAccessRequired                  0 for a network-capable application, 1 for a non-network application
LowPrivilegesRequired                0,5
NetworkAccessRequired                1 for a network-capable application, 0 for a non-network application
PhysicalAccessRequired               0 (in most cases)
Remove                               0,5 in case of unknown security status; a high value, for instance 0,95, even when scanner data is used
UserInteractionRequired              0 for a service application, 1 for a client application
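The script below is an added example and is not part of this documentation or of securiCAD's own scanner importer. It turns a CVSS v3 vector string into the defense settings described in the Configuration section (Attack Vector, Required Access, Attack Complexity, User Interaction, Impact), chooses the Remove value from the Existence table, and builds the recommended "unknown vulnerability" settings from the table above. The page does not state the exact numeric translation the importer applies, so the 1.0/0.5/0.0 values chosen for the ImpactLimitations defenses and the treatment of the CVSS "Adjacent" attack vector as a network vector are assumptions of this example; the sample vectors are constructed, not taken from any advisory.

```python
import re

# Defense (property) names of the SoftwareVulnerability object, as listed on this page.
DEFENSES = (
    "AvailabilityImpactLimitations", "ConfidentialityImpactLimitations",
    "HighComplexityExploitRequired", "HighPrivilegesRequired",
    "IntegrityImpactLimitations", "LocalAccessRequired",
    "LowPrivilegesRequired", "NetworkAccessRequired",
    "PhysicalAccessRequired", "Remove", "UserInteractionRequired",
)

# Remove value per vulnerability context, from the Existence table.
REMOVE_BY_CONTEXT = {"confirmed": 0.0, "unknown": 0.5, "mitigated": 1.0}

# CVSS v3.0/3.1 vector: "CVSS:3.1/AV:N/AC:L/..." with single-letter metric values.
_CVSS3_VECTOR = re.compile(r"^CVSS:3\.[01]/(?P<metrics>[A-Z]+:[A-Z](?:/[A-Z]+:[A-Z])*)$")


def parse_cvss3(vector):
    """Parse a CVSS v3 vector string into a {metric: value} dict.

    Raises ValueError for anything that is not a CVSS v3 vector or that lacks
    one of the base metrics this mapping needs.
    """
    match = _CVSS3_VECTOR.match(vector.strip())
    if not match:
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics = dict(part.split(":") for part in match.group("metrics").split("/"))
    missing = [m for m in ("AV", "AC", "PR", "UI", "C", "I", "A") if m not in metrics]
    if missing:
        raise ValueError(f"vector lacks base metrics: {missing}")
    return metrics


def _impact_limitation(level):
    # Assumed mapping: a CVSS impact of None means the corresponding
    # ImpactLimitations defense is fully on (1.0), Low is half on (0.5) and
    # High leaves the defense off (0.0) so the Impact step is unrestricted.
    return {"N": 1.0, "L": 0.5, "H": 0.0}[level]


def defenses_from_cvss3(vector, context="confirmed"):
    """Derive SoftwareVulnerability defense settings from a CVSS v3 vector."""
    m = parse_cvss3(vector)
    d = dict.fromkeys(DEFENSES, 0.0)

    # Attack Vector: exactly one of the three *AccessRequired defenses is on.
    # CVSS "Adjacent" (AV:A) is not covered by the page; treating it as a
    # network vector is an assumption of this example.
    d["NetworkAccessRequired"] = 1.0 if m["AV"] in ("N", "A") else 0.0
    d["LocalAccessRequired"] = 1.0 if m["AV"] == "L" else 0.0
    d["PhysicalAccessRequired"] = 1.0 if m["AV"] == "P" else 0.0

    # Required Access: PR:N (no prior authentication) leaves both at zero.
    d["LowPrivilegesRequired"] = 1.0 if m["PR"] == "L" else 0.0
    d["HighPrivilegesRequired"] = 1.0 if m["PR"] == "H" else 0.0

    # Attack Complexity and User Interaction map one-to-one.
    d["HighComplexityExploitRequired"] = 1.0 if m["AC"] == "H" else 0.0
    d["UserInteractionRequired"] = 1.0 if m["UI"] == "R" else 0.0

    # Impact: the C/I/A metrics set the corresponding limitation defenses.
    d["ConfidentialityImpactLimitations"] = _impact_limitation(m["C"])
    d["IntegrityImpactLimitations"] = _impact_limitation(m["I"])
    d["AvailabilityImpactLimitations"] = _impact_limitation(m["A"])

    # Existence: confirmed finding, unknown status, or mitigated for a what-if run.
    d["Remove"] = REMOVE_BY_CONTEXT[context]
    return d


def unknown_vulnerability(network_capable, client_application, remove=0.5):
    """Recommended 'unknown vulnerability' settings from the table above.

    Pass remove=0.95 (or similar) when scanner data is present and this object
    only stands in for findings the scanner may have missed.
    """
    return {
        "AvailabilityImpactLimitations": 0.5,
        "ConfidentialityImpactLimitations": 0.5,
        "HighComplexityExploitRequired": 0.5,
        "HighPrivilegesRequired": 0.5,
        "IntegrityImpactLimitations": 0.5,
        "LocalAccessRequired": 0.0 if network_capable else 1.0,
        "LowPrivilegesRequired": 0.5,
        "NetworkAccessRequired": 1.0 if network_capable else 0.0,
        "PhysicalAccessRequired": 0.0,
        "Remove": remove,
        "UserInteractionRequired": 1.0 if client_application else 0.0,
    }


if __name__ == "__main__":
    # Constructed sample vectors: a network-reachable service flaw and a
    # client-side flaw that needs the victim to open something.
    for vec in ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:H"):
        print(vec, defenses_from_cvss3(vec))
    print("unknown, network service:", unknown_vulnerability(True, False, remove=0.95))
```

Because the unknown-vulnerability object is meant to sit beside scanner-derived ones, the two builders return the same set of keys, so a model generator can treat both the same way when writing the defense settings to an Application.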

Properties

AttackSteps

Attack step name     Attack step purpose
Abuse                Successfully abusing the vulnerability, leading to the Impact parameters affecting the connected Application.
Deny                 Deny impact on the connected Application.
Exploit              Prerequisite to Abuse.
ExploitTrivially     When AttackComplexity is low or zero, ExploitTrivially leads to Exploit.
ExploitWithEffort    When AttackComplexity is high or one, ExploitWithEffort leads to Exploit.
Impact               The impact on the connected Application caused by successfully exploiting the vulnerability.
Modify               Successfully modifying the connected Application's data and/or source code.
Read                 Successfully reading the connected Application's data and/or source code.

Defenses

For a detailed description of the defense parameters, see the Configuration section above.

Defense name                         Defense purpose
AvailabilityImpactLimitations        Availability impact on the connected Application.
ConfidentialityImpactLimitations     Confidentiality impact on the connected Application.
HighComplexityExploitRequired        An exploit depending on requirements beyond the attacker's control is considered complex.
HighPrivilegesRequired               A fully authenticated user is required. Set to zero if no authentication is required.
IntegrityImpactLimitations           Integrity impact on the connected Application.
LocalAccessRequired                  Local attack vector.
LowPrivilegesRequired                Limited access is required. Set to zero if no authentication is required.
NetworkAccessRequired                Network attack vector.
PhysicalAccessRequired               Physical attack vector.
Remove                               Existence parameter for non-confirmed vulnerabilities.
UserInteractionRequired              Client-side attacks require user interaction.