Severity Ratings
Mistakes in Technology Design and Coding
Security Vulnerability Severity Ratings
Mistakes are made in the process of designing and coding technology. When those mistakes are exploited by nefarious actors, the result can be devastating.
The Common Vulnerability Scoring System (CVSS) is an open framework for rating the severity of vulnerabilities. It produces a numeric score from three metric groups: Base, Temporal and Environmental.
Critical
These vulnerabilities affect the integrity of an organization’s systems and data. Attackers can use them to gain access to application resources or to cause unintended exposure of data. Examples include XML External Entity Injection, Server Side Request Forgery, and Local File Inclusion/Path Traversal.
Affected systems are vulnerable to attacks that result in sensitive information disclosure and to attacks that could cause a denial of service. The score of these issues varies depending on whether they require additional work on the attacker’s part or privileges to exploit (such as a man-in-the-middle position or theft of a shared secret key), as well as the scope of the information exposed, whether it uniquely identifies users, and other factors.
The most dangerous of these vulnerabilities can be exploited without authentication and can be used to gain privileged access or execute code on a host. They are usually rated between 7.0 and 8.9 on CVSS 3.1. Snyk uses the Base, Temporal and Environmental metrics to evaluate vulnerabilities.
Important
At the Important level, exploitation of a vulnerability would lead to compromise of the confidentiality or integrity of data. This can include flaws that enable attackers to steal session information or conduct a man-in-the-middle attack. These attacks do not require sophisticated technical skills and can be conducted remotely without authentication.
At this severity rating, the impact on an organization is not as severe as it is with Critical or High vulnerabilities. However, these vulnerabilities should still be fixed, as they introduce weaknesses in your application or systems and may be combined with other issues of higher severity to cause a greater impact.
The Base score takes into account the intrinsic characteristics of the flaw that do not change over time; it does not take into account the environment or the mitigations your organization has put in place to prevent exploitation. Many public vulnerability indices (such as NVD) and scanners use this scoring methodology.
Medium
Medium severity vulnerabilities allow attackers to read or modify limited amounts of data, or can be exploited with other bugs to gain unintended access to systems or resources. Examples include reflected XSS and misconfigured web sessions. These flaws are harmful by themselves, but are less impactful than Critical and High severity issues.
High severity vulnerability ratings assume that exploitation will result in complete system compromise (e.g. arbitrary code execution). Attackers must have at least some level of technical skill or prior knowledge of the target to successfully exploit these flaws. Examples include XML External Entity Injection and LFI. These flaws can be exploited to expose or steal session information, or to impersonate other origins or read cross-origin data.
Half red / half yellow severity levels indicate vulnerabilities that are confirmed in some scan results but not in others, due to various factors affecting the vulnerability detection process. Until these vulnerabilities are confirmed, they are treated as potential findings and do not appear in the results.
Low
In the case of Low severity issues, attackers may still access some information, but the impact on an organization is much less severe than that of a Critical or High vulnerability. For example, a bank would likely consider the loss of customer confidential banking information to be a low impact issue.
Low severity bugs typically have significant mitigating factors, such as non-reproducible crashes or other exceptions to Chrome’s normal operation, that prevent the flaw from being exploited in an attack. They can also involve other factors, such as unlikely or unusual user interaction, that reduce the vulnerability’s risk to the end user.
Other reasons for variation in scores include the presence of source code protection mechanisms that mitigate a vulnerability, and how software is used within a product. For instance, a vulnerability that allows a malicious browser extension to execute arbitrary code in the context of a Google search might be rated higher by some vendors (and by NIST) than by others.