# CVSS
- The Common Vulnerability Scoring System (CVSS) is an industry standard for calculating the severity of vulns
- NVD has a calculator for CVSS v3.1 here: [CVSS calculator](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator).
- CVSS is often used with DREAD, which has five (5) main factors:
    - Damage potential
    - Reproducibility
    - Exploitability
    - Affected users
    - Discoverability
![[images/Pasted image 20251028160719.png]]
- Example CVSS calculation for the Windows print spooler RCE vuln CVE-2021-34527
![[images/Pasted image 20251028161031.png]]
![[images/Pasted image 20251028161014.png]]
# CVE
- Common Vulnerabilities and Exposures (CVEs) are usually scored against the CVSS rubric as shown above
- CVEs create a publicly available catalog of security issues sponsored by DHS (or CISA)
- Each security issue has a unique CVE ID number assigned by the CVE Numbering Authority (CNA)
- Creates a standardized reference for each vulnerability or exposure that a researcher identifies
- OVAL (Open Vulnerability and Assessment Language) is a publicly available international information security standard used to evaluate and detail a system's current state and issues
- Goal of OVAL is to have a three-step structure during the assessment process that consists of:
    - Identifying a system's configs for testing
    - Evaluating a current system's state
    - Disclosing the info in a report

![[images/Pasted image 20251028161717.png]]
- CVE examples:
    - [CVE-2020-5902](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5902) is an unauthenticated remote code execution vulnerability in the BIG-IP Traffic Management User Interface (TMUI). The issue is exploitable when TMUI is available through the BIG-IP management port and leads to a complete system takeover, since an attacker could execute code, edit files, and enable or disable services on the remote host.
    - [CVE-2021-34527](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527), also known as PrintNightmare, is a remote code execution vulnerability within the Windows Print Spooler service. The service can be abused because it improperly handles privileged file operations. The issue requires a user to be authenticated but allows complete takeover of a system through remote or local code execution. It is extremely dangerous because it affects servers (including domain controllers) as well as workstations, which allows an attacker to fully control a domain.