technical impact quick fix - Technical Impact and CVSS Vector for scope = unchanged

[ralvares]

🗣 Description

Fixing the technical impact based on the https://certcc.github.io/SSVC/topics/information_sources/?h=tech#cvss-and-technical-impact

💭 Motivation and context

Based on SSVC documentation -

Technical Impact is directly related to the CVSS impact metric group. The interpretation is different for CVSS version 3 than version 4.

The mapping between CVSS v3 and Technical Impact is as follows:
CVSS Scope Confidentiality (C) Integrity (I) Availability (A) Technical Impact
Unchanged High (H) High (H) any Total
Unchanged High (H) Low (L) or None (N) any Partial
Unchanged Low (L) or None (N) High (H) any Partial
Changed any any any (ambiguous)

I wrote a small code to check the technical impact.

🧪 Python Code

import re

def parse_cvss_vector(cvss_vector):

    if cvss_vector is None:
        return  None

    if "CVSS:3" in cvss_vector or "CVSS:4" in cvss_vector:
        pattern = r'([A-Z]{1,2}):([A-Z]{1,3})'
        matches = re.findall(pattern, cvss_vector)
        metrics = {metric: value for metric, value in matches}
        version = 3 if "CVSS:3" in cvss_vector else 4
    else:
        pattern = r'([A-Za-z]{1,2}):([A-Za-z])'
        matches = re.findall(pattern, cvss_vector)
        metrics = {metric: value for metric, value in matches}
        version = 2
    return metrics, version

def convert_cvss_v2_to_v3(cvss_v2_vector):
    v2_to_v3_mapping = {
        'AV': {'N': 'N', 'A': 'A', 'L': 'L'},
        'AC': {'L': 'L', 'M': 'H', 'H': 'H'},
        'Au': {'N': 'N', 'S': 'L', 'M': 'H'},
        'C': {'N': 'N', 'P': 'L', 'C': 'H'},
        'I': {'N': 'N', 'P': 'L', 'C': 'H'},
        'A': {'N': 'N', 'P': 'L', 'C': 'H'}
    }

    v2_vector_parts = cvss_v2_vector.split('/')
    v3_vector_parts = ['CVSS:3.0']

    for part in v2_vector_parts:
        metric, value = part.split(':')
        if metric in v2_to_v3_mapping:
            v3_value = v2_to_v3_mapping[metric][value]
            v3_vector_parts.append(f'{metric}:{v3_value}')

    # Adding additional required metrics for CVSS v3
    v3_vector_parts.append('S:U')  # Scope (Unchanged)
    v3_vector_parts.append('PR:N')  # Privileges Required (None)
    v3_vector_parts.append('UI:N')  # User Interaction (None)

    return '/'.join(v3_vector_parts)

def map_cvss_to_technical_impact(cvss_vector):

    if cvss_vector is None:
        return  None

    metrics, version = parse_cvss_vector(cvss_vector)

    confidentiality = metrics.get('C', 'N')
    integrity = metrics.get('I', 'N')
    availability = metrics.get('A', 'N')
    scope = metrics.get('S', 'U') if version == 3 else None

    if version == 4:
        if confidentiality == 'H' and integrity == 'H':
            return 'total'
        elif (confidentiality == 'H' and integrity in ('L', 'N')) or (confidentiality in ('L', 'N') and integrity == 'H'):
            return 'partial'
        elif (confidentiality in ('L', 'N') and integrity in ('L', 'N')):
            return 'partial'
        else:
            return 'None'
    elif version == 3:
        if scope == 'U':
            if confidentiality == 'H' and integrity == 'H':
                return 'total'
            elif (confidentiality == 'H' and integrity in ('L', 'N')) or (confidentiality in ('L', 'N') and integrity == 'H'):
                return 'partial'
            elif confidentiality in ('L', 'N') and integrity in ('L', 'N'):
                return 'partial'  # Adjusted logic to consider Low as Partial
            else:
                return 'none'
        elif scope == 'C':
            return 'ambiguous'
    return 'None'

[jwoytek-cisa]

@ralvares Thank you for the report. We are looking into this.

[jwoytek-cisa]

@amanion-cisa this probably needs some discussion internally to determine the right course of action.

[todb-cisa]

We're investigating our SSVC scoring and how it actually relates to these CVSS mappings. Note that in the documentation, this isn't a MUST for the mapping, but it is a MAY. We're currently not automatically injesting CVSS and making that the only input to SSVC scoring... but maybe we should? It certainly would make analysis easier.

Keeping this open for just a bit. Don't worry about the merge conflicts, by the way -- I don't expect we'll be able to land this PR touching 400-plus CVEs since they're all generated on the backend and pushed up. But I'd like to still track this as an issue.

[ralvares]

Thanks for the updates; indeed, 400+ changes are not something that I would also merge! I'm a big SSVC advocate, and the feedback I get is that SSVC is not automatable; maybe, as a starting point, use the mapping. Of course, it can change depending on multiple factors, scope, environmental context, and so on; the same applies to automatable!

I think the documentation that you provide is really GOOD, since people somehow got stuck with the SSVC v1!

I have a goal that is to help the SSVC framework to be more automated as much as possible.

Check this out, just for fun!

https://playground.ssvc.me/

I built this to showcase how to use SSVC to help with container images and repository scans using trivy.

Impact = Human Impact!

log4shell

curl -s "https://api.ssvc.me/v1/vuln?vulnIds=CVE-2021-44228&exploits=true&exposure=open&impact=medium" | jq

PHP (PHP-CGI)

curl -s "https://api.ssvc.me/v1/vuln?vulnIds=CVE-2024-4577&exploits=true&exposure=open&impact=medium" | jq

also, the API :)

There is no documentation so far, but it is soon to be done!