Vulnerability Chaining

Author: martindg

trainingportal/qna.js

@@ -239,6 +239,10 @@ let cvss_4_score_2 = () => {
   return {"digest": getDigest("CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N")};
 }
 
+let cvss_5_chain = () => {
+  return {"digest": getDigest("CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N")};
+}
+
 const DEFS = {
   "crypto_caesar": caesarEnc,
   "crypto_vigenere": vigenereEnc,
@@ -249,7 +253,8 @@ const DEFS = {
   "crypto_pbk": pbkEnc,
   "crypto_analysis": analysisEnc,
   "cvss_3_score_1": cvss_3_score_1,
-  "cvss_4_score_2": cvss_4_score_2
+  "cvss_4_score_2": cvss_4_score_2,
+  "cvss_5_chain": cvss_5_chain
 }
 
 module.exports = {

trainingportal/static/lessons/cvss/cvss_5_chain.md

@@ -0,0 +1,28 @@
+### Vulnerability Chaining
+
+The CVSS framework is designed for assessing an individual vulnerability having known the details on exploitability and impact. However, it is sometimes necessary to look into more complex attacks that leverage multiple vulnerabilities into a chain. While the CVSS is not specifically designed for more complex attacks, it does accommodate for scoring a single attack consisting of a vulnerability chain.
+
+
+Vulnerability chaining is covered in the [CVSS User Guide](https://www.first.org/cvss/v4-0/user-guide#Vulnerability-Chaining).
+
+### Task
+
+Score the following scenario using the CVSS v4.0 calculator [https://www.first.org/cvss/calculator/4-0](https://www.first.org/cvss/calculator/4-0).
+
+### Scenario
+
+This attack scenario consists of the 2 vulnerabilties we saw earlier. Imagine that an attacker is aware and has the ability to execute both of them as necessary to perform an attack.
+
+You can leverage the CVSS vectors of the previous 2 vulnerabilities that we scored.
+
+#### Vulnerability 1
+
+Unauthenticated attacker can list registered users of a SaaS offering (username and userid).
+
+#### Vulnerability 2
+
+A malicious SaaS user with knowledge of another user’s unique 128-bit userid, can read all the information (e.g. details, activity, messages) for that user through an Authorization bypass in the API.
+
+#### Impact
+
+The attacker is now able to read the information for all users.

trainingportal/static/lessons/cvss/cvss_5_chain.sol.md

@@ -0,0 +1,13 @@
+- Attack Vector: Network (N)
+- Attack Complexity: Low (L)
+    - The requirement on knowing the unique userid is still present, however vulnerability 1 allows the attacker to easily obtain these for all users.
+- Attack Requirements: None (N)
+- Privileges Required: Low (L)
+    - The attacker still needs to be authenticated user in order to perform the second part of the attack i.e. obtain sensitive data.
+- User Interaction: None (N)
+- Vulnerable System Confidentiality: High (H)
+- Vulnerable System Integrity: None (N)
+- Vulnerable System Availability: None (N)
+- Subsequent System Confidentiality: None (N)
+- Subsequent System Integrity: None (N)
+- Subsequent System Availability: None (N)

trainingportal/static/lessons/cvss/definitions.json

@@ -76,6 +76,15 @@
                 "type":"quiz",
                 "mission":"Enter the CVSS v4 string (Base Score)",
                 "codeBlockIds":[]
+            },
+            {
+                "id":"cvss_5_chain",
+                "name":"Chaining Vulnerabilities",
+                "description": "cvss_5_chain.md",
+                "solution": "cvss_5_chain.sol.md",
+                "type":"quiz",
+                "mission":"Enter the CVSS v4 string (Base Score)",
+                "codeBlockIds":[]
             }
         ]
     }