Headline
Understanding the Red Hat security impact scale
Red Hat uses a four-point impact scale to classify security issues affecting our products. Have you ever asked yourself what it takes and what the requirements are for each point of the scale? We will talk through the highlights of our process in this article.Is this a CVE?First and foremost, what is a CVE? Short for Common Vulnerabilities and Exposures, it is a list of publicly disclosed computer security flaws. Learn more in this Red Hat post.To receive a severity rating, the issue needs to be a CVE. But what does it take to be a CVE? In order to warrant a CVE ID, a vulnerability has to comp
Red Hat uses a four-point impact scale to classify security issues affecting our products. Have you ever asked yourself what it takes and what the requirements are for each point of the scale? We will talk through the highlights of our process in this article.
****Is this a CVE?****
First and foremost, what is a CVE? Short for Common Vulnerabilities and Exposures, it is a list of publicly disclosed computer security flaws. Learn more in this Red Hat post.
To receive a severity rating, the issue needs to be a CVE. But what does it take to be a CVE? In order to warrant a CVE ID, a vulnerability has to compromise one or more of the three pillars of the CIA triad: Confidentiality, Integrity and Availability.
If the issue doesn’t directly compromise any of these three pillars, the issue is not a CVE. It might be a weakness, but it is not a CVE.
****Is my software affected?****
If one or more items in the CIA triad are compromised and it warrants a CVE ID, the next question is: is my software affected?
To establish the affected-ness of a CVE, we need to first outline some glossary terms:
- Impacted or Vulnerable: The vulnerable code is present in the runtime code and there is real impact to the CIA triad. Therefore, the vulnerability is suspected to be potentially exploitable.
- Exploited or Exploitable: The vulnerability is proven to be exploited or exploitable.
- Mitigated: The vulnerable code is included in the runtime code. Hence, the component is affected, but action can be taken to reduce the impact of a security vulnerability without deploying any fixes.
- Runtime code: The executable software that is actually delivered to customers.
Thus, affected means any software that contains vulnerable runtime code that is shipped to the end user.
We do not state the not-affectedness of every product in our CVE pages because the page would end up becoming very lengthy. However, we do state “Not Affected” in the CVE pages when the component is present in the product, but the specific version shipped on the product is not affected by the CVE. The absence of a product in a CVE page means that it is not shipped on that product and thus, not affected.
****Our impact scale and NIST****
The CVE program doesn’t require a CVSS score for every assigned CVE. In order to overcome this limitation and try to get a sense of the security impact of a CVE, the US Government tasked The National Institute of Standards and Technology (NIST) to run the National Vulnerability Database (NVD), which originally was designed to serve as a reference to the U.S. Government. NIST created an impact scale directly mapped to the calculated CVSS scores:
Score
Severity
0.1-3.9
Low
4.0-6.9
Medium
7.0-8.9
High
8.9-10
Critical
The NVD feed was quickly adopted by the community and security scanners, using NIST’s score and severity as their reference. NIST rates the vulnerability in the component using a generalized (not product specific) approach without evaluating how a component is used in individual products that ship it.
For each vulnerability that potentially affects Red Hat products, our analysts duly and diligently evaluate them, taking into account how the vulnerability is actually exposed and exploitable in what we provide to our customers. The vulnerability can be mitigated by operating system countermeasures, such as SELinux or compiler flags, or how it is exposed on a product. For example, a critical vulnerability in a Red Hat Enterprise Linux (RHEL) component affecting a TCP/IP endpoint that’s only exposed to localhost in Red Hat OpenShift, makes it a strong candidate for a downgrade.
By providing the Red Hat severity ratings, we are adding value for our customers, providing relevant ratings as a reliable tool to help them decide when and how to deploy security updates in their systems, properly establish the affectedness, and improve the availability and reliability of their systems.
However, relying solely on CVSS scores or vendor severity ratings is not a good risk management practice. Customers should always take into account how and where the system is deployed, the criticality of the affected system and its information, and the environment and any other key factors that will help their teams make a good assessment of the actual risk of a CVE in their environment.
****The Red Hat impact scale****
Red Hat uses a four-point impact scale to rank the CVE vulnerabilities: Low, Moderate, Important and Critical. In that order.
What does it take to qualify for each rating? Let’s look at some real-world examples.
Critical
The key to Critical impact is system compromise and malicious code execution without any user interaction. The poster child example for this is the Log4Shell vulnerability: CVE-2021-44228.
This famous vulnerability allowed a specially crafted URL at the vulnerable server to gain access to the remote system. The vulnerability lay on the Logging subsystem, which actually parsed the URL and duly understood that as a JNDI call, instead of blindly logging the entry. All it took was a trivial URL call and a vulnerable system. This is rooted on CWE-917 (Improper neutralization) and CWE-20 (Improper input validation).
Dissecting the Red Hat requirements for a Critical impact:
“This rating is given to flaws that could be easily exploited (Yes) by a remote unauthenticated attacker (Yes) and lead to system compromise (arbitrary code execution) (Yes) without requiring user interaction (Yes). Flaws that require authentication (No), local or physical access to a system (No) or an unlikely configuration (No) are not classified as Critical impact.”
Bingo. Critical it is. If any of the above requirements weren’t true, it would be an Important or even Moderate impact CVE, but still retain a high CVSS score that could match the top of NIST’s scale. We’re talking more about the Integrity pillar. Availability issues, such as denial of service (DoS), don’t qualify for a Critical impact, as it won’t lead to a remote code execution.
Important
Here, the requirements change significantly. There’s a lot of “or”s instead of the “and”s of the Critical. Now, it can affect any of the CIA pillars and encompasses DoS, among others. Let’s look at the key requirements:
“This rating is given to flaws that can easily compromise the confidentiality, integrity, or availability of resources.
These are the types of vulnerabilities that:
- allow local or authenticated users to gain additional privileges
- allow unauthenticated remote users to view resources that should otherwise be protected by authentication or other controls
- allow authenticated remote users to execute arbitrary code
- allow remote users to cause a denial of service”
Focus on the words “easily compromise” at the beginning of the text. We’re talking about a low effort level to break Confidentiality, Integrity or Availability. Confidentiality and Availability breakages can be carried out by unauthenticated remote users. Integrity breakage requires authenticated users.
The example here is the recent "Looney Tunables": CVE-2023-4911. This vulnerability affected glibc, an essential component in Linux operating systems that provides services to numerous and assorted library callbacks.
This vulnerability exploited a buffer overflow (CWE-122) and enabled a malicious attacker with a local system access and privilege to run executables to set a malicious GLIBC_TUNABLES environment variable prior to executing a setuid program, such as mount, exploit the buffer overflow, and elevate its privilege to the level of the setuid program. In that case, root.
Matching this CVE against the Important requirements statement:
“This rating is given to flaws that can easily compromise the confidentiality, integrity, or availability (yes, trivial as a shell) […] vulnerabilities that allow local or authenticated users to gain additional privileges”
Yes, end of parsing. It is trivial, requires a local/authenticated user, and will yield an elevated privilege, breaking the system’s integrity, potentially availability and confidentiality too. Solid match for an Important rating.
Moderate
For Moderate impact, the requirements revolve around “flaws that may be more difficult to exploit”. They “could have had a Critical or Important impact but are less easily exploited based on a technical evaluation of the flaw, and/or affect unlikely configurations”.
Let’s evaluate CVE-2023-3128, an interesting Grafana issue with a hefty CVSS 9.8 score. In this vulnerability, the attacker can just follow the step-by-step recipe on the internet (qualifies for Critical, easy to exploit), you don’t have to have any footprint on the system (trumps Important, qualifies for Critical), and get a full compromise of the Azure environment of the victim (also on Critical requirements). The CWE type for this vulnerability is CWE-290, an Authentication Bypass by spoofing. Except for the fact that the Azure AD access needed to carry the attack is not supported in our products and is also disabled, making it an “unlikely configuration”. Therefore, this issue was downgraded to Moderate.
Low
These are the ones that require unlikely circumstances, theoretical and unproven security attacks, or minimal consequences.
Now, let’s look at CVE-2023-48232. This CVE affected vim, the famous text editor. This vulnerability is triggered when smooth scrolling is enabled, a window border is present, and also requires specific vim configuration settings, on grounds of CWE-755, an Improper Handling of Exceptional Conditions. The result of the exploit is a crash on vim.
While we have unlikely configurations, all that happened was a crash on vim, which belongs to the “minimal consequences” category.
****Wrap up****
After walking through these four examples, we hope that it clarifies how Red Hat Vulnerability Management assessment works and adds value to the risk management for our customers, instead of blindly assigning impact to scores.
Learn more about Red Hat Product Security
Related news
In today's rapidly evolving cyber threat landscape, organizations face increasingly sophisticated attacks targeting their applications. Understanding these threats and the technologies designed to combat them is crucial. This article delves into the mechanics of a common application attack, using the infamous Log4Shell vulnerability as an example, and demonstrates how Application Detection and
Red Hat Security Advisory 2024-3925-03 - An update is now available for Red Hat Ceph Storage 7.1.
Red Hat Security Advisory 2024-0033-03 - An update for redhat-release-virtualization-host and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 8.
A buffer overflow exists in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. It has been dubbed Looney Tunables. This issue allows an local attacker to use maliciously crafted GLIBC_TUNABLES when launching binaries with SUID permission to execute code in the context of the root user. This Metasploit module targets glibc packaged on Ubuntu and Debian. Fedora 37 and 38 and other distributions of linux also come packaged with versions of glibc vulnerable to CVE-2023-4911 however this module does not target them.
Ubuntu Security Notice 6557-1 - It was discovered that Vim could be made to dereference invalid memory. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. It was discovered that Vim could be made to recurse infinitely. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
Vim is an open source command line text editor. A floating point exception may occur when calculating the line offset for overlong lines and smooth scrolling is enabled and the cpo-settings include the 'n' flag. This may happen when a window border is present and when the wrapped line continues on the next physical line directly in the window border because the 'cpo' setting includes the 'n' flag. Only users with non-default settings are affected and the exception should only result in a crash. This issue has been addressed in commit `cb0b99f0` which has been included in release version 9.0.2107. Users are advised to upgrade. There are no known workarounds for this vulnerability.
The threat actors linked to Kinsing have been observed attempting to exploit the recently disclosed Linux privilege escalation flaw called Looney Tunables as part of a "new experimental campaign" designed to breach cloud environments. "Intriguingly, the attacker is also broadening the horizons of their cloud-native attacks by extracting credentials from the Cloud Service Provider (CSP)," cloud
Dubbed Looney Tunables, Qualys discovered a buffer overflow vulnerability in the glibc dynamic loader's processing of the GLIBC_TUNABLES environment variable. This vulnerability was introduced in April 2021 (glibc 2.34) by commit 2ed18c.
Red Hat Security Advisory 2023-5476-01 - The glibc packages provide the standard C libraries, POSIX thread libraries, standard math libraries, and the name service cache daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Issues addressed include buffer overflow and privilege escalation vulnerabilities.
Red Hat Security Advisory 2023-5454-01 - The glibc packages provide the standard C libraries, POSIX thread libraries, standard math libraries, and the name service cache daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Issues addressed include buffer overflow and privilege escalation vulnerabilities.
Gentoo Linux Security Advisory 202310-3 - Multiple vulnerabilities in glibc could result in Local Privilege Escalation. Versions greater than or equal to 2.37-r7 are affected.
Ubuntu Security Notice 6409-1 - It was discovered that the GNU C Library incorrectly handled the GLIBC_TUNABLES environment variable. An attacker could possibly use this issue to perform a privilege escalation attack. It was discovered that the GNU C Library incorrectly handled certain DNS responses when the system was configured in no-aaaa mode. A remote attacker could possibly use this issue to cause the GNU C Library to crash, resulting in a denial of service. This issue only affected Ubuntu 23.04.
A new Linux security vulnerability dubbed Looney Tunables has been discovered in the GNU C library's ld.so dynamic loader that, if successfully exploited, could lead to a local privilege escalation and allow a threat actor to gain root privileges. Tracked as CVE-2023-4911 (CVSS score: 7.8), the issue is a buffer overflow that resides in the dynamic loader's processing of the GLIBC_TUNABLES
A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.
Red Hat Security Advisory 2023-4030-01 - Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.
An update for grafana is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-3128: A flaw was found in Grafana, which validates Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique across Azure AD tenants, which enables Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant AzureAD OAuth application. This may allow an attacker to gain com...
Fortinet has rolled out updates to address a critical security vulnerability impacting its FortiNAC network access control solution that could lead to the execution of arbitrary code. Tracked as CVE-2023-33299, the flaw is rated 9.6 out of 10 for severity on the CVSS scoring system. It has been described as a case of Java untrusted object deserialization. "A deserialization of untrusted data
Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
The custom malware used by the state-backed Iranian threat group Drokbk has so far flown under the radar by using GitHub as a "dead-drop resolver" to more easily evade detection.
Ransomware and pre-ransomware engagements make up 40 percent of threats seen this quarter By Caitlin Huey. For the first time since compiling these reports, Cisco Talos Incident Response saw an equal number of ransomware and pre-ransomware engagements, making up nearly 40 percent of threats this quarter. It can be difficult to determine what constitutes a pre-ransomware attack if ransomware never executes and encryption does not take place. However, Talos IR assesses that the combination of Cobalt Strike and credential-harvesting tools like Mimikatz, paired with enumeration and discovery techniques, indicates a high likelihood that ransomware is the final objective. This quarter featured a variety of publicly available tools and scripts hosted on GitHub repositories or other third-party websites to support operations across multiple stages of the attack lifecycle. This activity coincides with a general increase in the use of other dual-use tools, such as the legitimate red-teaming ...
Trustwave report also finds 2022 is set to surpass 2021 for volume of critical CVEs
Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.
Commodity malware usage surpasses ransomware by narrow margin By Caitlin Huey. For the first time in more than a year, ransomware was not the top threat Cisco Talos Incident Response (CTIR) responded to this quarter, as commodity malware surpassed ransomware by a narrow margin. This is likely due to several factors, including the closure of several ransomware groups, whether it be of their own volition or the actions of global law enforcement agencies and governments. Commodity malware was the top observed threat this quarter, a notable development given the general decrease in observations of attacks leveraging commodity trojans in CTIR engagements since 2020. These developments coincide with a general resurgence of certain email-based trojans in recent months, as law enforcement and technology companies have continued to attempt to disrupt and affect email-based malware threats like Emotet and Trickbot. This quarter featured malware such as the Remcos remote access trojan ...
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Coast Guard Cyber Command (CGCYBER), on Thursday released a joint advisory warning of continued attempts on the part of threat actors to exploit the Log4Shell flaw in VMware Horizon servers to breach target networks. "Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched,
EnemyBot DDoS botnet is rapidly weaponizing security bugs disclosed in CMS systems like WordPress plug-ins, Android devices, commercial Web servers, and other enterprise applications.
In Apache Archiva, any registered user can reset password for any users. This is fixed in Archiva 2.2.8
VMware Workspace ONE Access 21.08, 20.10.0.1, and 20.10 contain an authentication bypass vulnerability. A malicious actor, who has successfully provided first-factor authentication, may be able to obtain second-factor authentication provided by VMware Verify.
Insufficient Input Validation in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 allows an authenticated remote attacker with Object Modification privileges to insert arbitrary HTML without code execution.