OASIS Common Security Advisory Framework (CSAF) TC: CSAF-22

Check of CVSSv3 Vector string length limit (including ND as values per optional components)


    Details

    • Type: Task
    • Status: Applied
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Proposal:

      Correct the XSD schema rule and prose for VectorV3 string length from 140 (138) down to 133 (131) in the next editor revision of WD01.


      Description

      From Troy's mail:

      The one thing that jumped out at me that we need to fix is the updated schema for CVSS v3 Vector string. Section 6.112.2.4 – The element contains a limit of 76 characters. This was sufficient to hold a terminated string with maximum length values for a CVSS v2 Vector. CVSS V3 vectors can be significantly longer: 118 characters for a complete Vector string with values for Base, Temporal, and Environmental. If someone chooses, as is allowed by the spec, to use ND (Not Defined) for all the values for the Temporal and Environmental sections then it can be up to 138 characters. De facto practice though is to assume ND for any value not supplied in the vector string.

      We probably want to increase that limit to 140 characters which leaves 2 bytes for termination or padding if needed. Someone please check my math.

      This went into the editor revision 2017-03-24.

      Analysis resulting in revised proposal:

      I find 117 characters needed (without any end of string marker nor any end of line) for the maximal use case, but with no "ND" set:

      All set (but no ND):

      CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:U/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H

      above from NVD

      Ditto:

      CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:U/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H

      above from FIRST

      Now from the spec, https://www.first.org/cvss/specification-document, section 6, Vector table:

      len("CVSS:3.0") = 8
      max(len(Base)) = 8 * len("/") + len("AVACPRUISCIA") + 8 * len(":") + 8 * 1
      max(len(Temporal)) = 3 * len("/") + len("ERLRC") + 3 * len(":") + 3 * 1
      max(len(Environmental)) = 11 * len("/") + len("CRIRARMAVMACMPRMUIMSMCMIMA") + 11 * len(":") + 11 * 1

      max(VectorV3) = 8 + 8 * (1 + 1 + 1) + 12 + 3 * (1 + 1 + 1) + 5 + 11 * (1 + 1 + 1) + 26 = 117

      Good: 117 characters needed (without any end of string marker nor any end of line) for the maximal use case, but with no "ND" set.

      Now with "ND" (for Not Defined in the temporal and environmental metrics instead of leaving them out):

      len("CVSS:3.0") = 8
      max(len(Base)) = 8 * len("/") + len("AVACPRUISCIA") + 8 * len(":") + 8 * 1
      max(len(Temporal)) = 3 * len("/") + len("ERLRC") + 3 * len(":") + 3 * 2
      max(len(Environmental)) = 11 * len("/") + len("CRIRARMAVMACMPRMUIMSMCMIMA") + 11 * len(":") + 11 * 2

      max(VectorV3ND) = 8 + 8 * (1 + 1 + 1) + 12 + 3 * (1 + 1 + 2) + 5 + 11 * (1 + 1 + 2) + 26 = 131

      sample:
      CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:ND/RL:ND/RC:ND/CR:ND/IR:ND/AR:ND/MAV:ND/MAC:ND/MPR:ND/MUI:ND/MS:ND/MC:ND/MI:ND/MA:ND

      So there I find 131 characters needed (without any end of string marker nor any end of line) for the maximal use case with "ND" set.

      So I will correct the XSD schema rule and prose in the next editor revision from 140 (138) down to 133 (131).

      The table (data copied, enumerated and denormalized):

      Table 15: Base, Temporal and Environmental Vectors

      ====================================================================================================
      Metric Group    Metric Name                   Name Code   Possible Values   Mandatory?   Sugg. Seq. No
      ====================================================================================================
      Base            Attack Vector                 AV          [N,A,L,P]         Yes          1
      Base            Attack Complexity             AC          [L,H]             Yes          2
      Base            Privileges Required           PR          [N,L,H]           Yes          3
      Base            User Interaction              UI          [N,R]             Yes          4
      Base            Scope                         S           [U,C]             Yes          5
      Base            Confidentiality               C           [H,L,N]           Yes          6
      Base            Integrity                     I           [H,L,N]           Yes          7
      Base            Availability                  A           [H,L,N]           Yes          8
      ----------------------------------------------------------------------------------------------------
      Temporal        Exploit Code Maturity         E           [X,H,F,P,U]       No           9
      Temporal        Remediation Level             RL          [X,U,W,T,O]       No           10
      Temporal        Report Confidence             RC          [X,C,R,U]         No           11
      ----------------------------------------------------------------------------------------------------
      Environmental   Confidentiality Req.          CR          [X,H,M,L]         No           12
      Environmental   Integrity Req.                IR          [X,H,M,L]         No           13
      Environmental   Availability Req.             AR          [X,H,M,L]         No           14
      Environmental   Modified Attack Vector        MAV         [X,N,A,L,P]       No           15
      Environmental   Modified Attack Complexity    MAC         [X,L,H]           No           16
      Environmental   Modified Privileges Required  MPR         [X,N,L,H]         No           17
      Environmental   Modified User Interaction     MUI         [X,N,R]           No           18
      Environmental   Modified Scope                MS          [X,U,C]           No           19
      Environmental   Modified Confidentiality      MC          [X,N,L,H]         No           20
      Environmental   Modified Integrity            MI          [X,N,L,H]         No           21
      Environmental   Modified Availability         MA          [X,N,L,H]         No           22
      ====================================================================================================
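      The following Python script is an added example; it is not part of the CSAF-22 issue, the CSAF schema or the CVSS specification. It encodes Table 15 above as data and recomputes the three per-group maxima and the total from the analysis, so the 117 and 131 figures can be checked mechanically rather than by hand. Because Table 15 lists the Not Defined code as the one-character "X" while the analysis assumes the two-character spelling "ND", the width of that value is a parameter: with "X" the result is 117, with "ND" it is 131, and the longest "ND" vector the script builds is exactly the sample string in the analysis. The `within_limit` function is the kind of length rule a schema restriction would enforce; its default of 131 (the figure without terminator bytes) is taken from the proposal, and the function and constant names are this example's own.

```python
# Added example (not from the CSAF-22 issue or the CSAF project): recompute the
# maximal CVSS v3.0 vector string length from Table 15 and check a length limit.

# Table 15 as (metric group, name code, possible values). "X" is the Not Defined
# code as listed in the table; the issue's analysis spells it "ND", so the width
# of that value is passed in as a parameter below.
TABLE_15 = [
    ("Base", "AV", "N,A,L,P"), ("Base", "AC", "L,H"), ("Base", "PR", "N,L,H"),
    ("Base", "UI", "N,R"), ("Base", "S", "U,C"), ("Base", "C", "H,L,N"),
    ("Base", "I", "H,L,N"), ("Base", "A", "H,L,N"),
    ("Temporal", "E", "X,H,F,P,U"), ("Temporal", "RL", "X,U,W,T,O"),
    ("Temporal", "RC", "X,C,R,U"),
    ("Environmental", "CR", "X,H,M,L"), ("Environmental", "IR", "X,H,M,L"),
    ("Environmental", "AR", "X,H,M,L"), ("Environmental", "MAV", "X,N,A,L,P"),
    ("Environmental", "MAC", "X,L,H"), ("Environmental", "MPR", "X,N,L,H"),
    ("Environmental", "MUI", "X,N,R"), ("Environmental", "MS", "X,U,C"),
    ("Environmental", "MC", "X,N,L,H"), ("Environmental", "MI", "X,N,L,H"),
    ("Environmental", "MA", "X,N,L,H"),
]
PREFIX = "CVSS:3.0"


def _values(possible, not_defined):
    """Expand the comma list, substituting the chosen Not Defined spelling for X."""
    return [not_defined if v == "X" else v for v in possible.split(",")]


def group_lengths(not_defined="X"):
    """Per-group maxima, mirroring the three max(len(...)) lines of the analysis:
    n * len("/") + sum(len(code)) + n * len(":") + n * widest value."""
    totals = {}
    for group, code, possible in TABLE_15:
        widest = max(len(v) for v in _values(possible, not_defined))
        totals[group] = totals.get(group, 0) + len("/") + len(code) + len(":") + widest
    return totals


def max_vector_length(not_defined="X"):
    """len("CVSS:3.0") plus the three group maxima: 117 for "X", 131 for "ND"."""
    return len(PREFIX) + sum(group_lengths(not_defined).values())


def longest_vector(not_defined="X"):
    """One concrete vector reaching max_vector_length(); for "ND" this is the
    sample string given in the analysis."""
    parts = [PREFIX]
    for _group, code, possible in TABLE_15:
        # max() keeps the first widest value, so Base becomes AV:N/AC:L/PR:N/...
        parts.append(code + ":" + max(_values(possible, not_defined), key=len))
    return "/".join(parts)


def within_limit(vector, limit=131):
    """Length rule as a schema restriction would apply it (131 = no terminator).
    The limit value is the one proposed in this issue, not a CSAF constant."""
    return len(vector) <= limit


if __name__ == "__main__":
    for nd in ("X", "ND"):
        print(nd, group_lengths(nd), max_vector_length(nd))
        print(longest_vector(nd))
```

Running the script prints the per-group sums (36, 14 and 59 for "X"; 36, 17 and 70 for "ND") next to the totals, which is a quicker way to re-check the arithmetic than counting characters in the sample vectors by hand.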

        People

        • Assignee: sdrees Stefan Hagen
        • Reporter: trfridle Troy Fridley (Inactive)
        • Watchers: 1