security-breachlock / vuln-vects

A powerful, flexible CVSS parser, calculator and validator written for JavaScript/TypeScript.
https://security-breachlock.github.io/vuln-vects/
MIT License

Extended CVSS:3.1 score string seems broken #2

Closed Harm-Nullix closed 2 years ago

Harm-Nullix commented 2 years ago

I tried to put an extended CVSS score string I calculated using https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator.

The basic CVSS strings work perfectly, no trouble. The result however suggests that it is possible to put in an expanded string with temporal and environmental values (based on the output):

const CVSSCalculator = require('vuln-vects');

const vectorOne = 'AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H'
console.log(CVSSCalculator.validateCvssVector(vectorOne)); // true
console.debug(CVSSCalculator.parseCvssVector(vectorOne));
/* gives
CvssScore {
  _baseScore: 7.6,
  _impactSubscore: 4.717324107011478,
  _exploitabilitySubscore: 2.2682037840000002,
  _temporalScore: null, // see this
  _environmentalScore: null, // and this
  _modifiedImpactSubscore: null,
  _overallScore: 7.6
}
*/

However, using an extended score seems to break the calculation and throws an error:

const CVSSCalculator = require('vuln-vects');

const vectorOneExpanded = 'AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H/E:P/RL:T/RC:C/CR:H/IR:L/AR:L/MAV:N/MAC:H/MPR:X/MUI:R/MS:U/MC:L/MI:N/MA:N'
console.log(CVSSCalculator.validateCvssVector(vectorOneExpanded)); // false
console.debug(CVSSCalculator.parseCvssVector(vectorOneExpanded));
/* gives
RangeError: Invalid CVSS v3 impact value: "U"
    at Function.Cvss3VectorParser.parseModifiedImpact (/node_modules/vuln-vects/dist/cvss3-vector-parser.js:285:15)
    at Cvss3VectorParser.generateScoringEngine (/node_modules/vuln-vects/dist/cvss3-vector-parser.js:386:76)
    at Cvss3VectorParser.parse (/node_modules/vuln-vects/dist/cvss3-vector-parser.js:415:21)
    at MultiCvssVectorParser.parse (/node_modules/vuln-vects/dist/multi-cvss-vector-parser.js:33:36)
    at Object.parseCvssVector (/node_modules/vuln-vects/dist/index.js:69:19)
    at Object.<anonymous> (/index.js:22:30)
    at Module._compile (node:internal/modules/cjs/loader:1101:14)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1153:10)
    at Module.load (node:internal/modules/cjs/loader:981:32)
    at Function.Module._load (node:internal/modules/cjs/loader:822:12)
 */

while it should give something like

CvssScore {
  _baseScore: 5.4,
  _impactSubscore: ~2.5,
  _exploitabilitySubscore: ~2.8,
  _temporalScore: ~4.9
  _environmentalScore: ~3.5
  _modifiedImpactSubscore: ~2.1,
  _overallScore: 3.5
}

Run on node 16.13.2.

Am I doing something wrong, is this a bug, or is this a part that is not implemented yet? It is strange that the error says value "U", while in the whole string, not a single "U" value is found. It only exists in the "UI" and "MUI" keys. If not implemented, outputting the results should not be done; for it is confusing what the function of this calculator is.

Thank you for looking into this.

Full code:

const CVSSCalculator = require('vuln-vects');

const vectorOne = 'AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H'
console.log(CVSSCalculator.validateCvssVector(vectorOne)); // true
console.debug(CVSSCalculator.parseCvssVector(vectorOne));
/* gives
CvssScore {
  _baseScore: 7.6,
  _impactSubscore: 4.717324107011478,
  _exploitabilitySubscore: 2.2682037840000002,
  _temporalScore: null, // see this
  _environmentalScore: null, // and this
  _modifiedImpactSubscore: null,
  _overallScore: 7.6
}
*/

const vectorOneExpanded = 'AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H/E:P/RL:T/RC:C/CR:H/IR:L/AR:L/MAV:N/MAC:H/MPR:X/MUI:R/MS:U/MC:L/MI:N/MA:N'
console.log(CVSSCalculator.validateCvssVector(vectorOneExpanded)); // false
console.debug(CVSSCalculator.parseCvssVector(vectorOneExpanded));
/* gives
RangeError: Invalid CVSS v3 impact value: "U"
    at Function.Cvss3VectorParser.parseModifiedImpact (/node_modules/vuln-vects/dist/cvss3-vector-parser.js:285:15)
    at Cvss3VectorParser.generateScoringEngine (/node_modules/vuln-vects/dist/cvss3-vector-parser.js:386:76)
    at Cvss3VectorParser.parse (/node_modules/vuln-vects/dist/cvss3-vector-parser.js:415:21)
    at MultiCvssVectorParser.parse (/node_modules/vuln-vects/dist/multi-cvss-vector-parser.js:33:36)
    at Object.parseCvssVector (/node_modules/vuln-vects/dist/index.js:69:19)
    at Object.<anonymous> (/index.js:22:30)
    at Module._compile (node:internal/modules/cjs/loader:1101:14)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1153:10)
    at Module.load (node:internal/modules/cjs/loader:981:32)
    at Function.Module._load (node:internal/modules/cjs/loader:822:12)
 */

/* should give
CvssScore {
  _baseScore: 5.4,
  _impactSubscore: ~2.5,
  _exploitabilitySubscore: ~2.8,
  _temporalScore: ~4.9
  _environmentalScore: ~3.5
  _modifiedImpactSubscore: ~2.1,
  _overallScore: 3.5
}
 */

saikop99 commented 2 years ago

Hi @HarmNullix ,

Thanks for bringing this to our notice. This issue has been fixed on a separate branch and PR is up here - https://github.com/security-breachlock/vuln-vects/pull/3

Moreover, there is something I'd like to bring into light here.

The NVD Calculator here seems to interpret the vectors differently. The base score that you mentioned in your comment i.e., 5.4 seems to be wrong for the given vector. Here's why - NVD calculator interprets the vectors passed in their URL parameters based on the order in which they are passed rather than the keys and their values.

For example, let's consider the below vectors:

  1. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H/E:P/RL:T/RC:C/MAV:N/MAC:H/MPR:X/MUI:R/MS:U/MC:L/MI:N/MA:N/CR:H/IR:L/AR:L&version=3.1

  2. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H/E:P/RL:T/RC:C/CR:H/IR:L/AR:L/MAV:N/MAC:H/MPR:X/MUI:R/MS:U/MC:L/MI:N/MA:N&version=3.1

If the above vectors are carefully observed, they are the same; just the position/order of the Modified Environmental Metrics was changed (see the comparison screenshot for clarity). But the NVD calculator gives different scores for them, while in the ideal case it shouldn't.

vuln-vects library does not work on the order of data passed but on the keys and values of the different metrics to ensure robustness.

With that said, the score for the mentioned vector would be 3.1 but not 5.4 if I'm not wrong.
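
The key-based reading described in the comment above, as an added example that is not part of the thread and not vuln-vects' own code: a CVSS v3.1 vector is parsed by metric name, validated, and re-serialized in specification order, so the two orderings quoted above normalize to the same string. The names `parseVector`, `canonicalize` and `effectiveModified` are hypothetical, and the canonical form drops any `CVSS:3.x/` prefix.

```javascript
// Added example: key-based CVSS v3.1 vector handling (not vuln-vects' code).
// Allowed single-letter values per metric, listed in specification order.
const METRICS = new Map(Object.entries({
  AV: 'NALP', AC: 'LH', PR: 'NLH', UI: 'NR', S: 'UC', C: 'HLN', I: 'HLN', A: 'HLN',
  E: 'XHFPU', RL: 'XUWTO', RC: 'XCRU', CR: 'XHML', IR: 'XHML', AR: 'XHML',
  MAV: 'XNALP', MAC: 'XLH', MPR: 'XNLH', MUI: 'XNR', MS: 'XUC',
  MC: 'XHLN', MI: 'XHLN', MA: 'XHLN',
}));
const BASE = ['AV', 'AC', 'PR', 'UI', 'S', 'C', 'I', 'A'];

// Parse by metric name; position in the string carries no meaning.
function parseVector(vector) {
  const metrics = new Map();
  for (const part of vector.replace(/^CVSS:3\.[01]\//, '').split('/')) {
    const [key, value, ...rest] = part.split(':');
    if (rest.length > 0 || !METRICS.has(key)) {
      throw new RangeError(`Unknown metric: "${part}"`);
    }
    if (!value || value.length !== 1 || !METRICS.get(key).includes(value)) {
      throw new RangeError(`Invalid value for ${key}: "${value}"`);
    }
    if (metrics.has(key)) throw new RangeError(`Duplicate metric: ${key}`);
    metrics.set(key, value);
  }
  for (const key of BASE) {
    if (!metrics.has(key)) throw new RangeError(`Missing base metric: ${key}`);
  }
  return metrics;
}

// Re-serialize in specification order so equal vectors compare equal as strings.
function canonicalize(vector) {
  const metrics = parseVector(vector);
  return [...METRICS.keys()].filter((k) => metrics.has(k))
    .map((k) => `${k}:${metrics.get(k)}`).join('/');
}

// Modified metrics left at X (Not Defined) fall back to their base counterparts.
function effectiveModified(metrics) {
  const out = {};
  for (const key of BASE) {
    const m = metrics.get(`M${key}`);
    out[`M${key}`] = m && m !== 'X' ? m : metrics.get(key);
  }
  return out;
}

// The two orderings quoted in the comment above.
const REORDERED = 'AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H/E:P/RL:T/RC:C/MAV:N/MAC:H/MPR:X/MUI:R/MS:U/MC:L/MI:N/MA:N/CR:H/IR:L/AR:L';
const SPEC_ORDER = 'AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H/E:P/RL:T/RC:C/CR:H/IR:L/AR:L/MAV:N/MAC:H/MPR:X/MUI:R/MS:U/MC:L/MI:N/MA:N';
console.log(canonicalize(REORDERED) === canonicalize(SPEC_ORDER));
```

Normalizing vectors this way before storing or comparing them means a reordered string cannot produce a different metric assignment, and duplicate or unknown metrics are rejected instead of being silently scored.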

Harm-Nullix commented 2 years ago

Hi @saikop99 ,

I think you did a fine observation of a fluke in the vector parsing of another based on an issue in your own. I find that a cool way to approach your issues, doing some background search.

For my example, looking back.. I see that if I copy the string back into the calculator, other results come out. I think your point is valid, but I did some wrong copying of the scores myself too.

Thank you for your support and the PR!

codethatrocks commented 2 years ago

Hi. Just want to ask. Are you going to release a new npm version for the fix? Thank you in advance, Rocco

saikop99 commented 2 years ago

@lambdacasserole

lambdacasserole commented 2 years ago

@HarmNullix @codethatrocks @saikop99 @security-breachlock This is fixed in v1.1.0 (now on npm).