oss-sec mailing list archives
Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631
From: Solar Designer <solar () openwall com>
Date: Tue, 30 Jan 2024 22:45:00 +0100
Thank you Greg for looking into these issues. It's great that most longterm kernel trees appear already fixed. On Tue, Jan 30, 2024 at 08:34:03AM -0800, Greg KH wrote:
Yeah, that looks really high but who knows how CVSS scores really are calculated :)
Actually, we do - this is transparent. NVD publishes not only the scores, but also all the inputs, and the formula is public and they have a calculator on their website: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator Vulnerability scoring is genuinely difficult. I think CVSS is a pretty good attempt at standardizing it, but it cannot capture all the nuance, especially not in the Base Score. For CVE-2021-33631 (the ext4 BUG), both the distro vendor's and NVD's CVSS input vectors specify AV:L/AC:L/PR:L/UI:N, which means the vulnerability can be triggered by a local system user at will and without additional privileges. I'd say that deliberately getting the kernel to work on a corrupted filesystem requires at least one of: physical access (AV:P) or privileges on the system (PR:H) or user interaction (UI:R). However, there's no way to encode this in one CVSS vector. Also, in the physical access case, at least the availability impact typically does not apply (would be A:N). Maybe having multiple CVSS vectors per vulnerability (and then taking the average score?) could be a solution, but it'd require that someone very familiar with the affected component and its usage actually spend time thinking of all relevant combinations. Not likely to happen. Alexander
Current thread:
- FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Armin Kuster (Jan 30)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Solar Designer (Jan 30)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Greg KH (Jan 30)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Solar Designer (Jan 30)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Greg KH (Jan 30)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Demi Marie Obenour (Jan 31)
- Re: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Roxana Bradescu (Feb 02)
- Re: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Demi Marie Obenour (Feb 02)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Greg KH (Jan 30)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Solar Designer (Jan 30)