Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631

[Solar Designer <solar () openwall com>]

Thank you Greg for looking into these issues.  It's great that most
longterm kernel trees appear already fixed.

On Tue, Jan 30, 2024 at 08:34:03AM -0800, Greg KH wrote:
> Yeah, that looks really high but who knows how CVSS scores really are
> calculated :)

Actually, we do - this is transparent.  NVD publishes not only the
scores, but also all the inputs, and the formula is public and they have
a calculator on their website:

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

Vulnerability scoring is genuinely difficult.  I think CVSS is a pretty
good attempt at standardizing it, but it cannot capture all the nuance,
especially not in the Base Score.

For CVE-2021-33631 (the ext4 BUG), both the distro vendor's and NVD's
CVSS input vectors specify AV:L/AC:L/PR:L/UI:N, which means the
vulnerability can be triggered by a local system user at will and
without additional privileges.  I'd say that deliberately getting the
kernel to work on a corrupted filesystem requires at least one of:
physical access (AV:P) or privileges on the system (PR:H) or user
interaction (UI:R).  However, there's no way to encode this in one CVSS
vector.  Also, in the physical access case, at least the availability
impact typically does not apply (would be A:N).

Maybe having multiple CVSS vectors per vulnerability (and then taking
the average score?) could be a solution, but it'd require that someone
very familiar with the affected component and its usage actually spend
time thinking of all relevant combinations.  Not likely to happen.

Alexander