... | ... | @@ -51,12 +51,12 @@ bconry: exempting things because of our assessment of them being "rarely used" i |
|
|
|
|
|
* N - None - matching allow-query (and friends) is not "privileges", not even for an attack that must be performed over TCP
|
|
|
* L - Low - the attacker has some privileges, but is not an admin. Some DNS specific examples:
|
|
|
* is primary for a zone that the target system is secondary for (covers both RPZ and catz)
|
|
|
* has XFR privileges for one or more zones the target server is authoritative for
|
|
|
* has a key for rndc that allows only read-only operations
|
|
|
* has credentials that BIND can validate using GSSAPI
|
|
|
* knows the secret for any configured key
|
|
|
* H - High - attacker must have admin privileges over the target system
|
|
|
* H - High - attacker must have admin privileges over the target system. Besides the official admins, we also include:
|
|
|
* is primary for a zone that the target system is secondary for (covers both RPZ and catz in addition to normal zones)
|
|
|
|
|
|
### User Interaction (UI)
|
|
|
|
... | ... | @@ -66,6 +66,36 @@ bconry: exempting things because of our assessment of them being "rarely used" i |
|
|
* For daemons there really isn't any user interaction possible, unless one maybe counts running a specific `rndc` command after the attacker does something.
|
|
|
* Other possibilities are the Windows installer and the various other command-line tools such as DiG.
|
|
|
|
|
|
### Scope (S)
|
|
|
|
|
|
* U - Unchanged - only the specified component (typically named) is affected
|
|
|
* C - Changed - the attack gives the attacker the ability to affect things outside of the directly-affected component. The canonical DNS example of this is cache poisoning.
|
|
|
|
|
|
### Confidentiality ((C)
|
|
|
|
|
|
* N - None
|
|
|
* L - Low - attacker is able to obtain data that is not intended to be readily disclosed but is "ordinary" data
|
|
|
* regular zone contents, even for zones that an attacker would not otherwise be able to query
|
|
|
* policy zone contents
|
|
|
* catalog zone contents, except when/if they might contain encryption key data (not just the key name)
|
|
|
* H - High - attacker is able to obtain "high value" data, such as passwords or encryption keys
|
|
|
|
|
|
### Integrity (I)
|
|
|
|
|
|
* N - None
|
|
|
* L - Low - attacker is able to modify data, but not control what data is modified and/or what it is modified to
|
|
|
* H - High - attacker is able to modify data. Note that this will almost always imply Scope:Changed as well.
|
|
|
* zone update ACL bypass
|
|
|
* cache poisoning
|
|
|
|
|
|
### Availability (A)
|
|
|
|
|
|
* N - None
|
|
|
* L - Low - Any impairment in which "the attacker does not have the ability to completely deny service to legitimate users"
|
|
|
* H - High - the attacker is able to completely deny service to legitimate users
|
|
|
* explicitly includes cases where the impairment lasts only as long as the attacker is able to deliver the attack
|
|
|
* explicitly includes cases where the attacker is able to eventually cause complete loss of service (the example given is a small memory leak that will lead to memory exhaustion with continued exploitation)
|
|
|
|
|
|
### Exploit Code Maturity (E)
|
|
|
|
|
|
* X - Not Defined
|
... | ... | |
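Review bot: the "Confidentiality ((C)" heading has a doubled opening parenthesis and should read "### Confidentiality (C)" to match the other headings in this hunk. In the Integrity section, the H entry ("attacker is able to modify data") does not actually distinguish itself from L ("modify data, but not control what data is modified and/or what it is modified to"); say explicitly that High means the attacker chooses both what is modified and the resulting value. The follow-on sentence "this will almost always imply Scope:Changed as well" is also misleading against CVSS 3.x, where Scope depends on whether the impact crosses a security authority boundary rather than on the integrity level: of the two examples listed, "zone update ACL bypass" changes data under the server's own authority (S:U), while "cache poisoning" affects the resolver's clients (S:C), which is exactly the contrast the Scope section above draws with its own cache-poisoning example. Suggest replacing the sentence with a note that Scope is assessed separately, using cache poisoning as the case where it flips to Changed.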