
I am using CVSS to do the vulnerability assessment for my project.

As per the documentation, here are the definitions of Local and Adjacent:

Adjacent (A) The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared physical (e.g., Bluetooth or IEEE 802.11) or logical (e.g., local IP subnet) network, or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN to an administrative network zone). One example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery (IPv6) flood leading to a denial of service on the local LAN segment (e.g., CVE‑2013‑6014).

Local (L) The vulnerable component is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).

I want to list the assets which will be exploited by local and adjacent threat agents for the components below.

  1. Client EXE - Which will be installed on devices
  2. Cloud system - EXE communicates with a cloud system

Questions:

  1. Does the EXE fall under both local and adjacent?
  2. The VM deployed in the cloud system can be accessed by SSH. Does it also belong to local?
  3. Is accessing a resource remotely by SSH a local or a network threat agent?

Architecture diagram (image not available in this copy)

    FYI: you don't usually need to define your terms if there is an existing tag for the term. But I see that the tag is empty. You could submit a tag edit to include the definition you have.
    – schroeder
    Commented Sep 1, 2020 at 14:33

1 Answer

  1. You cannot assign an Attack Vector (AV) to a component, only to a specific vulnerability to that component.
  2. If the vulnerability can be exploited by using an SSH connection from a local network, set the AV to Adjacent.
  3. Depends on where the connection of the attacker is coming from. If it's coming from the internet, use Network. If you need to be already in some LAN, use Adjacent.

The CVSS user guide gives you a nice flowchart telling you how to decide which values to use in your CVSS vector.
