[GHSA-94jh-j374-9r3j] Correcting Attack Complexity to Reflect Remote Exploitation

[vulnerability-analyst]

Summary

This Pull Request proposes correcting the Attack Complexity rating for CVE-2023-26031 / GHSA-94jh-j374-9r3j to align with the CVSS v4 specification. Currently rated as Attack Complexity = Low, this assignment does not accurately reflect the conditions necessary for successful exploitation—particularly in remote scenarios, which lead to Attack Complexity = High.

Rationale

Below is the detailed rationale for updating the rating to Attack Complexity = High:

The vulnerability under discussion requires an attacker to possess target-specific login credentials to authenticate with the YARN cluster in remote exploitation scenarios according to the description excerpts:

If the YARN cluster is accepting work from remote (authenticated) users, this MAY permit remote users to gain root privileges.

If the YARN cluster is accepting work from remote (authenticated) users, and these users' submitted job are executed in the physical host, rather than a container, then the CVE permits remote users to gain root privileges.

This requirement aligns with the CVSS v4 definition of Attack Complexity = High, which states:

The attacker must gather some target-specific secret before the attack can be successful. A secret is any piece of information that cannot be obtained through any amount of reconnaissance. To obtain the secret, the attacker must perform additional attacks or break otherwise secure measures.

In this case, obtaining valid login credentials constitutes an example of such a target-specific secret, as it requires additional steps beyond typical reconnaissance methods. These credentials are essential to initiating the attack and introduce significant barriers, increasing the complexity of the exploit.

[shelbyc]

👋 Hi @vulnerability-analyst, thanks for reaching out with feedback about GHSA-94jh-j374-9r3j! I agree that it makes sense to tweak the CVSS v4 value. I have a question for you , though: Does it make more sense to set attack complexity to high or set attack requirements to present?

The CVSS v4 definition of attack requirements reads:

The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack.

The CVSS v4 definition of attack complexity reads:

Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place.

The quote that you provided leads me to believe that the attack does not require circumventing security measures, and therefore setting attack requirements to present might be more appropriate:

If the YARN cluster is accepting work from remote (authenticated) users, this MAY permit remote users to gain root privileges.

If the YARN cluster is accepting work from remote (authenticated) users, and these users' submitted job are executed in the physical host, rather than a container, then the CVE permits remote users to gain root privileges.

I think the YARN cluster accepting work from authenticated users is a good case for setting privileges required to low, which is already true in the CVSS v4 and CVSS v3 scores present in the advisory. However, accepting work from remote authenticated users and users submitting jobs being executed in a physical host doesn't indicate bypassing security measures.

For what it's worth, setting attack complexity to high has the same effect on the numerical CVSS v4 score as setting attack requirements to present:

• CVSS v4 of 7.7 when AC:H and AT:N: https://www.first.org/cvss/calculator/v4-0#CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
• CVSS v4 of 7.7 when AC:L and AT:P: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

[anonymous-nlp-student]

Thank you for your detailed response @shelbyc! I agree it is better to update the AT field. My friend @anonymous-nlp-student has created a new PR that incorporates your suggestion! You are free to close this PR.

[shelbyc]

@vulnerability-analyst and @anonymous-nlp-student Thank you both for your input! Since you both provided good and actionable information about the need to adjust either attack complexity or attack requirements to better align with the CVSS 3.1 score, I'll make sure you both get credit.

[advisory-database]

Hi @vulnerability-analyst! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!