~3 hr. Score the SB6141 CSRF formally under CVSS v3.1. Produce the vector string + numeric score + per-metric justification. Defend against an adversarial peer review.
Goal: ship ~/adv-101/lab-8/cvss-scoring.md with: the CVSS v3.1 vector, the computed numeric score (from the FIRST.org calculator), one paragraph of per-metric justification per Base metric, and a 200-word adversarial-review response section that addresses two specific challenges.
Estimated time: ~3 hr.
Prerequisites: Week 8 lecture. Lab 2 (CSRF reproduction transcript; you cite specific behaviors).
Authorization line: Lab 8 is paper-only (no hardware contact). Notebook line:
Lab 8 session, 2026-MM-DD HH:MM. CVSS v3.1 scoring exercise; no hardware contact;
references Lab 2 reproduction transcript.
Setup
mkdir -p ~/adv-101/lab-8
cd ~/adv-101/lab-8
Open the FIRST.org calculator in your browser:
https://www.first.org/cvss/calculator/3.1
Have ready:
- Lab 1 annotation (your CVE-record reading)
- Lab 2 reproduction transcript (specific behaviors observed)
- The FIRST.org CVSS v3.1 Specification document (open in another tab)
Part A: Score at the calculator (~30 min)
Walk through the 8 Base metrics at the calculator. For each, make a deliberate choice. The recommended choices for the SB6141 CSRF (factory-reset action specifically):
| Metric | Suggested value | Why |
|---|---|---|
| Attack Vector (AV) | N (Network) | CSRF triggers via HTTP from any browser the victim uses |
| Attack Complexity (AC) | L (Low) | Works any time the modem is operational; no special conditions |
| Privileges Required (PR) | N (None) | Modem has no authentication |
| User Interaction (UI) | R (Required) | Victim must load the attacker's page in a browser |
| Scope (S) | U (Unchanged) | Impact is confined to the modem; no escape to other systems |
| Confidentiality (C) | L (Low) OR N (None) | Defensible either way; pick and defend |
| Integrity (I) | H (High) | Configuration replaced with defaults; full integrity loss |
| Availability (A) | H (High) OR L (Low) | Defensible either way; pick and defend |
Click each radio button at the calculator. Observe the vector string and computed score update.
Expected vector (with C=L, A=H): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H -> roughly 8.3 (High).
Expected vector (with C=N, A=L): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L -> roughly 6.5 (Medium).
The choice of C and A is your scoring discretion; pick and defend.
Capture the calculator's output. Take a screenshot or paste the calculator-page URL with your chosen values embedded.
Part B: Write the per-metric justification (~75 min)
For each Base metric, write one paragraph that:
- Names the spec definition (cite the FIRST.org Specification Document section).
- Names the SB6141 behavior that matches the definition (cite your Lab 2 transcript or the CVE record).
- States the chosen value.
Template per metric:
### Attack Vector: N (Network)
**Spec definition:** Per CVSS v3.1 Specification §2.1.1, Attack Vector = Network applies
when "the vulnerable component is bound to the network stack and the set of possible
attackers extends beyond the other options listed... such a vulnerability is often
termed 'remotely exploitable.'"
**SB6141 behavior:** The CSRF triggers via a standard HTTP request. The request can be
issued by any browser the victim uses, on any network from which the browser can reach
the modem (typically the local LAN, where the modem is the default route's gateway).
The Lab 2 reproduction transcript shows the request issued from a laptop on the lab
network; the same request issued from any other LAN-resident device would behave
identically.
**Choice:** **N** (Network). The vulnerability is reachable via the network stack;
the attacker is not constrained to physical or local-account access.
Write one paragraph per metric (AV, AC, PR, UI, S, C, I, A). Total ~8 paragraphs.
For the C and A metrics specifically, include your reasoning for the close-call choice. Example for C:
### Confidentiality: L (Low)
**Spec definition:** Per CVSS v3.1 Specification §2.4.1, Confidentiality Impact = Low
applies when "there is some loss of confidentiality. Access to some restricted
information is obtained, but the attacker does not have control over what information
is obtained, or the amount or kind of loss is constrained."
**SB6141 behavior:** The factory-reset action itself does not directly leak data; the
modem's admin interface, before the reset, contained the operator's configuration (Wi-Fi
SSID; custom DNS settings; firewall rules). The reset does not expose this data to the
attacker; it erases it. There is no exfiltration; there is no confidentiality leak in
the direct CSRF action.
**Choice consideration:** A strict reading says C:N (no direct confidentiality impact;
the action's effect is integrity loss, not confidentiality leak). A broader reading says
C:L (the operator's existence as a configured user is revealed by the fact that the
modem held a configuration before the reset; an attacker observing the reset can infer the
modem was in use; low-confidentiality impact). The cohort default is L (the broader
reading) for consistency across student work; alternative scoring with C:N is defensible
and the disagreement is documented in the adversarial-review section below.
**Choice:** **L** (Low), with the cohort-default rationale.
Part C: Adversarial-review response section (~30 min)
Pair with a cohort peer (or generate two adversarial challenges yourself; the cohort-peer route is preferred). Each of you produces two challenges to the other's scoring. Respond to each challenge in writing.
Format:
## Adversarial-review responses
### Challenge 1: "Availability should be L, not H"
**Challenger's argument:** The SB6141 outage during factory-reset is ~60 seconds. CVSS A:H
is for "total loss of availability"; a 60-second outage is bounded and brief.
**Response:** Per CVSS v3.1 Specification §2.4.3, Availability Impact = High applies when
"there is total loss of availability, resulting in the attacker being able to fully deny
access to resources in the impacted component." During the ~60s reset window, the modem
is COMPLETELY unavailable; this is a total loss FOR THAT WINDOW. The fact that
availability returns is the "transient" nature of the impact, not the magnitude. CVSS
v3.1 does not have a "Transient" or "Bounded-Duration" modifier; the High applies when
the impact during the affected window is total. I retain A:H.
**Alternative defense:** A reviewer who weights the bounded duration heavily could
defensibly score A:L. The cohort default is H; I retain H for consistency.
### Challenge 2: "Privileges Required should be L, not N, because the attacker must be on the network"
**Challenger's argument:** The CSRF requires the victim's browser to be in a network
position to reach the modem. This is a network-level "privilege" the attacker must wield
indirectly.
**Response:** This conflates Privileges Required with Attack Vector. PR specifically means
"the level of privileges an attacker must possess BEFORE successfully exploiting the
vulnerability"; per the spec, this is privilege on the VULNERABLE COMPONENT, not network
position. The attacker has no account on the modem; PR = N. The network-position
requirement is captured in AV = N (the attacker can reach the modem from the network)
and UI = R (the victim must take action). The challenger's framing would double-count
network position. I retain PR:N.
The adversarial-review section is the most important part of the lab; it demonstrates the discipline of defending each metric individually rather than the gestalt score.
Part D: Assemble the artifact (~30 min)
Combine into cvss-scoring.md:
# CVSS v3.1 Scoring: SB6141 CSRF (CERT/CC VU#419568)
## Vector
`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H`
## Score
8.3 (High)
Computed via the FIRST.org Calculator (https://www.first.org/cvss/calculator/3.1)
## Per-metric justification
### Attack Vector: N (Network)
(... paragraph per Part B template ...)
### Attack Complexity: L (Low)
(... paragraph ...)
### Privileges Required: N (None)
(... paragraph ...)
### User Interaction: R (Required)
(... paragraph ...)
### Scope: U (Unchanged)
(... paragraph ...)
### Confidentiality: L (Low)
(... paragraph with close-call reasoning ...)
### Integrity: H (High)
(... paragraph ...)
### Availability: H (High)
(... paragraph with close-call reasoning ...)
## Adversarial-review responses
(... 2 challenge-response pairs from Part C ...)
## Comparison with NVD
NVD's score for VU#419568 (if present): N/A or <score from NVD if available>.
My divergences from NVD's scoring: <list>.
## Closing reflection
(~150 words)
The scoring exercise surfaces three things: (a) the precision the CVSS spec requires;
(b) the discretion the spec leaves to the scorer (particularly C and A in this CVE);
(c) the value of writing the per-metric reasoning down, both for credibility and for
my own clarity. The score I produced (8.3) is in the cohort-expected range; small
variations from peer scores reflect honest interpretive differences, not error.
The single most useful insight from this lab: the score is not the report. The score
is one section of the report; the per-metric justification is the supporting evidence.
A bare 8.3 means little; a vector + justification + adversarial-review response is the
defensible package.
---
*Lab 8 artifact for ADV-101 Week 8. Author: <your name>. Date: 2026-MM-DD.*
Part E: Commit + portfolio (~15 min)
cd ~/adv-101/lab-8
git add cvss-scoring.md
git commit -m "Lab 8: CVSS v3.1 score for SB6141 CSRF; vector + per-metric justification + adversarial-review responses"
cd ~/adv-101
cat >> lab-portfolio.md <<EOF
### Lab 8 session, 2026-MM-DD HH:MM
**Target:** none (paper-only scoring exercise)
**Action:** CVSS v3.1 scoring of VU#419568; produced vector + per-metric justification +
adversarial-review responses
**Authorization basis:** paper-only; no hardware contact
**Session duration:** ~3h
**Artifacts produced:** lab-8/cvss-scoring.md
**Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H (8.3 High)
**Incidents:** none
EOF
git add lab-portfolio.md
git commit -m "Portfolio: Lab 8 session entry"
Expected output / artifact
~/adv-101/lab-8/cvss-scoring.md containing:
- The CVSS vector string
- The numeric score
- One paragraph of justification per Base metric (8 paragraphs)
- The adversarial-review responses (2+ challenge-response pairs)
- Comparison with NVD score (if available)
- Closing reflection (~150 words)
What's the failure mode?
- Score-inflation from researcher pride. "It's a remote unauthenticated thing; must be 9+!" Defense: cite the spec per metric; the spec's metric definitions constrain.
- Score-deflation from vendor sympathy. "It's an EOL device; nobody's at risk." Irrelevant; CVSS Base is the vulnerability's intrinsic severity, not the operator's residual risk.
- Skipping the per-metric justification. A bare score is not defensible; the justification IS the artifact.
- Treating the adversarial-review as a hostile exercise. The peer's challenges are an opportunity to test your reasoning; respond with reasoning, not defensiveness.
Common pitfalls
- Confusing CVSS Base with NVD's published score. NVD often scores the same CVE; for VU#419568 specifically, NVD may not have it scored (the CVE is from before NVD's universal coverage). Your independent score is what matters for the lab; comparison with NVD when available is a check.
- Picking C:H reflexively. "Configuration loss must be confidentiality!" No, that's integrity. Confidentiality is about exposure of data; integrity is about modification of data. The factory-reset's effect is integrity (data MODIFIED to defaults), not confidentiality (data EXPOSED to unauthorized observer).
- CVSS v4.0 confusion. v4.0 exists; the academy still uses v3.1 because NVD still uses v3.1. Forward-stretch: try the v4.0 calculator at
https://www.first.org/cvss/calculator/4.0 and compare your vectors; not graded for Lab 8.
What would a reviewer ask?
- "Defend your AC:L choice. Why not AC:H?"
- "If I argue C:N is the correct choice, walk me through your counter-argument."
- "Your A:H assumes the bounded outage is still total. Is there a CVSS revision that captures bounded-duration impact better?"
Stretch (optional)
- Score the SB6141 reboot action separately. The CVE record names multiple destructive endpoints (factory-reset; reboot; others). Score the reboot action (less destructive than factory-reset) under CVSS v3.1; produce a separate vector.
- Score under CVSS v4.0. The calculator is at https://www.first.org/cvss/calculator/4.0; compare with your v3.1 score; document divergences.
- Score Cable Haunt (CVE-2019-19494) for comparison. Cable Haunt is structurally different (buffer overflow vs CSRF). Produce its CVSS vector; compare with the SB6141 CSRF; what does the difference tell you about scoring different bug classes?
- Score a recent SB6141-class CVE. Search the CVE database for other consumer-router or cable-modem CVEs from 2024-2026; score one; compare with NVD's score.
Lab 8 v0.1.