Security/VMT-Metrics

Introduction
The OpenStack Security Group suggests that, when the VMT creates OpenStack Security Advisories, it use the following metrics to score the potential impact of vulnerabilities on OpenStack deployments.

As with all scoring systems, this will not be universally applicable, but it will provide basic guidance on the severity of each vulnerability.

The OSSG has adapted the DREAD metric as a basis for OpenStack vulnerability impact assessment. We adapted each of the scoring categories to better reflect the impact of a vulnerability in a cloud context.

Public vs Private Cloud
One of the difficulties we face when trying to determine the impact of a vulnerability in OpenStack is understanding how it affects different deployment types. An argument can be made that authenticated users on a private cloud could be more trusted than in a public cloud. However, in designing this threat metric we assert that you cannot confidently trust all employees using a private cloud any more than you can trust users of a public cloud - an assertion somewhat validated by the regular identification of malicious insiders as one of the biggest threats to any organisation.

DREAD
DREAD scores five categories, each on a 0-10 scale. The five scores are summed and divided by five, giving a result from 0 to 10 where 0 indicates no impact and 10 is the worst possible outcome:

Risk = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5

Damage Potential

 * If the vulnerability is exploited, how much damage will be caused?
 * 0 = Nothing
 * 3 = Individual user data is compromised, affected or availability denied
 * 5 = All individual tenant data is compromised, affected or availability denied
 * 7 = All tenant data is compromised, affected or availability denied
 * 7 = Availability of a specific cloud controller component/service is denied
 * 8 = Availability of all cloud controller components is denied
 * 9 = Underlying cloud management and infrastructure data is compromised or affected
 * 10 = Complete system or data destruction, failure or compromise

Reproducibility

 * How reliably can the vulnerability be exploited?
 * 0 = Very hard or impossible, even for administrators. The vulnerability is unstable and statistically unlikely to be reliably exploited
 * 5 = One or two steps required, tooling / scripting readily available
 * 10 = Unauthenticated users can trivially and reliably exploit using only a web browser

Exploitability
Note: In this context, authentication refers to OpenStack users. Users on compute nodes, interacting with virtualised applications are considered to be non-authenticated. A hypervisor breakout would be considered a non-authenticated attack.
 * How difficult is the vulnerability to exploit?
 * 0 = N/A. We assert that every vulnerability is exploitable, given time and effort, so all scores should be 1-10
 * 1 = Even with direct knowledge of the vulnerability we do not see a viable path for exploitation
 * 2 = Advanced techniques required, custom tooling. Only exploitable by authenticated users
 * 5 = Exploit is available/understood, usable with only moderate skill by authenticated users
 * 7 = Exploit is available/understood, usable by non-authenticated users
 * 10 = Trivial - just a web browser

Affected Users

 * How many users will be affected?
 * 0 = None
 * 5 = Specific to a given project
 * 10 = All users impacted

Discoverability

 * How easy is it to discover the threat, i.e. to learn of the vulnerability? (By convention this is set to 10 even for privately reported vulnerabilities.)
 * 0 = Very hard to impossible to detect, even given access to source code and privileged access to running systems
 * 5 = Can figure it out by guessing or by monitoring network traces
 * 9 = Details of faults like this are already in the public domain and can be easily discovered using a search engine
 * 10 = The information is visible in the web browser address bar or in a form
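As an added illustration (not OSSG or VMT tooling, and not code from this page), the calculator below turns the five category scores above into the 0-10 risk figure, enforcing two rules stated in the rubric: Exploitability is never scored 0, and Discoverability defaults to 10 by convention. The category names and the sample scores are constructed for the example and are not the VMT's assessment of any advisory.

```python
"""Added example: calculator for the DREAD-style score described on this page.
Illustrative code only; not OpenStack VMT/OSSG tooling. Sample values are
constructed and do not represent the scoring of any real OSSA."""
from dataclasses import dataclass

# The five categories, each scored on the page's 0-10 scale.
CATEGORIES = (
    "damage",
    "reproducibility",
    "exploitability",
    "affected_users",
    "discoverability",
)


@dataclass(frozen=True)
class DreadScore:
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    # Convention from the page: set to 10 even for privately reported bugs.
    discoverability: int = 10

    def __post_init__(self) -> None:
        for name in CATEGORIES:
            value = getattr(self, name)
            if not isinstance(value, int) or not 0 <= value <= 10:
                raise ValueError(f"{name} must be an integer in 0-10, got {value!r}")
        # The page asserts that every vulnerability is exploitable given time
        # and effort, so Exploitability is scored 1-10, never 0.
        if self.exploitability == 0:
            raise ValueError("exploitability must be 1-10; 0 is not a valid score")

    def total(self) -> int:
        """Sum of the five category scores (0-50)."""
        return sum(getattr(self, name) for name in CATEGORIES)

    def risk(self) -> float:
        """Sum of the five categories divided by five, giving a 0-10 result."""
        return self.total() / 5

    def dominant_category(self) -> str:
        """Name of the category contributing most to the score (first on ties).

        Useful when comparing two advisories with similar totals: it shows
        whether the score is driven by damage, by reach, or by ease of use."""
        return max(CATEGORIES, key=lambda name: getattr(self, name))


def score_hypothetical_controller_dos() -> DreadScore:
    """Constructed example: an authenticated denial of service against one
    cloud controller service. Values are chosen from the rubric above purely
    to demonstrate the arithmetic; this is not a VMT score for any advisory."""
    return DreadScore(
        damage=7,           # availability of a specific controller service denied
        reproducibility=5,  # one or two steps, tooling readily available
        exploitability=5,   # understood exploit, moderate skill, authenticated
        affected_users=10,  # every user of that service loses it
        # discoverability left at the conventional 10
    )


if __name__ == "__main__":
    s = score_hypothetical_controller_dos()
    print(f"total={s.total()} risk={s.risk():.1f} dominant={s.dominant_category()}")
```

Because the page fixes Discoverability at 10, that category always contributes two points of the final score; the dataclass default encodes that so individual assessors do not have to remember it.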

Calibration
Here we take a number of recent OpenStack Security Advisories and attempt to apply the above metrics. Scoring will always be subjective but the hope is we can use these previous vulnerabilities to first tune the scoring for each category and use them later to validate scores for new vulnerabilities.

OSSA 2014-038

 * Title: List instances by IP results in DoS of nova-network
 * Link: https://bugs.launchpad.net/ossa/+bug/1358583
 * Importance Assigned: Medium

Summary
In a relatively small cloud of approximately 500 Compute Instances,

DREAD Score

 * Damage Potential:
 * Reproducibility:
 * Exploitability:
 * Affected Users:
 * Discoverability: 10