
Calculating CVSS scores for vulnerabilities in multi-tenant applications

Çağlar Arlı


Introduction

Multi-tenant vs single-tenant software architectures

Software multitenancy is a software architecture in which a single instance of software runs on a server and serves multiple tenants. Systems designed in such a manner are "shared" (rather than "dedicated" or "isolated"). A tenant is a group of users who share a common access with specific privileges to the software instance. With a multitenant architecture, a software application is designed to provide every tenant a dedicated share of the instance - including its data, configuration, user management, tenant individual functionality and non-functional properties. Multitenancy contrasts with single-tenant architectures, where separate software instances operate on behalf of different tenants. [Wikipedia]

CVSS3 exploitability and impact metrics

As per the CVSS 3.1 spec:

Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component. Each of the Exploitability metrics should be scored relative to the vulnerable component, and reflect the properties of the vulnerability that lead to a successful attack.

If a scope change has not occurred, the Impact metrics should reflect the Confidentiality, Integrity, and Availability impacts to the vulnerable component. However, if a scope change has occurred, then the Impact metrics should reflect the Confidentiality, Integrity, and Availability impacts to either the vulnerable component, or the impacted component, whichever suffers the most severe outcome. Analysts should constrain impacts to a reasonable, final outcome which they are confident an attacker is able to achieve.


An example

Let's take a look at the SearchBlox CSRF vulnerability. SearchBlox is single-tenant software, meaning that each tenant must install it on their own server, as indicated on the vendor's website.

This is FIRST's official CVSS calculation of the above vulnerability:

CVSS v3.1 Base Score: 8.8

Metric              | Value     | Comments
--------------------|-----------|----------------------------------------------------------------
Attack Vector       | Network   | A victim must access a vulnerable system via the network.
Attack Complexity   | Low       | Sending a link to the victim does not require significant reconnaissance.
Privileges Required | None      | The attacker does not need any permissions to perform this attack; the attacker lets the victim perform the action on the attacker's behalf.
User Interaction    | Required  | The victim must click a specially crafted link provided by the attacker.
Scope               | Unchanged | The vulnerable component is SearchBlox. The impacted component is also SearchBlox, as the actions only affect the SearchBlox configuration.
Confidentiality     | High      | The attacker can obtain permissions to view all confidential data contained in SearchBlox.
Integrity           | High      | User accounts can be modified at will, as well as the SearchBlox configuration.
Availability        | High      | The SearchBlox configuration may be modified so as to disable services.

This calculation makes a lot of sense to me. Confidentiality, Integrity and Availability represent the impact that an attacker can achieve on a particular instance of the vulnerable software. I agree that it should be High in all cases (Confidentiality, Integrity and Availability), since the CSRF can be triggered on a user with administrative privileges, leading to the full compromise of the SearchBlox instance. As this attack requires the victim to navigate to a malicious URL in order to trigger the CSRF, I also agree with User Interaction - Required. In conclusion, I fully agree with FIRST's CVSS calculation of this vulnerability.


The questions

Let's suppose that SearchBlox decides to migrate to a cloud-based platform, where each of the SearchBlox's customers (tenants) can manage their organization's information and settings, without having to host the software application on their own servers. As explained earlier, this is known as a multi-tenant software architecture. Suppose that the CSRF vulnerability is also present in the new multi-tenant application, and it can be exploited in the exact same way (the CSRF can be triggered on a user with administrative privileges, leading to the full compromise of the user's organization).

  • Should both vulnerabilities have the same CVSS score?

From my point of view, both vulnerabilities should have the same CVSS score, since both vulnerabilities are essentially the same. The only difference is the underlying software architecture (single-tenant vs multi-tenant) where the vulnerability takes place.

  • How should we calculate the CVSS score in this new scenario?

The CVSS 3 (and CVSS 4) specifications do not give any specific guideline for scoring vulnerabilities in multi-tenant software architectures, even though multi-tenant architectures are very common nowadays. Since in multi-tenant architectures there is only a single instance of the software, it might be reasonable to think that the vulnerable component is the server running the multi-tenant software. However, I think that this definition of vulnerable component for multi-tenant architectures is problematic, because it leads to apparently contradictory scores. For example, if we recalculate the CVSS score of the CSRF vulnerability after migrating from a single-tenant to a multi-tenant architecture, we get a much lower CVSS score:

CVSS v3.1 Base Score: 6.3

Metric              | Value     | Comments
--------------------|-----------|----------------------------------------------------------------
Attack Vector       | Network   | A victim must access a vulnerable system via the network.
Attack Complexity   | Low       | Sending a link to the victim does not require significant reconnaissance.
Privileges Required | None      | The attacker does not need any permissions to perform this attack; the attacker lets the victim perform the action on the attacker's behalf.
User Interaction    | Required  | The victim must click a specially crafted link provided by the attacker.
Scope               | Unchanged | The vulnerable component is SearchBlox. The impacted component is also SearchBlox, as the actions only affect the SearchBlox configuration.
Confidentiality     | Low       | The attacker can view all confidential information of a single organization/tenant.
Integrity           | Low       | The attacker can modify all information and settings of a single organization/tenant.
Availability        | Low       | Loss of availability is limited to a single organization/tenant.

Since the vulnerable component is now a huge multi-tenant application containing the data of thousands of tenants, the relative impact of the CSRF attack has decreased substantially compared to the single-tenant version. This results in a much lower CVSS score. As I said earlier, this seems contradictory to me, since both vulnerabilities should have the same score regardless of the underlying architecture (single-tenant or multi-tenant).