Security Severity Ratings/Merge: Difference between revisions

The following items are keywords for the severity of an issue.

sec-critical

Run attacker code with local user privilege or install malicious software, requiring no user interaction beyond normal browsing.

Examples:

• Overflows resulting in native code execution
• JavaScript injection into browser chrome
• Launching of arbitrary local application with provided arguments
• Filetype spoofing where executables can masquerade as benign content types
• Installation & execution of plugins/modules with chrome/native privileges, without user consent or via user dialog fatigue
• Any crash where random memory or NULL is executed (the top of the stack is not a function)
• Any crash where random memory is accessed
• Any bug where random memory is written to is critical
• Any bug where random memory is read from and then used in a subsequent memory or jump operation (offset, array, etc) is critical
• Exploitable vulnerabilities which can lead to the widespread compromise of many users.
  • XSS (Stored)
  • CSRF
  • Code Injection
  • Authentication Flaws (which lead to account compromise)
  • Session Management Flaws (which lead to account compromise)

sec-high

Obtain confidential data from other sites the user is visiting or the local machine, or inject data or code into those sites, requiring no more than normal browsing actions. Indefinite DoS of the user's system, requiring OS reinstallation or extensive cleanup. Exploitable web vulnerabilities that can lead to the targeted compromise of a small number of users.

Examples:

• Cross-site Scripting (XSS)
• Theft of arbitrary files from local system
• Spoofing of full URL bar or bypass of SSL integrity checks
• Memory read that results in data being written into an inert container (ie string or image) that is subsequently accessible to content
• XSS (Reflected)
• Failure to use TLS where needed to ensure confidential/security

sec-moderate

Disclosure of sensitive information that represents a violation of privacy but by itself does not expose the user or organization to immediate risk. The vulnerability combined with another moderate vulnerability could result in an attack of high or critical severity (aka stepping stone). Indefinite application Denial of Service (DoS) via corruption of state, requiring application re-installation or temporary DoS of the user's system, requiring reboot.Vulnerabilities which can provide an attacker additional information or positioning that could be used in combination with other vulnerabilities. The lack of standard defense in depth techniques and security controls.

Examples:

• Disclosure of OS username
• Disclosure of browser cache salt
• Disclosure of entire browsing history
• Detection of arbitrary local files
• Launching of arbitrary local application without arguments
• Local storage of passwords in unencrypted form
• Persistent DoS attacks that prevent the user from starting Firefox or another application in the future
• Missing Additional Security Controls (x-frame options, SECURE/HTTPOnly flags, etc)
• Error Handling Issues

sec-low

Minor security vulnerabilities such as leaks or spoofs of non-sensitive information. Missing best practice security controls

Examples:

• Detection of previous visit to a specific site
• Identification of users by profiling browsing behavior.
• Corruption of chrome dialogs or user input without the ability to spoof arbitrary messages
• Lack of proper input validation (not resulting in XSS or injection)
• Content spoofing (non-html)

sec-other

Bugs that may not be exploitable security issues but are kept confidential to protect sensitive information. Bugs that contain sensitive information about the bug submitter or another user Bugs that are related to security issues currently unfixed in Mozilla products or other products

Examples:

• Flaws we need to track that are not in our code base

Mitigating Circumstances

If there are mitigating circumstances that severely reduce the effectiveness of the exploit, then the exploit could be reduced by one level of severity. Examples of mitigating circumstances include difficulty in reproducing due to very specific timing or load order requirements, complex or unusual set of actions the user would have to take beyond normal browsing behaviors, or unusual software configuration.

As a rough guide, to be considered for reduction in severity an exploit should execute successfully less than 10% of the time. If measures can be taken to improve the reliability of the exploit to over 10% (by combining it with other existing bugs or techniques), then it should not be considered to be mitigated.

Blocker

Anything which is easily exploitable or reproducible and/or we are seeing active attempts to exploit. Anything which has a high impact to Mozilla should also be considered. This priority flag should communicate that other work is blocked

by this issue and it should be resolved immediatly. Examples:

• SQL injection or Injection Flaws and Remote File Inclusion (RFI)
• Anything which has been publicized as a 0day which falls into the 'Critical' category.
• Flaws being activly used in the wild (chemspill?).

Critical

Vulnerabilities which are exploitable and/or hard to reproduce. We are also not seeing these being actively exploited or have another means to protect against a vulnerability.

Examples:

• XSS
• CSRF and Authentication or token handling issues

Major: Vulnerabilities which have a slightly less degree of impact compared to Critical.

Examples:

• Content Spoofing
• Information Disclosure or Error Handling

Normal

Internal vulnerability with a low likelihood of being remotely exploitable.