CVSS Score Remote or Local Scenario
I have to deal with a lot of CVSSv2 and CVSSv3 scores for many, many years. What troubles me like forever is what default attack scenario shall be defined for a vulnerability. Let’s take a malicious Office document as an example. As soon as it is opened it is able to run code within the context of the user. There are two possible scenarios which lead to two different CVSSv3 vectors:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L -> 6.3
This is the traditional scenario applied by malware which spreads via email over the Internet (AV:N). An user (victim) has to open the file willingly (UI:R) to initiate the code execution.
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L -> 5.3
This is the other scneario where a local attacker (AV:L) abuses the vulnerability to gain elevated privileges. No unwanted user interaction (UI:N) is required by the “victim” (because the attacker and the victim are not the same person in this scenario).
Which one is right or better? We tend to use the one with the higher score if it is a realistic scenario. This discussion applies to every vulnerability that might also be used willingly within a local attack scenario (e.g. most browser-based attacks).