Dossier-Attacks

          
| STRIDE threat category | SESAME Target/Asset | Description (Threat to asset) | Countermeasure | Example | Domain of Attack | Severity | CAPEC IDs | Vulnerabilities (CVE) |
|---|---|---|---|---|---|---|---|---|
| Spoofing | CESCM Portal | Stolen tenant identity | Authentication | Password policy | Social Engineering | Medium | 145: Checksum Spoofing | 1999-0077: Predictable TCP sequence numbers allow spoofing. |
| Spoofing | CESCM Portal | Obtaining users' information | Authentication | Password Policy / 2FA | Supply Chain | Medium | 148: Content Spoofing | 1999-0077: Predictable TCP sequence numbers allow spoofing. |
| Spoofing | SLA Monitoring Application | Requesting un-subscribe services | Access Control | Access policy | Supply Chain | Medium | 148: Content Spoofing | 1999-0074: Listening TCP ports are sequentially allocated, allowing spoofing attacks. |
| Spoofing | NFVO Coordinator | Stolen tenant identity | Authentication | Access policy | Social Engineering | Medium | 151: Identity Spoofing | 1999-0667: The ARP protocol allows any host to spoof ARP replies and poison the ARP cache to conduct IP address spoofing or a denial of service. |
| Spoofing | CESCM Portal | Stolen tenant identity | Authentication | Multi-factor Authentication | Social Engineering | Medium | 151: Identity Spoofing | 1999-0667: The ARP protocol allows any host to spoof ARP replies and poison the ARP cache to conduct IP address spoofing or a denial of service. -- OAuth makes no attempt to verify the authenticity of the authorization server. A hostile party could take advantage of this by intercepting the client's requests and returning misleading or otherwise incorrect responses. This could be achieved using DNS or Address Resolution Protocol (ARP) spoofing. |
| Spoofing | NFVO Coordinator | Associate data or activities with a person's identity and the adversary must be able to modify this identity without detection. | Data Confidentiality | IPSec and TLS mechanisms | Social Engineering | High | 195: Principal Spoof | 1999-0077: Predictable TCP sequence numbers allow spoofing. |
| Spoofing | Northbound Interface | Pretend to be controller to report incorrect statistics | Data Integrity | Messages signed by a trusted party | Communications | Medium | 218: Spoofing of UDDI/ebXML Messages | 2015-1611: OpenFlow plugin for OpenDaylight before Helium SR3 allows remote attackers to spoof the SDN topology and affect the flow of data, related to fake LLDP injection / 2013-2153: The XML digital signature functionality (xsec/dsig/DSIGReference.cpp) in Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.1 allows context-dependent attackers to reuse signatures and spoof arbitrary content via crafted Reference elements in the Signature, aka "XML Signature Bypass issue." |
| Spoofing | CESCM Portal | Control a user's interface to present them with a decoy action as well as the actual malicious action | Training | Avoid interacting with suspicious sites or clicking suspicious links. | Social Engineering | Very High | 173: Action Spoofing | 1999-011: RIP v1 is susceptible to spoofing |
| Spoofing | SLA Monitoring Application | Weaknesses in a cryptographic algorithm that allow a private key for a legitimate software vendor to be reconstructed | Access Control | Multi-factor authentication / data validation | Social Engineering | Medium | 473: Signature Spoof | 2015-1611: OpenFlow plugin for OpenDaylight before Helium SR3 allows remote attackers to spoof the SDN topology and affect the flow of data, related to fake LLDP injection / 2013-2153: The XML digital signature functionality (xsec/dsig/DSIGReference.cpp) in Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.1 allows context-dependent attackers to reuse signatures and spoof arbitrary content via crafted Reference elements in the Signature, aka "XML Signature Bypass issue." |
| Spoofing | Northbound Interface | Intercept communication / handling requests from untrusted applications | Application Antivirus | No handling of requests from untrusted applications | Supply Chain | Medium | 502: Intent Spoof | 2015-1611 / 2015-1612: openflowplugin: topology spoofing via LLDP / 2015-1610: l2switch: topology spoofing via hosttracker |
| Tampering | CESCM Portal | Cookie stealing | Data Confidentiality | Encryption | Supply Chain | High | 31: Accessing, Intercepting and Modifying HTTP Cookies | 2015-1993: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute |
| Tampering | NFVO Coordinator | Unauthorised change on database | Data Confidentiality | Encryption / Firewall | Supply Chain | High | 242: Code Injection | 2013-1892: Remote Code Injection Vulnerability |
| Tampering | NFVO Coordinator | Manipulation of parameters exchanged between client and server | Data Integrity | Integrity checking / vulnerability scanning / effective input field filtering | Supply Chain | High | 242: Code Injection | 2013-1892: Remote Code Injection Vulnerability |
| Tampering | Westbound/Southbound Interface | Intercept communication | Data Confidentiality | Encrypted Traffic | Communications | Very High | 94: Man in the Middle Attack | 2014-0224: An attacker using a crafted handshake can decrypt and modify traffic from the attacked client and server |
| Tampering | Northbound Interface | Intercept communication | Data Confidentiality | Encrypted Traffic | Communications | Very High | 94: Man in the Middle Attack | 2015-1611: openflowplugin: topology spoofing via LLDP |
| Tampering | VIM | OS as the target tampered/infected | Data Confidentiality | Auditing and Logging | Supply Chain | High | 542: Targeted Malware | 2007-6227: QEMU 0.9.0 allows local users of a Windows XP SP2 guest operating system to overwrite the TranslationBlock buffer, and probably have unspecified other impacts related to an overflow via certain Windows executable programs as demonstrated by qemu-dos.com |
| Tampering | Northbound Interface | Inject traffic into target's network connection | Data Integrity | Tamper Resistance / Encryption / Sanitizing | Communications | High | 594: Traffic Injection | Stack-based buffer overflow allows remote attackers to execute arbitrary code via a long URI in a GET request |
| Repudiation | NFVO Coordinator | Insufficient auditing / weak protection for audit data | Non-Repudiation | Integrity monitoring for configuration files | Communications | Medium | 270: Modification of Registry Run Key | 1999-0114: Local users can execute commands as other users, and read other users' files, through the filter command in the Elm elm-2.4 mail package using a symlink attack. |
| Repudiation | NFVO Coordinator | Insufficient auditing / weak protection for audit data | Non-Repudiation | TLS mechanism | Communications | Low | 217: Exploiting Incorrectly Configured SSL | 2011-3389: |
| Repudiation | Northbound Interface | Insufficient auditing / weak protection for audit data | Data Integrity | Integrity monitoring for configuration files | Communications | Very High | 75: Manipulating Writeable Configuration Files | 1999-0019: Delete or create a file via rpc.statd, due to invalid information |
| Information Disclosure | VIM | Monitoring information | Data Confidentiality | Cryptographic techniques that render a data-stream unreadable | Communications | Medium | 158: Sniffing Network Traffic | 2015-2808: The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the Bar |
| Information Disclosure | VIM | Programming bug | Data Confidentiality | Patch version of software / Perform role checks before allowing access to the operations that could potentially reveal sensitive data. | Software | Medium | 37: Retrieve Embedded Sensitive Data / 204: Lifting Sensitive Data Embedded in Cache | 2016-9845: QEMU built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. |
| Information Disclosure | NFVO Coordinator | Query system for information | Data Confidentiality | Anti-Fuzzing | Communications | Medium | 261: Fuzzing for Garnering other Adjacent User/Sensitive Data | 2016-6494: The client in MongoDB uses world-readable permissions on .dbshell history files, which might allow local users to obtain sensitive information by reading these files |
| Information Disclosure | CESCM Portal | Observing message exchange | Data Confidentiality | Install software that encrypts keyboard typing / virtual keyboard / monitor logs | Software | High | 568: Capture Credentials via Keylogger | 1999-0062: The chpass command in OpenBSD allows a local user to gain root access through file descriptor leakage |
| Information Disclosure | CESCM Portal | Steal credentials | Data Confidentiality | End to End Encryption | Software | High | 21: Exploitation of Trusted Credentials | 1999-0013: Stolen credentials from SSH clients via ssh-agent program, allowing other local users to access remote accounts belonging to the ssh-agent user. |
| Information Disclosure | NFVO Coordinator | Access to the NFVO | Communication Security | Data Flow Control | Communications | Medium | 269: Deprecated | |
| Information Disclosure | NFVO Coordinator | Storage media exposure | Data Confidentiality | Encryption | Software | Very High | 37: Retrieve Embedded Sensitive Data | 2016-6494: The client in MongoDB uses world-readable permissions on .dbshell history files, which might allow local users to obtain sensitive information by reading these files |
| Information Disclosure | Northbound Interface | Access to the NFVO | Communication Security | Data Flow Control | Communications | Low | 191: Read Sensitive Strings within an Executable | 1999-0154: IIS 2.0 and 3.0 allows remote attackers to read the source code for ASP pages by appending a . (dot) to the end of the URL. / 1999-0129: Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file. |
| Denial of Service | NFVO Coordinator | Virtual packet switching function | Availability | Detecting malicious activity / Preventing an intentional system disruption (slow down, crash, hang) | Physical Security | Medium | 166: Force System to Reset Values | 1999-0060: Attackers can cause a denial of service in Ascend MAX and Pipeline routers with a malformed packet to the discard port, which is used by the Java Configurator tool. |
| Denial of Service | SFC Components | Usage of OAM channel for DoS attacks | Availability | Throttle OAM messages on the receiving side / Localize and disconnect attacker / Separate services (one client's misbehavior should not affect other client MAC services) | Physical Security | High | 571: Block Logging to Central Repository | 1999-001: TCP/IP implementations allow remote attackers to cause a denial of service. / 1999-0010: Denial of Service vulnerability in BIND 8 Releases via maliciously formatted DNS messages. |
| Denial of Service | Local Catalog | CPU consumption via crafted data packets | Availability | Configure virtual servers to reject requests when the frequency of requests exceeds a specified limit | Software | High | 66: SQL Injection | 2001-0509: Vulnerabilities in RPC servers in Microsoft Exchange Server 2000 and earlier, Microsoft SQL Server 2000 and earlier, Windows NT 4.0, and Windows 2000 allow remote attackers to cause a denial of service via malformed inputs / 1999-0431: Linux 2.2.3 and earlier allow a remote attacker to perform an IP fragmentation attack causing a denial of service |
| Denial of Service | VIM | Outdated version of software used | Availability | Software update | Software | High | 343: Denial of Service | 2008-2382: The protocol_client_msg function in vnc.c in the VNC server in QEMU 0.9.1 and KVM kvm-79 and earlier allows remote attackers to cause a denial of service (infinite loop) via a certain message |
| Denial of Service | VIM | Shutdown of hypervisor leading to backdoor addition | Access Control | Software update | Software | High | 343: Denial of Service | 2008-2382: The protocol_client_msg function in vnc.c in the VNC server in QEMU 0.9.1 and KVM kvm-79 and earlier allows remote attackers to cause a denial of service (infinite loop) via a certain message |
| Denial of Service | Northbound Interface | Outdated version of software used | Availability | Software version update | Software | High | 343: Denial of Service | 2017-1000357: OpenDaylight, Denial of Service attack when the switch refuses to receive packets from the controller |
| Denial of Service | NFVO Coordinator | Outdated Linux kernel -> SDN / NFVO -> router level with Linux OS | Availability | Obfuscation Techniques | Software | Very High | 100: Buffer Overflow | 1999-0002: Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems |
| Denial of Service | Westbound/Southbound Interface | Outdated version of software used | Availability | Software version update | Software | High | 343: Denial of Service | 2017-1000357: OpenDaylight, Denial of Service attack when the switch refuses to receive packets from the controller |
| Denial of Service | Light DC | Outdated Linux kernel -> SDN / NFVO -> router level with Linux OS | Availability | Obfuscation Techniques | Software | Very High | 100: Buffer Overflow | 1999-0002: Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems |
| Elevation of Privilege | NFVO Coordinator | Access to the NFVO with root privileges | Access Control | Strong usernames and passwords / Privilege Restrictions | Software | Medium | 122: Privilege Abuse, 1: Accessing Functionality not Properly Constrained by ACLs | 1999-0012: Some Microsoft Windows web servers allow remote attackers to bypass access restrictions for files with long file names. |
| Elevation of Privilege | NFVO Coordinator | Access to the NFVO with root privileges | Access Control | Strong usernames and passwords / Privilege Restrictions | Software | Very High | 233: Privilege Escalation | 1999-0022: Local user gains root privileges |
| Elevation of Privilege | NFVO Coordinator | Access with root privileges | Access Control | Privilege restrictions | Software | High | 58: Restful Privilege Elevation | 2017-6919: Web application allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests. |
| Elevation of Privilege | Northbound Interface | Access with root privileges | Access Control | Privilege restrictions | Software | High | 58: Restful Privilege Elevation | 2017-6919: Web application allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests. |
| Elevation of Privilege | VIM | Real time monitoring of the processes of the application | Access Control | Privilege restrictions | Software | High | 233: Privilege Escalation | 2011-4127: privilege escalation from qemu / KVM guests |
| Elevation of Privilege | VIM | Outdated software | Access Control | Update software with appropriate known patches | Software | High | 233: Privilege Escalation | 2016-9602: Privilege Escalation Vulnerability |
| Elevation of Privilege | VIM | Compromise of hypervisor / hop over to another VM to acquire information | Access Control | Image filters scanning for malware | Software | Very High | 69: Target Programs with Elevated Privileges | 1999-0048: When given corrupt DNS information, can be used to execute arbitrary commands with root privileges. |