Finally!!! Update UEVU threat with correct risk formula and mitigations (385529ab) · Commits · STAN4CRA / EN 304 626 Operating Systems

EN-304-626.md

+17 −13

Original line number	Diff line number	Diff line
		@@ -1989,25 +1989,29 @@ MI-SDTR: Secure data transfer to another product

		Attacker may use unknown exploitable vulnerabilities in the product implementation to get unauthorized access to product assets.

		* Likelihood: NUSR CUSR PHYS UEIN LOSS HWMD SWMD DVCS TNET FNET CONF ADMN SUPP

		* Impact: SNDS SNDT SENF

		\| Risk factors \| Likelihood \| Security profiles \|
		\|-----------------------------------\|------------\|------------------------\|
		\| max(PHY, SFT, NET) = 0 or COM = 0 \| Low \| WD-1, VI-1 \|
		\| all others \| Medium \| WD-2, WD-3, WD-4, WL-1 \|
		\| max(PHY, SFT, NET) = 2 & COM = 2 \| High \| WL-2, WL-3, VI-2 \|
		\|---------------------------------------------\|------------\|----------------------------------------------\|
		\| max(NUSR, CUSR, PHYS, TNET, FNET, UEIN) = 0 \| Low \| LR, IoT-1 \|
		\| max(NUSR, CUSR, PHYS, TNET, FNET, UEIN) = 1 \| Medium \| IoT-2, IoT-3, WE-1 \|
		\| max(NUSR, CUSR, PHYS, TNET, FNET, UEIN) = 2 \| High \| RO-1, OT-1, MOB-1, PC-\, LA-\, PS-1, SE-\* \|

		\| Risk factors \| Impact \| Security profiles \|
		\|-----------------------------\|--------\|------------------------------------\|
		\| max(SYS, SDS, SDT, FUN) = 0 \| Low \| none \|
		\| max(SYS, SDS, SDT, FUN) = 1 \| Medium \| WD-1, WD-3, WL-1, VI-1 \|
		\| max(SYS, SDS, SDT, FUN) = 2 \| High \| WD-2, WD-4, WL-2, WL-3, WL-4, VI-2 \|
		\|---------------------------------\|--------\|----------------------------------------------------------------------\|
		\| max(PPII, SNDS, SNDT, SENF) = 0 \| Low \| LR, IoT-1 \|
		\| max(PPII, SNDS, SNDT, SENF) = 1 \| Medium \| IoT-2, IoT-3 \|
		\| max(PPII, SNDS, SNDT, SENF) = 2 \| High \| WE-2, RO-1, IoT-3, WE-1, PC-\, LA-1, PS-1, OT-1, MOB-1, LA-2, SE-\ \|

		Requirements that mitigate this threat: SSDD, LMII, DMIN, LMAS, LOGG
		Requirements that mitigate this threat: SSDD, MIME, LMII, LMAS, DMIN, LOGG

		Mitigations for Likelihood:

		* Medium to Low: SCFS, SSCA, ADEF, DPAH, PDDI-\*
		* Medium to Low: SSCA, SCFS, MMAC, ADEF, PDDI-\*

		* High to Low: SCFS, SSCA, (FZ95 or BTIN or IMSL), MSAF-\, MZRO-\, ADEF, DPAH, PDDI-\*, JSTY
		* High to Low: SSCA, MMAC, (FZ95 or BTIN or IMSL), SCFS, (PMSC or TRMD), ASLR, MSAF-\, MZRO-\, MRWX-\, NKAM, PLLC, MRCO, ADEF, PDDI-\, DJST, JSTY

		Mitigations for Impact:

Original line number	Diff line number	Diff line
		@@ -1989,25 +1989,29 @@ MI-SDTR: Secure data transfer to another product

		Attacker may use unknown exploitable vulnerabilities in the product implementation to get unauthorized access to product assets.

		* Likelihood: NUSR CUSR PHYS UEIN LOSS HWMD SWMD DVCS TNET FNET CONF ADMN SUPP

		* Impact: SNDS SNDT SENF

		\| Risk factors \| Likelihood \| Security profiles \|
		\|-----------------------------------\|------------\|------------------------\|
		\| max(PHY, SFT, NET) = 0 or COM = 0 \| Low \| WD-1, VI-1 \|
		\| all others \| Medium \| WD-2, WD-3, WD-4, WL-1 \|
		\| max(PHY, SFT, NET) = 2 & COM = 2 \| High \| WL-2, WL-3, VI-2 \|
		\|---------------------------------------------\|------------\|----------------------------------------------\|
		\| max(NUSR, CUSR, PHYS, TNET, FNET, UEIN) = 0 \| Low \| LR, IoT-1 \|
		\| max(NUSR, CUSR, PHYS, TNET, FNET, UEIN) = 1 \| Medium \| IoT-2, IoT-3, WE-1 \|
		\| max(NUSR, CUSR, PHYS, TNET, FNET, UEIN) = 2 \| High \| RO-1, OT-1, MOB-1, PC-\, LA-\, PS-1, SE-\* \|

		\| Risk factors \| Impact \| Security profiles \|
		\|-----------------------------\|--------\|------------------------------------\|
		\| max(SYS, SDS, SDT, FUN) = 0 \| Low \| none \|
		\| max(SYS, SDS, SDT, FUN) = 1 \| Medium \| WD-1, WD-3, WL-1, VI-1 \|
		\| max(SYS, SDS, SDT, FUN) = 2 \| High \| WD-2, WD-4, WL-2, WL-3, WL-4, VI-2 \|
		\|---------------------------------\|--------\|----------------------------------------------------------------------\|
		\| max(PPII, SNDS, SNDT, SENF) = 0 \| Low \| LR, IoT-1 \|
		\| max(PPII, SNDS, SNDT, SENF) = 1 \| Medium \| IoT-2, IoT-3 \|
		\| max(PPII, SNDS, SNDT, SENF) = 2 \| High \| WE-2, RO-1, IoT-3, WE-1, PC-\, LA-1, PS-1, OT-1, MOB-1, LA-2, SE-\ \|

		Requirements that mitigate this threat: SSDD, LMII, DMIN, LMAS, LOGG
		Requirements that mitigate this threat: SSDD, MIME, LMII, LMAS, DMIN, LOGG

		Mitigations for Likelihood:

		* Medium to Low: SCFS, SSCA, ADEF, DPAH, PDDI-\*
		* Medium to Low: SSCA, SCFS, MMAC, ADEF, PDDI-\*

		* High to Low: SCFS, SSCA, (FZ95 or BTIN or IMSL), MSAF-\, MZRO-\, ADEF, DPAH, PDDI-\*, JSTY
		* High to Low: SSCA, MMAC, (FZ95 or BTIN or IMSL), SCFS, (PMSC or TRMD), ASLR, MSAF-\, MZRO-\, MRWX-\, NKAM, PLLC, MRCO, ADEF, PDDI-\, DJST, JSTY

		Mitigations for Impact:

Admin message