Update KEVU threat risk factor and mitigations (9557f217) · Commits · STAN4CRA / EN 304 626 Operating Systems

EN-304-626.md

+11 −11

Original line number	Diff line number	Diff line
		@@ -1950,18 +1950,18 @@ Mitigations for Impact:
		Attacker may use known exploitable vulnerabilities in the product implementation to get unauthorized access to product assets.

		\| Risk factors \| Likelihood \| Security profiles \|
		\|----------------------------------------------\|------------\|------------------------------\|
		\| max(PHY, SFT, NET) = 0 or COM = 0 or ADM = 0 \| Low \| WD-1 \|
		\| all others \| Medium \| WD-2, WD-3, WD-4, WL-1, VI-1 \|
		\| max(PHY, SFT, NET) = 2 & COM = 2 & ADM = 2 \| High \| WL-2, WL-3, VI-2 \|
		\|----------------------\|------------\|---------------------------------------------------------\|
		\| ADMN = 0 or SUPP = 0 \| Low \| LR, IoT-1 \|
		\| all others \| Medium \| IoT-2, IoT-3, WE-1, RO-1, OT-1, PC-2, LA-2, PS-1, SE-\* \|
		\| ADMN = 2 & SUPP = 2 \| High \| MOB-1, PC-1, LA-1 \|

		\| Risk factors \| Impact \| Security profiles \|
		\|---------------------------\|--------\|------------------------------------\|
		\| max(SNDS, SNDT, SENF) = 0 \| Low \| none \|
		\| max(SNDS, SNDT, SENF) = 1 \| Medium \| WD-1, WD-3, WL-1, VI-1 \|
		\| max(SNDS, SNDT, SENF) = 2 \| High \| WD-2, WD-4, WL-2, WL-3, WL-4, VI-2 \|
		\|---------------------------------\|--------\|----------------------------------------------------------------------\|
		\| max(PPII, SNDS, SNDT, SENF) = 0 \| Low \| LR, IoT-1 \|
		\| max(PPII, SNDS, SNDT, SENF) = 1 \| Medium \| IoT-2, IoT-3 \|
		\| max(PPII, SNDS, SNDT, SENF) = 2 \| High \| WE-2, RO-1, IoT-3, WE-1, PC-\, LA-1, PS-1, OT-1, MOB-1, LA-2, SE-\ \|

		Requirements that mitigate this threat: NKEV, SSDD, LMII, SCUD, DMIN, LMAS, LOGG, VULH
		Requirements that mitigate this threat: NKEV, SSDD, MIME, LMII, SCUD, LMAS, DMIN, LOGG, VULH

		All mitigations from TH-UEVU apply (using that requirement's risk formula), in addition to:

Original line number	Diff line number	Diff line
		@@ -1950,18 +1950,18 @@ Mitigations for Impact:
		Attacker may use known exploitable vulnerabilities in the product implementation to get unauthorized access to product assets.

		\| Risk factors \| Likelihood \| Security profiles \|
		\|----------------------------------------------\|------------\|------------------------------\|
		\| max(PHY, SFT, NET) = 0 or COM = 0 or ADM = 0 \| Low \| WD-1 \|
		\| all others \| Medium \| WD-2, WD-3, WD-4, WL-1, VI-1 \|
		\| max(PHY, SFT, NET) = 2 & COM = 2 & ADM = 2 \| High \| WL-2, WL-3, VI-2 \|
		\|----------------------\|------------\|---------------------------------------------------------\|
		\| ADMN = 0 or SUPP = 0 \| Low \| LR, IoT-1 \|
		\| all others \| Medium \| IoT-2, IoT-3, WE-1, RO-1, OT-1, PC-2, LA-2, PS-1, SE-\* \|
		\| ADMN = 2 & SUPP = 2 \| High \| MOB-1, PC-1, LA-1 \|

		\| Risk factors \| Impact \| Security profiles \|
		\|---------------------------\|--------\|------------------------------------\|
		\| max(SNDS, SNDT, SENF) = 0 \| Low \| none \|
		\| max(SNDS, SNDT, SENF) = 1 \| Medium \| WD-1, WD-3, WL-1, VI-1 \|
		\| max(SNDS, SNDT, SENF) = 2 \| High \| WD-2, WD-4, WL-2, WL-3, WL-4, VI-2 \|
		\|---------------------------------\|--------\|----------------------------------------------------------------------\|
		\| max(PPII, SNDS, SNDT, SENF) = 0 \| Low \| LR, IoT-1 \|
		\| max(PPII, SNDS, SNDT, SENF) = 1 \| Medium \| IoT-2, IoT-3 \|
		\| max(PPII, SNDS, SNDT, SENF) = 2 \| High \| WE-2, RO-1, IoT-3, WE-1, PC-\, LA-1, PS-1, OT-1, MOB-1, LA-2, SE-\ \|

		Requirements that mitigate this threat: NKEV, SSDD, LMII, SCUD, DMIN, LMAS, LOGG, VULH
		Requirements that mitigate this threat: NKEV, SSDD, MIME, LMII, SCUD, LMAS, DMIN, LOGG, VULH

		All mitigations from TH-UEVU apply (using that requirement's risk formula), in addition to: