[Dailydave] smaller errors eroding situational awareness.

Christian Heinrich christian.heinrich at cmlh.id.au
Tue Aug 20 19:03:57 EDT 2013


Dave,

On Sat, Aug 17, 2013 at 4:38 AM, Dave Aitel <dave at immunityinc.com> wrote:
> This is also true on the assessment side - small errors can add up to cloud your situational awareness. For example, in the below referenced Twitter stream you can see a penetration tester scanning a network using a vulnerability assessment tool, which then marks a potential ColdFusion bug as "medium". Part of this is because the National Vulnerability Database marked it as having a CVSS score of 7.5, despite it being a remote, unauthenticated, SYSTEM-level vulnerability.

CVSSv2 (and I would assume the upcoming release of CVSSv3 too) states
that the [CVSS] Score is the calculation of all the Base, Temporal
and Environmental Metrics since ultimately its intention is to
prioritise the implementation of a patch and/or workaround.

Therefore the Base Metric Score is not the overall CVSS Score.  Also
NVD defines both the Temporal and Environmental Metrics as "undefined"
i.e.  http://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2010-2861&vector=(AV%3AN/AC%3AL/Au%3AN/C%3AP/I%3AP/A%3AP)
which does not conform to CVSSv2.  Of note too is that Environmental
Metrics are scored by the end user only.

The above issue isn't limited to NVD either, e.g.
http://www.osvdb.org/show/osvdb/67047 (yes, I am aware that OSVDB is
directly referencing NVD in this specific example).

CVE-2010-2861 is listed as "remote, unauthenticated, SYSTEM-level
vulnerability" on NVD too i.e. "(AV:N/AC:L/Au:N ..." and therefore
their implementation of http://nvd.nist.gov/cvss.cfm?vectorinfov2 is
correct too.


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact

