Security Basics mailing list archives

Re: Vulnerability level definition
From: "Steven M. Christey" <coley () linus mitre org>
Date: Wed, 12 Feb 2003 16:13:01 -0500 (EST)

"R. DuFresne" <dufresne () sysinfo com> said:

there is prolly a lot of confusion with various rating methods in place
depending upon whence one seeks such info, nessus I think uses params
much like you state here, I think mitre.org uses something a tad

If you're referring to CVE, then we do not use any particular risk
value.  CVE descriptions will often include information like
remote/local exploitation and the effects (code execution, DoS, etc.)
Many CVE consumers do ask us to include such a value, which
demonstrates the desire for this type of information, but
unfortunately it's outside CVE's scope as a naming standard.

I think there's a general need for some consistent "risk level" that
can be used by everyone for the "typical" enterprise.  The same
vulnerability can get varying risk levels across different
vulnerability databases.  Also, different enterprises will assign
different priorities to the same vulnerability based on things like
their own policies, threat environment, risk aversion, etc.
(Hopefully I don't cause a terminological discussion by throwing out
words like those! :-) And there will be disagreements about subtle or
complex issues, like many web browser vulnerabilities.  Still, it
would be nice to have something for the typical enterprise that
reflects generally accepted principles like "unauthenticated root
access over the network is really, really, really bad."

while SANS' weekly vulnerability assessments look to rate much as you
do here.  I kinda like the SANS rating method and would suggest that
might work as a template for you to go by.

If you're referring to the weekly "SANS Critical Vulnerability
Analysis" reports, I like it too.  They use a 4-point scale that
distinguishes between "CRITICAL" vulnerabilities and "HIGH" risk
vulnerabilities, where "critical" issues may be subject to easy
exploitation in widespread software with root/admin level privileges.

I've tried tackling the risk level problem.  I thought that a 5-point
scale might be nice, but could not cleanly separate the "middle"
items, then independently developed something similar to the SANS
levels, for whatever that's worth.

Per Niila Albinsson <per () same net> said:

I do believe there would also be a need for classification of a
vulnerability could be exploited remotely or/and locally.

One difficulty here is that there's not just "over the network" and
"on the machine."  There are other factors like the amount of
authentication required and the scope of access provided to the
application/system/network - e.g. do admin privileges on a bulletin
board CGI program translate into any damage beyond the scope of the
board, e.g. the system itself?  How do you handle bugs in file formats
where the files could be transferred "remotely" or "locally?"  Should
there be a distinction between "access to system via its software" and
physical access, e.g. to the raw disk?

So, even simple terms like "remote" and "local" will have widely
varying definitions.  For example, just recently I observed a security
bulletin that talked about "local access" for an issue that could only
be exploited by sending packets to the internal interface of a router.

- Steve
