Dailydave mailing list archives

Re: smaller errors eroding situational awareness.
From: "Christey, Steven M." <coley () mitre org>
Date: Fri, 16 Aug 2013 22:59:51 +0000

CVSS and, IMNSHO, the industry as a whole are not yet prepared to accurately score "vulnerability chains" that involve 
multiple lower-severity vulnerabilities that can be combined in a way that makes a more severe attack possible.   
Schneier's original attack tree vision is coming true, but we don't know what to do with it.  CVSS version 2 
documentation explicitly instructs people to score a vulnerability in isolation, and that recommendation is partially 
my fault (in my defense, it was about a decade ago, and at the time I did not realize that as in the "circle of life" 
of The Lion King movie, there is also the Circle of Technical Impacts which implies that everything *could* lead to a 
10.0, which is not particularly helpful for risk assessment.  I leave it up to Dave to make this all about Buffy.)

Jericho and I touched on this challenge a little bit when we said that "Vulns are gonna get weirder" in our Black Hat 
presentation on why vulnerability statistics suck (slide 79), plus there is the general theme of CVSS's limitations for 
risk assessment by various presenters in the past year or two.  Unfortunately, the number of people who complain about 
CVSSv2 is exponentially smaller than the number of people who are actively contributing to the development of CVSSv3 
which is ongoing, but I digress into uncomfortable observations.

i.e.: combinations of multiple "issues," independent of their severity when evaluated in isolation, will likely become 
more prominent over the years (look at Pwn2Own as an example).

To whoever solves or attempts to solve this problem: you probably won't get any love in terms of press attention, but 
from the defense perspective, it's kind of critical in the coming years/decades to figure out how to assign a single 
risk score to vulnerability/attack chains, or otherwise combine them in a way that allows decision-makers to... 
ummmm... make well-informed decisions.

- Steve Christey (CVSSv2 apologist 4eva)

-----Original Message-----
From: dailydave-bounces () lists immunityinc com [mailto:dailydave-bounces () lists immunityinc com] On Behalf Of Dave Aitel
Sent: Friday, August 16, 2013 2:38 PM
To: dailydave () lists immunityinc com
Subject: [Dailydave] smaller errors eroding situational awareness.

Related Twitter threads here:

One thing you should pay attention to, as someone who works in IT security, is
how the various assumptions change over time. It used to be that managing
your network security was how well you used a few simple product types.
Essentially we had network sniffers and network scanners of various sorts,
along with the signature-based AVs. Most enterprises remember having tons
of network sniffer monkeys looking at logs and sniffer alerts and then trying to
use that to generate some level of activity. But that turns out to be
mindbogglingly expensive, and ineffective as we have all learned the hard

This then changed into how well you integrate and analyze information from
these tools. The SIEM was born. The downside being that sorting through
massive amounts of noise to find tiny signals is by definition expensive, no
matter how good your tool is.

This is also true on the assessment side - small errors can add up to cloud your
situational awareness. For example, in the below referenced Twitter stream
you can see a penetration tester scanning a network using a vulnerability
assessment tool, which then marks a potential ColdFusion bug as "medium".
Part of this is because the National Vulnerability Database marked it as having
a CVSS score of 7.5, despite it being a remote, unauthenticated, SYSTEM-level

That said, if all you had was the Vulnerability Assessment data, you would
probably relegate fixing this weakness to "when I get around to it", which
would explain all the nicely vulnerable ColdFusion boxes on the Interwebs.

So my conclusion here is that despite all thoughts to the contrary, CVSS, the
NVD, and hence vulnerability risk rankings, do, in fact, matter.


As a post-script, Nessus has updated their score on this particular vulnerability.
I emailed the NVD about it too.
