Dailydave mailing list archives

Re: smaller errors eroding situational awareness.
From: Christian Heinrich <christian.heinrich () cmlh id au>
Date: Wed, 21 Aug 2013 09:03:57 +1000


On Sat, Aug 17, 2013 at 4:38 AM, Dave Aitel <dave () immunityinc com> wrote:
> This is also true on the assessment side - small errors can add up to cloud
> your situational awareness. For example, in the below referenced Twitter
> stream you can see a penetration tester scanning a network using a
> vulnerability assessment tool, which then marks a potential ColdFusion bug
> as "medium". Part of this is because the National Vulnerability Database
> marked it as having a CVSS score of 7.5, despite it being a remote,
> unauthenticated, SYSTEM-level vulnerability.

CVSSv2 (and I would assume the upcoming release of CVSSv3 too) state
that the [CVSS] Score is the calculation of all the Base, Temporal
and Environmental Metrics since ultimately its intention is to
prioritise the implementation of a patch and/or workaround.

Therefore the Base Metric Score is not the overall CVSS Score.  Also
NVD defines both the Temporal and Environmental Metrics as "undefined"
i.e.  http://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2010-2861&vector=(AV%3AN/AC%3AL/Au%3AN/C%3AP/I%3AP/A%3AP)
which does not conform to CVSSv2.  Of note too is that Environmental
Metrics are scored by the end user only.

The above issue isn't limited to NVD either e.g.
http://www.osvdb.org/show/osvdb/67047 (yes I am aware that OSVDB is
directly referencing NVD in this specific example)

CVE-2010-2861 is listed as "remote, unauthenticated, SYSTEM-level
vulnerability" on NVD too i.e. "(AV:N/AC:L/Au:N ..." and therefore
their implementation of http://nvd.nist.gov/cvss.cfm?vectorinfov2 is
correct too.

Christian Heinrich

Dailydave mailing list
Dailydave () lists immunityinc com
