mailing list archives
Re: smaller errors eroding situational awareness.
From: Christian Heinrich <christian.heinrich () cmlh id au>
Date: Wed, 21 Aug 2013 09:03:57 +1000
On Sat, Aug 17, 2013 at 4:38 AM, Dave Aitel <dave () immunityinc com> wrote:
This is also true on the assessment side - small errors can add up to cloud your situational awareness. For example,
in the below referenced Twitter stream you can see a penetration tester scanning a network using a vulnerability
assessment tool, which then marks a potential ColdFusion bug as "medium". Part of this is because the National
Vulnerability Database marked it as having a CVSS score of 7.5, despite it being a remote, unauthenticated,
CVSSv2 (and I would assume the upcoming release of CVSSv3 too) state
that the [CVSS] Score is the calculation of the all the Base, Temporal
and Environmental Metrics since ultimately its intention is to
priorities the implementation of a patch and/or workaround.
Therefore the Base Metric Score is not the overall CVSS Score. Also
NVD defines both the Temporal and Environmental Metrics as "undefined"
which does not conform to CVSSv2. Of note too is that Environmental
Metrics are scored by the end user only.
The above issue isn't limited to NVD either e.g.
http://www.osvdb.org/show/osvdb/67047 (yes I am aware that OSVDB is
directly referencing NVD in this specific example)
CVE-2010-2861 is listed as "remote, unauthenticated, SYSTEM-level
vulnerability" on NVD too i.e. "(AV:N/AC:L/Au:N ..." and therefore
their implementation of http://nvd.nist.gov/cvss.cfm?vectorinfov2 is
Dailydave mailing list
Dailydave () lists immunityinc com