Dailydave mailing list archives

Re: Vuln scoring system anyone?


From: security curmudgeon <jericho () attrition org>
Date: Tue, 1 Mar 2005 15:29:05 -0500 (EST)



: I didn't try to be too narrow with my interpretation of Access 
: Complexity, I think it's a great term.  One of my personal beefs is that 
: some people neglect to differentiate between the level of access 
: required to exploit the vulnerability.  If authentication is required, 
: is admin/root privileges required to exploit it?  To exploit the vuln 

but wait.. it doesn't get that detailed. your PDF modeled after their 
criteria just said "is authentication required". it doesn't say "is root 
required" or "administrative privs". it doesn't ask if i need admin privs 
on a phpBB installation vs admin privs on a cisco router. it doesn't 
distinguish between 'authentication' of a free WWWboard account or 
anything else. this is the first step to the system not adequately 
describing the risk of a vulnerability.

: As with any scoring system there is potential for
: misuse and errors.  I created the calculator to
: illustrate how CVSS works and to do what-if scenarios.

: Buffer Overflow:
: Access Vector           Remote
: Access Complexity       Low
: Authentication          Not Required
: Confidentiality Impact  None
: Integrity Impact        Complete
: Availability Impact     Complete
: Impact Bias             Integrity
: Base Score              7.5

as i mentioned in another mail to you, how do you classify a remote 
overflow? if you use the standard CIA measure, it is fairly clear that 
'Integrity' would be checked, but C and A? if i use the overflow to cat 
/etc/passwd instead of spawn a shell, 'Confidentiality' should be flagged. 
if i use the overflow to rm -rf the drive, 'Availability' should be 
flagged. the intent of the attacker affects that seemingly, or you need to 
flag CIA on all remote overflows that let you do anything more than crash 
a service, right?
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
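A worked check of the scoring question in this thread, added here and not part of the original post: it recomputes the quoted 7.5 with the CVSS v1 base equation (the metric weights are taken from the 2005 CVSS v1 specification, not from this page) and then rescores the same remote overflow under the different impact readings jericho raises, so the swing caused by "attacker intent" is visible as numbers.

```python
"""CVSS v1 base-score calculator (constructed example, not the calculator from the thread)."""

# Metric weights from the CVSS v1 specification (assumption: these values are not on the page).
ACCESS_VECTOR = {"Local": 0.7, "Remote": 1.0}
ACCESS_COMPLEXITY = {"High": 0.8, "Low": 1.0}
AUTHENTICATION = {"Required": 0.6, "Not Required": 1.0}
IMPACT = {"None": 0.0, "Partial": 0.7, "Complete": 1.0}
# Impact bias: weight applied to (Confidentiality, Integrity, Availability).
IMPACT_BIAS = {
    "Normal": (0.333, 0.333, 0.333),
    "Confidentiality": (0.5, 0.25, 0.25),
    "Integrity": (0.25, 0.5, 0.25),
    "Availability": (0.25, 0.25, 0.5),
}


def base_score(av, ac, au, conf, integ, avail, bias="Normal"):
    """CVSS v1: 10 * AV * AC * Au * sum(impact_x * bias_x), rounded to one decimal."""
    wc, wi, wa = IMPACT_BIAS[bias]
    impact = IMPACT[conf] * wc + IMPACT[integ] * wi + IMPACT[avail] * wa
    raw = 10 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au] * impact
    return round(raw, 1)


def overflow_scenarios():
    """Score one remote, low-complexity, unauthenticated overflow under the readings
    debated in the thread. Only the impact flags change between rows."""
    common = ("Remote", "Low", "Not Required")
    return {
        # The vector exactly as quoted in the thread: I and A complete, integrity bias.
        "as quoted": base_score(*common, "None", "Complete", "Complete", "Integrity"),
        # Overflow used only to crash the service.
        "crash only": base_score(*common, "None", "None", "Complete", "Availability"),
        # Overflow used to read files (C flagged) as well as take over the process.
        "read files too": base_score(*common, "Complete", "Complete", "Complete", "Integrity"),
        # Flag C, I and A on every remote overflow, no bias, as jericho suggests.
        "flag all, normal bias": base_score(*common, "Complete", "Complete", "Complete", "Normal"),
    }


if __name__ == "__main__":
    for label, score in overflow_scenarios().items():
        print(f"{label:24s} {score}")
```

The quoted vector reproduces 7.5; the same bug scores 5.0 if read as crash-only and 10.0 once confidentiality is flagged, which is the spread the post is complaining about.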