
Dailydave mailing list archives
Re: smaller errors eroding situational awareness.
From: Christian Heinrich <christian.heinrich () cmlh id au>
Date: Wed, 21 Aug 2013 09:03:57 +1000
Dave,

On Sat, Aug 17, 2013 at 4:38 AM, Dave Aitel <dave () immunityinc com> wrote:
This is also true on the assessment side - small errors can add up to cloud your situational awareness. For example, in the below referenced Twitter stream you can see a penetration tester scanning a network using a vulnerability assessment tool, which then marks a potential ColdFusion bug as "medium". Part of this is because the National Vulnerability Database marked it as having a CVSS score of 7.5, despite it being a remote, unauthenticated, SYSTEM-level vulnerability.
CVSSv2 (and I would assume the upcoming release of CVSSv3 too) states that the [CVSS] Score is the calculation of all the Base, Temporal and Environmental Metrics, since ultimately its intention is to prioritise the implementation of a patch and/or workaround. Therefore the Base Metric Score is not the overall CVSS Score.

Also, NVD defines both the Temporal and Environmental Metrics as "undefined", i.e. http://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2010-2861&vector=(AV%3AN/AC%3AL/Au%3AN/C%3AP/I%3AP/A%3AP) which does not conform to CVSSv2. Of note too is that Environmental Metrics are scored by the end user only.

The above issue isn't limited to NVD either, e.g. http://www.osvdb.org/show/osvdb/67047 (yes, I am aware that OSVDB is directly referencing NVD in this specific example).

CVE-2010-2861 is listed as a "remote, unauthenticated, SYSTEM-level vulnerability" on NVD too, i.e. "(AV:N/AC:L/Au:N ...", and therefore their implementation of http://nvd.nist.gov/cvss.cfm?vectorinfov2 is correct too.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact
Current thread:
- smaller errors eroding situational awareness. Dave Aitel (Aug 16)
- Re: smaller errors eroding situational awareness. Kristian Erik Hermansen (Aug 16)
- Re: smaller errors eroding situational awareness. Ron Gula (Aug 16)
- Re: smaller errors eroding situational awareness. Anton Chuvakin (Aug 19)
- Re: smaller errors eroding situational awareness. Christian Heinrich (Aug 21)
- Re: smaller errors eroding situational awareness. Christian Heinrich (Aug 21)
- Re: smaller errors eroding situational awareness. Anton Chuvakin (Aug 19)
- Re: smaller errors eroding situational awareness. Christey, Steven M. (Aug 19)
- Re: smaller errors eroding situational awareness. security curmudgeon (Aug 19)
- Re: smaller errors eroding situational awareness. Christian Heinrich (Aug 21)
- Re: smaller errors eroding situational awareness. security curmudgeon (Aug 19)
- Re: smaller errors eroding situational awareness. Christian Heinrich (Aug 21)
- Re: smaller errors eroding situational awareness. Justin Ferguson (Aug 21)