
CVSS


Delivered at the RMSIG of aisa.org.au on July 2007 and at RUXCON 2K6


Page 1: CVSS

Common Vulnerability Scoring System

Christian Heinrich

AISA RMSIG

July 2007

Page 2: CVSS

cmlh

Currently Security Researcher

– Defeating Network Intrusion Detection/Prevention and Forensics

– Presented at RUXCON 2K5 and RUXCON 2K6

Former Security Manager

– News Limited

– DSD Gateway Certified Service Provider

– Federal Government Endorsed Business

Public Profile on LinkedIn - http://www.linkedin.com/in/ChristianHeinrich

Page 3: CVSS

Agenda

1. History from the VDF to CVSS v2

2. CVSS v2 from the End User’s Perspective

3. Caveats, Politics and other Traps :)

Page 4: CVSS

Vulnerability Disclosure Framework

National Infrastructure Advisory Council (NIAC)

Vulnerability Disclosure Working Group (VDWG) – 13 Jan 2004

Findings on Existing Methodologies from Microsoft, CERT, etc.:

– Specific to Vendor x Product y not Vendor z Product y

– No consideration to

• Environment of End User

• Time Line of Vulnerability

Page 5: CVSS

CVSS to CVSS v2

12 October 2004 - Vulnerability Scoring Working Sub Group of VDWG

February 2005 - Presented at RSA by Mike Schiffman (Cisco)

11 May 2005

- NIAC Appointed Forum of Incident Response and Security Teams (FIRST)

- FIRST formed Special Interest Group (CVSS-SIG)

20 June 2007 – CVSS v2

Page 6: CVSS

CVSS v2

Page 7: CVSS

Base Metrics

Intrinsic to any given vulnerability; do not change over time or across different environments

1. Access Vector: from Local Console to Remote Network (Bluetooth -> Internet)

2. “Technical” Likelihood (Access Complexity)

3. Authentication

“Technical” Impact to 4. Confidentiality, 5. Integrity and 6. Availability

Page 8: CVSS

Temporal Metrics

Characteristics of the vulnerability that evolve over its lifetime

1. Maturity of the Exploit, i.e. Proof of Concept, Worm, etc.?

2. Is a Patch and/or Workaround Available?

3. Confidence in the Report?

Page 9: CVSS

Environmental Metrics

Characteristics of the vulnerability that are tied to the end user’s specific implementation

1. Potential Collateral Damage to Critical Infrastructure?

2. Total number of Targets?

“Business” Impact to 3. Confidentiality, 4. Integrity and 5. Availability

Page 10: CVSS

Scoring

Calculators published via the “Scores and Calculators” Page at http://www.first.org/cvss

Presentation of Base Metrics

AV:[L,A,N]/AC:[H,M,L]/Au:[M,S,N]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C]

Presentation of Temporal Metrics

E:[U,POC,F,H,ND]/RL:[OF,TF,W,U,ND]/RC:[UC,UR,C,ND]

Presentation of Environmental Metrics

CDP:[N,L,LM,MH,H,ND]/TD:[N,L,M,H,ND]/CR:[L,M,H,ND]/IR:[L,M,H,ND]/AR:[L,M,H,ND]

Presentation of Base Metrics Example:

AV:L/AC:M/Au:N/C:N/I:P/A:C

Page 11: CVSS

Caveats, Politics and other Traps :)

Base Metrics

Vendor’s “subjective” interpretation of Base Metrics

– “Independent” NIST National Vulnerability Database (NVD)

Vendor publishes Base Score but withholds Base Metrics

– Derive Possible Base Metrics from Base Score with Fuzzer

Attack Vector – Metric with Highest Numerical Value, not most common

Some attacks, e.g. XSS, only consider the Web Server, not the Browser

Authentication – Can be “reduced” due to certain implementations e.g. Token, S/KEY

Considerations towards End User’s Environment

– Probability of Deriving Authentication Credential

– Range of Wireless Network? What if High Gain Antenna? What if Faraday Cage?

Page 12: CVSS

Caveats, Politics and other Traps :)

Temporal Metrics

“Will this affect my network range?”

– No feed, real-time or otherwise, is provided

Doesn’t consider the reduction in time due to “Binary Diff” and/or “Fuzzing”

Environmental Metrics

Target Distribution - Map “Connectivity” with Active and Passive Discovery

Doesn’t Consider:

- Cost to Implement Patch and/or Workaround

- Technical Knowledge Required for Attack Complexity

Page 13: CVSS

Caveats, Politics and other Traps :)

Scoring

Developing “Fuzzer” to Derive All Scores by Calculating All Numerical Values

Rounding to “Reduce” Score.

Substitution – Different Metric Yet Same Score

Derive Possible Metrics from Score

Based on CVSS v1 Fuzzer

Expect an Announcement from Jeff Jones (Microsoft)

Come to the Security Interchange meeting later this year
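A worked example of the scoring and vector notation from the “Scoring” page, and of the “derive possible metrics from score” and “substitution” points above. This is an added example; it is not code from the slides, from FIRST’s calculators, or from the CVSS v1 fuzzer the talk mentions. The weights and equations are those of the CVSS v2 guide at http://www.first.org/cvss; the function names, and every sample vector other than the slides’ AV:L/AC:M/Au:N/C:N/I:P/A:C, are this example’s own.

```python
"""CVSS v2 vector parsing, scoring and score-to-metric enumeration.

Added example, not from the original slides or from FIRST's calculators.
Weights and equations follow the CVSS v2 guide (http://www.first.org/cvss);
all function and variable names are this example's own.
"""
from decimal import Decimal, ROUND_HALF_UP
from itertools import product

# Metric weights from the CVSS v2 guide, keyed by the vector abbreviations.
BASE = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}
TEMPORAL = {
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},
}
ENVIRONMENTAL = {
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},
    "CR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "IR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "AR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
}


def round1(x):
    """round_to_1_decimal as in the v2 guide: half up, not Python's banker's rounding."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector, table):
    """Parse 'AV:L/AC:M/...' against one metric table; every metric must appear."""
    metrics = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        if name not in table or value not in table[name]:
            raise ValueError(f"unknown metric or value: {part!r}")
        metrics[name] = value
    missing = set(table) - set(metrics)
    if missing:
        raise ValueError(f"missing metrics: {sorted(missing)}")
    return metrics


def base_score(base_vector, reqs=None):
    """Base Score; with CR/IR/AR weights in `reqs` it becomes the environmental AdjustedBase."""
    b = parse_vector(base_vector, BASE)
    cr, ir, ar = reqs or (1.0, 1.0, 1.0)
    c, i, a = BASE["C"][b["C"]] * cr, BASE["I"][b["I"]] * ir, BASE["A"][b["A"]] * ar
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    if reqs is not None:
        impact = min(10.0, impact)  # AdjustedImpact is capped at 10 in the v2 guide
    if impact == 0:
        return 0.0  # f(Impact) = 0: no C/I/A impact scores 0 regardless of exploitability
    exploitability = 20 * BASE["AV"][b["AV"]] * BASE["AC"][b["AC"]] * BASE["Au"][b["Au"]]
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176)


def temporal_score(base_vector, temporal_vector, reqs=None):
    """Temporal Score = round1(BaseScore * E * RL * RC), using the already rounded Base Score."""
    t = parse_vector(temporal_vector, TEMPORAL)
    factor = TEMPORAL["E"][t["E"]] * TEMPORAL["RL"][t["RL"]] * TEMPORAL["RC"][t["RC"]]
    return round1(base_score(base_vector, reqs) * factor)


def environmental_score(base_vector, temporal_vector, env_vector):
    """Environmental Score = round1((AdjTemporal + (10 - AdjTemporal) * CDP) * TD)."""
    e = parse_vector(env_vector, ENVIRONMENTAL)
    reqs = tuple(ENVIRONMENTAL[m][e[m]] for m in ("CR", "IR", "AR"))
    adjusted_temporal = temporal_score(base_vector, temporal_vector, reqs)
    cdp, td = ENVIRONMENTAL["CDP"][e["CDP"]], ENVIRONMENTAL["TD"][e["TD"]]
    return round1((adjusted_temporal + (10 - adjusted_temporal) * cdp) * td)


def base_vectors_with_score(score):
    """All of the 3**6 = 729 base vectors whose Base Score equals `score`.

    A vendor that publishes only a Base Score has narrowed its metrics to this
    candidate set; a set with more than one member is a 'substitution'.
    """
    names = list(BASE)
    candidates = []
    for values in product(*(BASE[n] for n in names)):
        vector = "/".join(f"{n}:{v}" for n, v in zip(names, values))
        if base_score(vector) == score:
            candidates.append(vector)
    return candidates


if __name__ == "__main__":
    base = "AV:L/AC:M/Au:N/C:N/I:P/A:C"  # the example vector from the slides
    print(base, "->", base_score(base))
    print("base vectors scoring the same:", len(base_vectors_with_score(base_score(base))))
```

Two design points matter for the “rounding” caveat: the guide’s round_to_1_decimal rounds half up at every stage (Base, then Temporal, then Environmental), so the example uses Decimal rather than Python’s round(), which would turn 5.25 into 5.2; and because Confidentiality, Integrity and Availability carry identical weights, swapping their values never changes the score, which is one reason the candidate set for a published score is rarely a single vector.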

Page 14: CVSS

Caveats, Politics and other Traps :)

Lack of Representation:

– No invitation to End Users and little from Security Researchers (e.g. Schiffman)

– No lesson learnt by CERT

The Horse has Bolted – First Impressions Last:

– Optional Scores

– Resistance from Initial Supporters such as Microsoft

– CVE still in process of reclassifying vulnerabilities to updated schema

Advocate to Vendor as it provides YOU with Advantages in removing Subjectivity from:

– Prioritising Remediation regardless of Vendor and/or Product and/or Technology

– Objective Vulnerability Distribution Studies

Page 15: CVSS

Thanks

John Greaves

David Palmer & Westpac

Chris Wood & Patchlink

David Reinhold

John Dale

John Frisken