Re: Vulnerability level definition

From: Steven M. Christey (coley@linus.mitre.org)
Date: Wed Feb 12 2003 - 16:13:01 EST


"R. DuFresne" <dufresne@sysinfo.com> said:

>there is probably a lot of confusion with various rating methods in place
>depending upon whence one seeks such info, nessus I think uses params
>much like you state here, I think mitre.org uses something a tad
>different

If you're referring to CVE, then we do not use any particular risk
value. CVE descriptions will often include information like
remote/local exploitation and the effects (code execution, DoS, etc.).
Many CVE consumers do ask us to include such a value, which
demonstrates the desire for this type of information, but
unfortunately it's outside CVE's scope as a naming standard.

I think there's a general need for some consistent "risk level" that
can be used by everyone for the "typical" enterprise. The same
vulnerability can get varying risk levels across different
vulnerability databases. Also, different enterprises will assign
different priorities to the same vulnerability based on things like
their own policies, threat environment, risk aversion, etc.
(Hopefully I don't cause a terminological discussion by throwing out
words like those! :-) And there will be disagreements about subtle or
complex issues, like many web browser vulnerabilities. Still, it
would be nice to have something for the typical enterprise that
reflects generally accepted principles like "unauthenticated root
access over the network is really, really, really bad."

>while SANS' weekly vulnerability assessments look to rate much as you
>do here. I kinda like the SANS rating method and would suggest that
>might work as a template for you to go by.

If you're referring to the weekly "SANS Critical Vulnerability
Analysis" reports, I like it too. They use a 4-point scale that
distinguishes between "CRITICAL" vulnerabilities and "HIGH" risk
vulnerabilities, where "critical" issues may be subject to easy
exploitation in widespread software with root/admin level privileges.

I've tried tackling the risk level problem. I thought that a 5-point
scale might be nice, but could not cleanly separate the "middle"
items, then independently developed something similar to the SANS
levels, for whatever that's worth.

Per Niila Albinsson <per@same.net> said:

>I do believe there would also be a need for classification of a
>vulnerability could be exploited remotely or/and locally.

One difficulty here is that there's not just "over the network" and
"on the machine." There are other factors like the amount of
authentication required and the scope of access provided to the
application/system/network - e.g. do admin privileges on a bulletin
board CGI program translate into any damage beyond the scope of the
board, e.g. the system itself? How do you handle bugs in file formats
where the files could be transferred "remotely" or "locally?" Should
there be a distinction between "access to system via its software" and
physical access, e.g. to the raw disk?

So, even simple terms like "remote" and "local" will have widely
varying definitions. For example, just recently I observed a security
bulletin that talked about "local access" for an issue that could only
be exploited by sending packets to the internal interface of a router.

- Steve

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/