Dailydave mailing list archives
Re: Vuln scoring system anyone?
From: Brian Erdelyi <brian_erdelyi () yahoo com>
Date: Tue, 1 Mar 2005 07:49:40 -0800 (PST)
> Ok, well now that I've read the report, I can comment on it:
> 1. It turns out "access complexity" means "race conditions or client side vulns"
I didn't try to be too narrow with my interpretation of Access Complexity; I think it's a great term. One of my personal beefs is that some people neglect to differentiate between the levels of access required to exploit the vulnerability. If authentication is required, are admin/root privileges required to exploit it? To exploit the vuln, does it require user interaction? Maybe this is what you mean by "race condition or client side vuln"?
> 2. "Report Confidence" as "Uncorroborated" as "Multiple non-official sources; possibly including independent security companies or research organizations." Then as "Confirmed" as "Vendor has reported/confirmed a problem within its own product." This is basically
I think that may be a more intuitive distinction. I don't think it's reversed since it is intended that the vendor confirm it.
Personally, I would refer to "Impact Bias" as "Impact Priority".
As with any scoring system there is potential for misuse and errors. I created the calculator to illustrate how CVSS works and to do what-if scenarios.
DoS Vuln:
Access Vector: Remote
Access Complexity: Low
Authentication: Not Required
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
Impact Bias: Availability
Base Score: 5
Buffer Overflow:
Access Vector: Remote
Access Complexity: Low
Authentication: Not Required
Confidentiality Impact: None
Integrity Impact: Complete
Availability Impact: Complete
Impact Bias: Integrity
Base Score: 7.5
Does that describe the scenario you mean? In this case base score can vary by 2.5.
Regards,
Brian Erdelyi
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
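The two vectors in the message above are scored with the CVSS version 1 base equation. As an added example (not the post's own calculator, which the archive does not reproduce), here is a small Python implementation of that equation together with the what-if re-scoring the post mentions. The metric weights are taken from the published CVSS v1 specification and are an assumption here, since the thread only quotes the resulting scores; the function names, metric keys and the two vector dictionaries are this example's own.

```python
"""CVSS version 1 base-score calculator with what-if re-scoring.

Added example, not code from the post or from Brian's calculator.
The metric weights are the ones published for CVSS v1 (2005); the
post only quotes the resulting scores, so the weights here are an
assumption drawn from that specification.  Function and vector names
are this example's own.
"""
from typing import Dict

# CVSS v1 exploitability weights (assumed from the v1 specification).
ACCESS_VECTOR = {"remote": 1.0, "local": 0.7}
ACCESS_COMPLEXITY = {"low": 1.0, "high": 0.8}
AUTHENTICATION = {"not required": 1.0, "required": 0.6}

# CVSS v1 impact weights, shared by the C, I and A metrics.
IMPACT = {"none": 0.0, "partial": 0.7, "complete": 1.0}

# Impact bias: per-axis (C, I, A) multipliers that always sum to 1.0,
# so the bias only redistributes weight between axes, never adds to it.
IMPACT_BIAS = {
    "normal":          (0.333, 0.333, 0.333),
    "confidentiality": (0.5,   0.25,  0.25),
    "integrity":       (0.25,  0.5,   0.25),
    "availability":    (0.25,  0.25,  0.5),
}

# Metric key -> table of legal values, used by what_if().
METRICS = {
    "av": ACCESS_VECTOR, "ac": ACCESS_COMPLEXITY, "au": AUTHENTICATION,
    "c": IMPACT, "i": IMPACT, "a": IMPACT, "bias": IMPACT_BIAS,
}


def base_score(av: str, ac: str, au: str, c: str, i: str, a: str,
               bias: str = "normal") -> float:
    """CVSS v1 base score: 10 * AV * AC * Au * biased impact sum, to 1 decimal."""
    cw, iw, aw = IMPACT_BIAS[bias]
    impact = IMPACT[c] * cw + IMPACT[i] * iw + IMPACT[a] * aw
    return round(10 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac]
                 * AUTHENTICATION[au] * impact, 1)


def what_if(vector: Dict[str, str], metric: str) -> Dict[str, float]:
    """Re-score `vector` under every legal value of one metric.

    This is the what-if use the post describes: hold the rest of the
    vector fixed and see how much one metric moves the base score.
    """
    return {value: base_score(**{**vector, metric: value})
            for value in METRICS[metric]}


# The two vectors scored in the post (constructed from its tables).
DOS_VULN = dict(av="remote", ac="low", au="not required",
                c="none", i="none", a="complete", bias="availability")
BUFFER_OVERFLOW = dict(av="remote", ac="low", au="not required",
                       c="none", i="complete", a="complete", bias="integrity")


def score_gap() -> float:
    """Difference between the two post vectors (the 2.5 the post quotes)."""
    return round(base_score(**BUFFER_OVERFLOW) - base_score(**DOS_VULN), 1)


if __name__ == "__main__":
    for name, vec in (("DoS vuln", DOS_VULN), ("Buffer overflow", BUFFER_OVERFLOW)):
        print(f"{name}: base score {base_score(**vec)}")
    print(f"gap: {score_gap()}")
    # The access-level distinction raised in the post: the same overflow
    # behind authentication, or needing a harder trigger, scores lower.
    print("overflow vs. authentication:", what_if(BUFFER_OVERFLOW, "au"))
    print("overflow vs. access complexity:", what_if(BUFFER_OVERFLOW, "ac"))
```

With these weights the DoS vector scores 5.0 and the overflow 7.5, the 2.5 gap quoted in the post; flipping Authentication to Required on the overflow drops it to 4.5, and raising Access Complexity to High drops it to 6.0, which is the kind of access-level distinction the message argues a scoring system should expose.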
Current thread:
- Re: Vuln scoring system anyone? security curmudgeon (Feb 26)
- Re: Vuln scoring system anyone? Adam Shostack (Feb 28)
- <Possible follow-ups>
- RE: Vuln scoring system anyone? Kevin Greene (Feb 26)
- Vuln scoring system anyone? Brian Erdelyi (Feb 28)
- Vuln scoring system anyone? Brian Erdelyi (Feb 28)
- Re: Vuln scoring system anyone? Dave Aitel (Feb 28)
- Re: Vuln scoring system anyone? Brian Erdelyi (Mar 01)
- Re: Vuln scoring system anyone? Dave Aitel (Mar 01)
- Re: Vuln scoring system anyone? Brian Erdelyi (Mar 01)
- Re: Vuln scoring system anyone? Dave Aitel (Mar 01)
- Re: Vuln scoring system anyone? Brian Erdelyi (Mar 01)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Brian (Mar 01)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Blue Boar (Mar 01)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Brian (Mar 01)
- Re: Vuln scoring system anyone? Dave Aitel (Feb 28)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Oliv (Mar 02)
