Vulnerability Management Scoring Systems

Evert Smith
ZaCon 2009
http://www.zacon.org.za/Archives/2009/slides/
1. Vulnerability Scoring - Making sense of it all
   Evert Smith - ZaCon09 - 21 November 2009

2. #index
   • Ramblings
   • Intro - days of yore
   • CVSS - the beginning
   • CVSS - the metrics
   • Calculation Insight
   • Vulnerability Investigation

3. #Caveat
   Presentation is a result of:
   - general curiosity
   - thirst for anything historic
   This is not:
   - an attempt to find fault or suggest recommendations

4. #Bio

5. #amygdala
   • Fear overrules reason
   • Amygdala vs Neocortex
   • "Afraid of the dark"

6. #DaysofYore
   1995
   • Windows 3.1 Workgroup / 95 / NT4.0
   • Solaris 2.3/2.4
   • Linux Kernel: 1.1, 1.2
   • Banyan Vines
   • Bugtraq had just begun

7. #DaysofYore
   - SATAN
   - COPS
   - ESM Omniguard (Axent Technologies)
   - Nessus
   - CyberCop (Network Associates -> McAfee: circa 2000)
   - NetRecon (Axent Technologies -> Symantec: circa 2000)
   - ISS
   - Qualys

8. #DaysofYore
   • NIST - 1901
   • CERT - DARPA 1988, after the Morris worm
   • CVE - MITRE Corporation (DHS, NCSD) 1999
   • NVD - is synchronized with, and based on, the CVE list
   • CSD - NIST (2002)
   (callout on the slide: "Everything American I see")

9. #Didyouknow?
   NVD contains:
   39396 CVE vulnerabilities
   129 Checklists
   183 US-CERT Alerts
   2348 US-CERT Vuln Notes
   2517 OVAL Queries
   Last updated: 11/20/09
   CVE publication rate: 12 vulnerabilities / day
10. ./NessusPlugin
    MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Unspecified Remote Code Execution (958644)
    Critical / CVSS Base Score: 10.0
    (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

11. #VendorScoringSystems
    Microsoft Model
    Low - exploitation extremely difficult, or impact minimal
    Moderate - mitigating factors (default configuration, auditing, difficulty of exploitation) in place
    Important - confidentiality, integrity or availability compromised
    Critical - worm-type exploits (code execution without user interaction)

12. #Vulnerability
    • Conditions == fail ++
      – DoS
      – Non-repudiation
      – Impersonation
      – Data destruction
      – Exploiting an encryption system

13. ./CVSS the beginning
    Existing scoring systems in 2003 were:
      – Different
      – Non-common metrics
      – Internet centric
      – No change over time
      – No space for operational environments

14. #InitialPlan
    Initial plan was to create a system which was:
      – Open
      – Comprehensive
      – Interoperable
      – Flexible
      – Simple

15. #CVSSthebeginning
    • Started July 2003 - completed in January 2004 - released January 2005 on the DHS website
    • Objectives:
      • Understand the severity of vulnerabilities
      • Method to prioritize remediation efforts
      • Develop an overall scoring method

16. #Participants
    CVSS was a joint effort
    • CERT/CC
    • Cisco
    • DHS/MITRE
    • eBay
    • IBM Internet Security Systems
    • Microsoft
    • Qualys
    • Symantec

17. #CurrentCustodian
    • The Forum of Incident Response and Security Teams (FIRST) sponsors and supports the Common Vulnerability Scoring System Special Interest Group (CVSS-SIG).
    • The team - 36 people from Cisco, Unisys, MITRE, Lumeta, IBM, BB&T, nCircle, RedSeal, CERT/CC, NIST, Skybox, Tenable, Qualys

18. #Adopters
    (logo slide)

19. #WhatItsNot
    Does colour really make us safe?
    • CVSS is not a threat scoring system (the DHS colour warning system),
    • a vulnerability database, or
    • a real-time attack scoring system.

20. #CVSS - this is it

21. #Metrics
    • Base Metric Group
      – Access Vector
      – Access Complexity
      – Authentication
      – Confidentiality Impact
      – Integrity Impact
      – Availability Impact
    The metric group that captures the intrinsic, constant properties of the vulnerability; the temporal and environmental groups then adjust that base score over time and for a particular deployment.
22. Access Vector (calculator screenshot)
    The screenshot is of a CVSS v1 calculator: Impact Bias and Target Distribution are v1-only metrics. The left-hand column lists the v2 option sets (Access Vector: Local / Adjacent / Network; Access Complexity: High / Medium / Low; Authentication: Multiple / Single / None; C/I/A Impact: None / Partial / Complete). Values selected in the screenshot:

    Metric                        Value
    Access Vector                 (not legible in the extraction)
    Access Complexity             LOW
    Authentication                NOT-REQUIRED
    Confidentiality Impact        NONE
    Integrity Impact              NONE
    Availability Impact           COMPLETE
    Impact Bias                   AVAILABILITY
    BASE SCORE                    5.0
    Exploitability                HIGH
    Remediation Level             OFFICIAL-FIX
    Report Confidence             CONFIRMED
    TEMPORAL SCORE                4.4
    Collateral Damage Potential   NONE
    Target Distribution           HIGH
    ENVIRONMENTAL SCORE           4.4

    The arithmetic: under the v1 equation a 5.0 base implies Access Vector = Remote (10 x 1.0 x 1.0 x 1.0 x (1.0 x 0.5), the 0.5 being the availability weight of the bias); temporal = 5.0 x 1.0 x 0.87 x 1.0 = 4.35, rounded to 4.4; with CDP None and TD High the environmental score equals the temporal score.
    Vector printed on the slide: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C (the MS08-067 vector; it does not match the values selected in the screenshot, whose only impact is A:C).
23. #Doh

24. #Sowehavenumbers?
    How should the numbers drive us?
    0-3.9 = No impact, wait for SP
    4-5.9 = Next patch cycle
    6-6.9 = Next 14 days
    7-10 = ASAP - this week
    (For comparison, NVD's own v2 severity bands are Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0. The base score says nothing about whether an exploit exists or how exposed your estate is; that is what the temporal and environmental groups are for.)

25. #Say Nuts

26. #conFicker
    Official Bulletin:
    A remote code execution vulnerability exists in the Server service on Windows systems. The vulnerability is due to the service not properly handling specially crafted RPC requests. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
27. #conFicker
    The payload (the slide shows only the start of the buffer; backslashes restored, since the extraction dropped them):

```python
# Payload for Windows 2003 [SP2] target
# Python 2 byte-string literals (on Python 3 these would need a b'' prefix).
# First 24 bytes are UTF-16LE "A\..\..\": the path whose canonicalisation
# overruns the stack buffer in the Server service (NetpwPathCanonicalize).
payload_2 = '\x41\x00\x5c\x00'
payload_2 += '\x2e\x00\x2e\x00\x5c\x00\x2e\x00'
payload_2 += '\x2e\x00\x5c\x00\x0a\x32\xbb\x77'   # then 0x77bb320a: address hard-coded for this build
payload_2 += '\x8b\xc4\x66\x05\x60\x04\x8b\x00'   # x86 stub: mov eax,esp / add ax,0x460 / mov eax,[eax]
payload_2 += '\x50\xff\xd6\xff\xe0\x42\x84\xae'   # push eax / call esi / jmp eax / inc edx, then more
payload_2 += '\xbb\x77\xff\xff\xff\xff\x01\x00'   # little-endian addresses in the 0x77ba..-0x77bf..
payload_2 += '\x01\x00\x01\x00\x01\x00\x43\x43'   # range (Windows 2003 SP2 system DLLs) and filler;
payload_2 += '\x43\x43\x37\x48\xbb\x77\xf5\xff'   # none of it is portable to another build
payload_2 += '\xff\xff\xd1\x29\xbc\x77\xf4\x75'
payload_2 += '\xbd\x77\x44\x44\x44\x44\x9e\xf5'
payload_2 += '\xbb\x77\x54\x13\xbf\x77\x37\xc6'
payload_2 += '\xba\x77\xf9\x75\xbd\x77\x00\x00'
```
28. #conFicker
    Mitigation (Server Service Vulnerability)
    - To protect against external attackers - implement firewall rules to block RPC traffic (the bulletin's workaround: block TCP 139 and 445 at the perimeter)
    - On Vista (and Server 2008) - the attack only works if the attacker is authenticated
    - Disable the Server and Computer Browser services (this breaks file and print sharing; a stop-gap until the MS08-067 patch is applied)

29. #conFickerCVSS
    Critical / CVSS Base Score: 10.0
    (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

    Metric   Rating   New
    AV       N        N
    AC       L        L
    Au       N        R
    C        C        C
    I        C        C
    A        C        C
    BASE     10       6

    The "New" column changes only Authentication, from None to Required. A base of 6 is what the CVSS v1 equation gives (10 x 1.0 x 1.0 x 0.6 x 0.999); under the CVSS v2 equations the same change (Au:S) scores 9.0.

30. ./NessusPlugin - revisit
    MS08-067: Critical / CVSS Base Score: 10.0
    (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C) = 10
    (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P) = 7.5 under v2 (7.0 under v1)
    (CVSS2#AV:N/AC:L/Au:R/C:C/I:C/A:C) = 6
    (CVSS2#AV:N/AC:H/Au:R/C:C/I:C/A:C) = 4.8
    (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C) = 6 (as written on the slide; the Au:N vector scores 10, 6 is the Au:R result)
    http://nvd.nist.gov/cvss.cfm?calculator
    Note on the figures: 6 and 4.8 come from the CVSS v1 equation, where Authentication Required multiplies by 0.6 and Access Complexity High by 0.8, and "Au:R" is a v1 value (v2 has N, S and M). The v2 equations give 9.0 for Au:S and 7.1 for AC:H/Au:S on the same impact. Always check which version a calculator implements before comparing its output with a vendor or NVD score.

31. #Ponders
    Does it tally?
    CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C = 6 (the Au:R result from the previous slide)
    CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C = 3.3
    Add ImpactBias = Weight Availability
    CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C = 5
    Impact Bias exists only in CVSS v1: Normal gives each of C, I and A a weight of 0.333, while weighting one of them gives it 0.5 and the other two 0.25, so an availability-only vector moves from 10 x 0.333 = 3.3 to 10 x 0.5 = 5. v2 dropped Impact Bias, and its equations score the same availability-only vector 7.8.
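The rescoring on slides 22, 29, 30 and 31 only makes sense once you know which equation the calculator was running. As an added example, not part of the deck, the following Python implements the CVSS v1 base equation (with Impact Bias) and the CVSS v2 base equation side by side, plus the temporal equation, whose multipliers are the same in both versions, and runs the vectors from the slides through both. Weights are the published v1.0 and v2.0 values; what is assumed here is the mapping of v2 metric values onto v1's coarser scale (AV:N to Remote, everything else to Local; AC:L to Low, AC:M/H to High; Au:N to Not-Required, anything else to Required) and that the slides' v1-style "Au:R" is read as Single when scored under v2.

```python
"""CVSS v1 and v2 base equations side by side, plus the (shared) temporal equation.

Vector strings are accepted in the form used on the slides,
e.g. "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C", stray parentheses included.
"""
import math
import re

# CVSS v2.0 base-metric weights (FIRST specification)
V2_AV = {"L": 0.395, "A": 0.646, "N": 1.0}
V2_AC = {"H": 0.35, "M": 0.61, "L": 0.71}
V2_AU = {"M": 0.45, "S": 0.56, "N": 0.704}
V2_IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# CVSS v1.0 base-metric weights: only two values per exploitability metric
V1_AV = {"Local": 0.7, "Remote": 1.0}
V1_AC = {"High": 0.8, "Low": 1.0}
V1_AU = {"Required": 0.6, "Not-Required": 1.0}
V1_IMPACT = {"N": 0.0, "P": 0.7, "C": 1.0}
# Impact Bias (v1 only): (confidentiality, integrity, availability) weights
V1_BIAS = {
    "Normal": (0.333, 0.333, 0.333),
    "Confidentiality": (0.5, 0.25, 0.25),
    "Integrity": (0.25, 0.5, 0.25),
    "Availability": (0.25, 0.25, 0.5),
}

# Temporal multipliers: identical in v1 and v2
EXPLOITABILITY = {"U": 0.85, "POC": 0.90, "F": 0.95, "H": 1.0, "ND": 1.0}
REMEDIATION_LEVEL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
REPORT_CONFIDENCE = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}

# 'Au:R' (v1 "Required", as written on the slides) is accepted alongside N/S/M
VECTOR_RE = re.compile(r"AV:([LAN])/AC:([HML])/Au:([MSNR])/C:([NPC])/I:([NPC])/A:([NPC])")


def round1(x):
    """round_to_1_decimal as both specs intend: .x5 rounds up (Python's round() is banker's)."""
    return math.floor(x * 10 + 0.5 + 1e-9) / 10


def parse_vector(text):
    """Extract the six base metrics from a v2-style vector string."""
    m = VECTOR_RE.search(text)
    if not m:
        raise ValueError("not a CVSS v2 base vector: %r" % text)
    return dict(zip(("AV", "AC", "Au", "C", "I", "A"), m.groups()))


def base_v2(vector):
    """CVSS v2 base score. Assumption: a v1-style Au:R is treated as Au:S (Single)."""
    v = parse_vector(vector)
    au = "S" if v["Au"] == "R" else v["Au"]
    impact = 10.41 * (1 - (1 - V2_IMPACT[v["C"]]) * (1 - V2_IMPACT[v["I"]]) * (1 - V2_IMPACT[v["A"]]))
    exploitability = 20 * V2_AV[v["AV"]] * V2_AC[v["AC"]] * V2_AU[au]
    f_impact = 0 if impact == 0 else 1.176
    return round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def base_v1(vector, bias="Normal"):
    """CVSS v1 base score from the same vector string.
    Assumed mapping onto v1's coarser scale: AV:N -> Remote, AV:L/A -> Local;
    AC:L -> Low, AC:M/H -> High; Au:N -> Not-Required, Au:S/M/R -> Required."""
    v = parse_vector(vector)
    av = V1_AV["Remote"] if v["AV"] == "N" else V1_AV["Local"]
    ac = V1_AC["Low"] if v["AC"] == "L" else V1_AC["High"]
    au = V1_AU["Not-Required"] if v["Au"] == "N" else V1_AU["Required"]
    cb, ib, ab = V1_BIAS[bias]
    impact = V1_IMPACT[v["C"]] * cb + V1_IMPACT[v["I"]] * ib + V1_IMPACT[v["A"]] * ab
    return round1(10 * av * ac * au * impact)


def temporal(base, exploitability="ND", remediation="ND", confidence="ND"):
    """Temporal score; multipliers are the same in v1 and v2."""
    return round1(base * EXPLOITABILITY[exploitability] * REMEDIATION_LEVEL[remediation]
                  * REPORT_CONFIDENCE[confidence])


def rescore(vector, bias="Normal"):
    """Score one vector under both equations, to tell which one a calculator was using."""
    return {"v1": base_v1(vector, bias), "v2": base_v2(vector)}


if __name__ == "__main__":
    # The MS08-067 vector and the variants rescored on the slides
    for vec in ("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C",
                "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P",
                "CVSS2#AV:N/AC:L/Au:R/C:C/I:C/A:C",
                "CVSS2#AV:N/AC:H/Au:R/C:C/I:C/A:C",
                "CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"):
        print(vec, rescore(vec))
    print("A:C only, Impact Bias = Availability (v1 only):",
          base_v1("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C", bias="Availability"))
    print("temporal of base 5.0 with E:H / RL:OF / RC:C:", temporal(5.0, "H", "OF", "C"))
```

Running it reproduces every figure on the slides from the v1 column (10, 6, 4.8, 3.3, 5, and the 5.0 to 4.4 temporal step of slide 22) and shows what the v2 equations give for the same vectors (10, 9.0, 7.1, 7.8, and 7.5 rather than 10 for C:P/I:P/A:P). The only way to get a different "New" score that others can reproduce is to state the version and the full vector next to the number.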
32. #BUT
    And when they've given you their all
    Some stagger and fall, after all it's not easy,
    banging your heart against some mad bugger's wall
