Download as PDF, PPTX
![#conFicker
The
payload:
#Payload
for
Windows
2003[SP2]
target
payload_2='x41x00x5cx00'
payload_2+='x2ex00x2ex00x5cx00x2ex00'
payload_2+='x2ex00x5cx00x0ax32xbbx77'
payload_2+='x8bxc4x66x05x60x04x8bx00'
payload_2+='x50xffxd6xffxe0x42x84xae'
payload_2+='xbbx77xffxffxffxffx01x00'
payload_2+='x01x00x01x00x01x00x43x43'
payload_2+='x43x43x37x48xbbx77xf5xff'
payload_2+='xffxffxd1x29xbcx77xf4x75'
payload_2+='xbdx77x44x44x44x44x9exf5'
payload_2+='xbbx77x54x13xbfx77x37xc6'
payload_2+='xbax77xf9x75xbdx77x00x00'](https://image.slidesharecdn.com/2009zaconevertsmith-091124014344-phpapp02/85/Vulnerability-Management-Scoring-Systems-29-320.jpg)
Uploaded bySecurity B-Sides
Vulnerability Management Scoring Systems
The document discusses the history and development of vulnerability scoring systems. It provides background on early vulnerability scanners and scoring models from the 1990s. It then describes the creation of the Common Vulnerability Scoring System (CVSS) in 2003 by DHS, MITRE and other organizations to provide an open, standardized scoring method. The document outlines the initial goals for CVSS and lists the participating organizations. It also summarizes some of the key metrics used in CVSS scoring, including access vector, access complexity, authentication requirements, and impact categories.
More Related Content
Similar to Vulnerability Management Scoring Systems
Vulnerability Management Scoring Systems
- 1. Vulnerability Scoring Making sense of it all Evert Smith -‐ ZaCon09 – 21 November 2009
- 2. #index • Ramblings • Intro – days of yore • CVSS – the beginning • CVSS – the metrics • CalculaGon Insight • Vulnerability InvesGgaGon
- 3. #Caveat PresentaGon is a result of: -‐ general curiosity -‐ thirst for anything historic This is not: -‐ an aKempt to find fault or suggest recommendaGons
- 4.
- 5. #amygdala • Fear overrules reason • Amygdala vs Neocortex • “Afraid of the dark”
- 7. #DaysofYore 1995 • Windows 3.1 Workgroup / 95 / NT4.0 • Solaris 2.3/2.4 • Linux Kernel: 1.1, 1.2 • Banyan Vines • BugTrac just began
- 8. #DaysofYore -‐ SATAN -‐ COPS -‐ ESM Omniguard (Axent Technologies) -‐ Nessus -‐ CyberCop (NA -‐> McAfee: circa 2000) -‐ NETRECON (Axent Technologies -‐> Symantec: circa 2000) -‐ ISS -‐ Qualys
- 9. #DaysofYore • NIST – 1901 • CERT – DARPA 1988 afer the Morris worm • CVE – MITRE corporaGon (DHS, NCSD) 1999 • NVD -‐ is synchronized with, and based on the CVE list Everyt hing Ameri can I • CSD – NIST (2002) see
- 10. #Didyouknow? NVD contains: 39396 CVE VulnerabiliGes 129 Checklists 183 US-‐CERT Alerts 2348 US-‐CERT Vuln Notes 2517 OVAL Queries Last updated: 11/20/09 CVE PublicaGon rate: 12 vulnerabili-es / day
- 11. ./NessusPlugin MS08-‐067: Microsof Windows Server Service Crafed RPC Request Handling Unspecified Remote Code ExecuGon (958644) CriGcal / CVSS Base Score : 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
- 12. #VendorScoringSystems Microso< Model Low – exploitaGon difficult Moderate– miGgaGng in place Important – CIA compromised Cri-cal – worm type exploits
- 14. #Vulnerability • CondiGons == fail ++ – DoS – Non-‐repudiaGon – ImpersonaGon – Data destrucGon – ExploiGng an encrypGon system
- 15. ./CVSS the beginning ExisGng scoring systems in 2003 were: – Different – Non-‐common metrics – Internet centric – No change over Gme – No space for operaGonal environments
- 16. #IniGalPlan IniGal plan was to create a system which was: – Open – Comprehensive – Interoperable – Flexible – Simple
- 17. #CVSSthebeginning • Started July 2003 -‐ Completed in January 2004 – released January 2005 on DHS website • ObjecGves: • Understand the severity of vulnerabiliGes • Method to prioriGze remediaGon efforts • Develop overall scoring method
- 18. #ParGcipants CVSS was a joint effort • CERT/CC • Cisco • DHS/MITRE • eBay • IBM Internet Security Systems • Microsof • Qualys • Symantec
- 19. #CurrentCustodian • The Forum of Incident Response and Security Teams (FIRST) sponsors and supports the Common Vulnerability Scoring System-‐Special Interest Group (CVSS-‐SIG. • The team – 36 people from Cisco, Unisys, MITRE, Lumeta, IBM, BB&T, nCircle, RedSeal, CERT/CC, NIST, Skybox, Tenable., Qualys
- 20.
- 21. #WhatItsNot Does colour really make us safe? • CVSS is not a threat scoring system (DHS colour warning system), • a vulnerability database or • a real-‐Gme aKack scoring system.
- 22. #CVSS – this is it
- 23. #Metrics • Base Metric Group – Access Vector – Access Complexity – AuthenGcaGon – ConfidenGality Impact – Integrity Impact – Availability Impact The metric which shows the intrinsic nature of the vulnerability
- 24. Access Vector Access Vector Value Access Complexity LOW Local Complexity Access AuthenGcaGon NOT-‐REQUIRED Adjacent High Authen-ca-on Network Medium ConfidenGality Impact NONE MulGple Confiden-ality Impact Integrity Impact NONE Low Single Availability Impact COMPLETE None Impact Integrity None ParGal Impact Bias AVAILABILITY None Availability Impact BASE SCORE 5.0 Complete ParGal None Exploitability HIGH Complete ParGal RemediaGon Level OFFICIAL-‐FIX Complete Report Confidence CONFIRMED TEMPORAL SCORE 4.4 Collateral Damage PotenGal NONE CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Target DistribuGon HIGH ENVIRONMENTAL SCORE 4.4
- 25.
- 26. #Sowehavenumbers? How should the numbers drive us? 0-‐3 = No impact, wait for SP 4-‐5 = Next patch cycle 6-‐7 = Next 14 days 7-‐10 = ASAP – this week
- 27.
- 28. #conFicker Official BulleGn: A remote code execuGon vulnerability exists in the Server service on Windows systems. The vulnerability is due to the service not properly handling specially crafed RPC requests. An aKacker who successfully exploited this vulnerability could take complete control of an affected system.
- 29. #conFicker The payload: #Payload for Windows 2003[SP2] target payload_2='x41x00x5cx00' payload_2+='x2ex00x2ex00x5cx00x2ex00' payload_2+='x2ex00x5cx00x0ax32xbbx77' payload_2+='x8bxc4x66x05x60x04x8bx00' payload_2+='x50xffxd6xffxe0x42x84xae' payload_2+='xbbx77xffxffxffxffx01x00' payload_2+='x01x00x01x00x01x00x43x43' payload_2+='x43x43x37x48xbbx77xf5xff' payload_2+='xffxffxd1x29xbcx77xf4x75' payload_2+='xbdx77x44x44x44x44x9exf5' payload_2+='xbbx77x54x13xbfx77x37xc6' payload_2+='xbax77xf9x75xbdx77x00x00'
- 30. #conFicker MiGgaGon (Server Service Vulnerability) -‐ To protect against external – implement firewall rules to block RPC traffic -‐ On Vista – the aKack only works if the a`acker is authen-cated -‐ Disable Server and Computer Browser service
- 31. #conFickerCVSS CriGcal / CVSS Base Score : 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C) Code Ra-ng New AV N N AC L L AU N R C C C I C C A C C BASE SCORE 10 6
- 32. ./NessusPlugin -‐ revisit MS08-‐067: CriGcal / CVSS Base Score : 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C) = 10 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P) = 10 CVSS2#AV:N/AC:L/Au:R/C:C/I:C/A:C) = 6 CVSS2#AV:N/AC:H/Au:R/C:C/I:C/A:C) = 4.8 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C) = 6 hKp://nvd.nist.gov/cvss.cfm?calculator
- 33. #Ponders Does it tally? CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C) = 6 CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C) = 3.3 Add ImpactBias = Weight Availability CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C) = 5
- 34. #BUT And whenthey've given you their all Some stagger and fall after all it's not easy, banging your heart against some mad buggers wall