So, I've finally spent some real time reading the NIAC CVSS report and I genuinely believe that they made a mistake with the temporal metric.
What's worse is that they should know that they made a mistake. From the report itself:
"As a vulnerability ages, certain intrinsic characteristics will change with time. In many cases, when first discovered, a set of vulnerable systems will be at or close to its peak, while the availability of exploit and remedial information will be at its lowest point. As time progresses, patch information will become more available and more systems will be fixed as more exploits occur, driving the need for the fix. Eventually, the set of vulnerable systems will reach its low point as remedial information reaches its high point."
In other words, the vulnerability is most widespread at day 0, and is most severe for a given system at day n (where n >> 0).
This suggests to me that there are two useful metrics for talking about the vulnerability's severity:
- When talking about the vulnerability's Global Severity (i.e. impact to all systems), the vulnerability is most severe in its early days.
- When talking about the vulnerability's Local Severity (i.e. impact on a single host), the vulnerability grows continuously more severe as time goes forward.
The CVSS team realized that. Unfortunately, the products that will consume CVSS - Qualys, Symantec, etc. - are going to be rating Local Severity far more often than Global Severity.
This leaves them in a difficult spot, because the way that CVSS handles the temporal metric suggests that it is concerned only with Global Severity - the score starts at its highest point and is reduced over time. From the paper again: "the temporal metrics serve only to reduce the base score by a maximum of 25%."
Unfortunately, neither the product vendors nor the authors of the paper are taking this into account. It's going to end up doing a great disservice to the security of the products and their customers. They'll spend their time patching the vulnerabilities least likely to be exploited, while the oldest, most exploitable vulnerabilities will continuously have their scores reduced.
It's an attacker's dream. They won't find any 0-days, but Unicode, Sadmind and the Slammer vuln are going to be less likely to be patched based on the recommendation of tools using this new scoring system.
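To make the ranking inversion concrete, here is a small added model (not from the NIAC report and not real CVSS weights). The temporal multipliers only shrink, bounded by the 25% the report states; the per-host "local" multipliers are my own assumption that a host which never applied the fix gets more exposed as exploit code matures. Stage names, factor values and the sample vulnerabilities are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Lifecycle stages in the order the post describes them: day 0 has no exploit
# and no fix; later, exploit code spreads and remediation appears.
# All multipliers are assumptions for illustration. The report only states
# that the temporal metrics can reduce the base score by at most 25%.
TEMPORAL_FACTOR: Dict[str, float] = {
    "day0":        1.00,  # unproven exploit, no fix: no reduction yet
    "poc":         0.95,  # proof-of-concept exploit, still no fix
    "exploit_fix": 0.85,  # working exploit, official fix available
    "worm_fix":    0.75,  # worm-exploited for years, fix long available (floor)
}
# Local view for a host that has NOT applied the fix: exposure follows exploit
# maturity and never shrinks just because a patch exists somewhere else.
LOCAL_FACTOR: Dict[str, float] = {
    "day0": 0.60, "poc": 0.80, "exploit_fix": 1.00, "worm_fix": 1.00,
}

@dataclass(frozen=True)
class Vuln:
    name: str
    base: float   # base score on the 0..10 scale
    stage: str    # key into the factor tables above

def cvss_temporal(v: Vuln) -> float:
    """Global-severity view: temporal metrics can only lower the base score."""
    return v.base * TEMPORAL_FACTOR[v.stage]

def local_severity(v: Vuln) -> float:
    """Per-host view (assumed model, not part of CVSS)."""
    return v.base * LOCAL_FACTOR[v.stage]

def patch_order(vulns: List[Vuln], scorer: Callable[[Vuln], float]) -> List[str]:
    """Names sorted by descending score, i.e. the order a tool would patch."""
    return [v.name for v in sorted(vulns, key=scorer, reverse=True)]

# Constructed sample: an old worm-exploited bug versus a brand-new one with
# the same base score, as seen on one host that has patched neither.
SAMPLE = [
    Vuln("old-worm-vuln", 7.5, "worm_fix"),
    Vuln("new-unproven-vuln", 7.5, "day0"),
]

if __name__ == "__main__":
    print("temporal:", patch_order(SAMPLE, cvss_temporal))   # new one first
    print("local:   ", patch_order(SAMPLE, local_severity))  # old one first
```

A tool ranking by the temporal score patches the new, unproven bug first; the same host ranked by local exposure patches the old, actively exploited one first.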
It seems like a small issue on the surface, but it's going to cause huge repercussions over the long term and ultimately make us all less secure than we should be.