
December 2007 Archives

December 7, 2007

CVSSv2 Vector Confusion

CVSSv2 is the Common Vulnerability Scoring System organized by FIRST (http://www.first.org/cvss/cvss-guide.html).

** NOTE: all discussion below is about CVSS Version 2, not Version 1 **

CVSS scores are calculated from CVSS vectors.
A CVSS vector consists of 3 parts:
- Base Vector
- Temporal Vector
- Environmental Vector

FIRST provides links to CVSS calculators so that you can dynamically rate an unscored vulnerability.
There are at least 2 working CVSS calculators available:
- NIST/NVD
- Information-Technology Promotion Agency, Japan (ITPA-J)
The NVD link unfortunately goes to their CVSSv1 calculator... this is where the trouble starts.


FIRST (the authority on the subject) lists the following Temporal Vector metrics:
- Exploitability
- Remediation Level
- Report Confidence

A Temporal Vector looks like this:
E:[U,POC,F,H,ND]/RL:[OF,TF,W,U,ND]/RC:[UC,UR,C,ND]

Exploitability has the following possible values:
- Unproven (U)
- Proof-of-Concept (POC)
- Functional (F)
- High (H)
- Not Defined (ND)

This is where things really get messy. These are the Exploitability vector definitions as found in 4 specifications:
- E:[U,POC,F,H,ND] (according to FIRST Spec)
- E:[U,P,F,H,ND] (according to NVD)
- E:[U,P,F,H] (according to FIRST Historical)
- E:[U,POC,F,H,ND] (according to ITPA-J)

** NOTE: These are directly from the specifications **

FIRST's Official Spec lists:
- E:[U,POC,F,H,ND]
- With Values: Unproven (U), Proof-of-Concept (POC), Functional (F), High (H), Not Defined (ND)

NVD's Vector Definition lists:
- E:[U,P,F,H,ND]
- With Values: U = Unproven, P = Proof-of-concept, F = Functional, W = Widespread, ND = Not Defined

FIRST's Historical Section lists:
- E:[U,P,F,H]
- With Values: U = Unproven, P = Proof-of-concept, F = Functional, W = Widespread

ITPA-J's calculator lists:
- E:[U,POC,F,H,ND]
- With Values: Undefined (ND), Unproven, Proof-of-concept, Functional, Widespread


NVD's calculator will only accept H for High, not W for Widespread. It will accept P for Proof-of-concept as well as POC (this permits incorrect data).

NVD CVSSv2 Calculator Tests
[E:W BROKEN]
http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C/E:W/RL:O/RC:C)
[E:H FIXED]
http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:O/RC:C)
[E:POC CORRECT]
http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C/E:POC/RL:O/RC:C)
[E:P ACCEPTABLE according to NVD]
http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C/E:P/RL:O/RC:C)


ITPA-J's calculator calls H Widespread and maps W and P to Undefined.

ITPA-J CVSSv2 Calculator Tests
[E:H MISLABELED - shows up as Widespread]
http://jvnrss.ise.chuo-u.ac.jp/jtg/cvss/cvss2.cgi?name=CVE-9999-9999-Example&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:TF/RC:UC/CDP:L/TD:H/CR:M/IR:M/AR:H)&g=999&lang=en
[E:W MAPPED to Undefined]
http://jvnrss.ise.chuo-u.ac.jp/jtg/cvss/cvss2.cgi?name=CVE-9999-9999-Example&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:W/RL:TF/RC:UC/CDP:L/TD:H/CR:M/IR:M/AR:H)&g=999&lang=en
[E:P MAPPED to Undefined]
http://jvnrss.ise.chuo-u.ac.jp/jtg/cvss/cvss2.cgi?name=CVE-9999-9999-Example&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:P/RL:TF/RC:UC/CDP:L/TD:H/CR:M/IR:M/AR:H)&g=999&lang=en
[E:POC CORRECT]
http://jvnrss.ise.chuo-u.ac.jp/jtg/cvss/cvss2.cgi?name=CVE-9999-9999-Example&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:TF/RC:UC/CDP:L/TD:H/CR:M/IR:M/AR:H)&g=999&lang=en


Well, now you can see where people might have gotten confused...

I vote we all just use FIRST's Official Spec:
- E:[U,POC,F,H,ND]
- With Values: Unproven (U), Proof-of-Concept (POC), Functional (F), High (H), Not Defined (ND)
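The following Python script is an added example written for this page; it is not code from the original post, nor from FIRST, NVD or ITPA-J. It does what the vote above asks for: it accepts only FIRST's E:[U,POC,F,H,ND] for the Exploitability metric, rewrites NVD's "P" to "POC" while recording a warning, rejects "W" outright (NVD's calculator breaks on it and ITPA-J silently maps it to Undefined, so its meaning is ambiguous), and then computes the base and temporal scores with the CVSSv2 equations and weight tables published in the FIRST guide. The vectors in the usage lines are the post's own test vectors with FIRST abbreviations throughout; environmental metrics are validated but not scored. The function names (parse_vector, score_vector) are this example's own.

```python
"""CVSSv2 temporal vector normaliser and scorer (added example, not from the post)."""
from decimal import Decimal, ROUND_HALF_UP
import re

# Metric weights from the CVSSv2 guide (FIRST).
BASE_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}
TEMPORAL_WEIGHTS = {
    # FIRST official spec: E:[U,POC,F,H,ND] / RL:[OF,TF,W,U,ND] / RC:[UC,UR,C,ND]
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},
}
# Environmental metrics: accepted and validated, but not scored in this example.
ENV_VALUES = {
    "CDP": {"N", "L", "LM", "MH", "H", "ND"},
    "TD": {"N", "L", "M", "H", "ND"},
    "CR": {"L", "M", "H", "ND"}, "IR": {"L", "M", "H", "ND"}, "AR": {"L", "M", "H", "ND"},
}
# Non-FIRST abbreviations seen in other calculators. "P" (NVD) has an
# unambiguous FIRST equivalent; "W" (Widespread) does not, since NVD's
# calculator rejects it and ITPA-J maps it to Undefined.
E_ALIASES = {"P": "POC"}
E_REJECTED = {"W": "'Widespread' is not a FIRST CVSSv2 value; use H (High)"}


def parse_vector(text):
    """Parse '(AV:N/AC:M/.../E:P/...)' into a dict. Returns (metrics, warnings).
    Raises ValueError for metrics or values outside the FIRST spec."""
    body = text.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    metrics, warnings = {}, []
    for part in body.split("/"):
        if not re.fullmatch(r"[A-Za-z]+:[A-Za-z]+", part):
            raise ValueError("malformed metric %r" % part)
        name, value = part.split(":")
        if name in BASE_WEIGHTS:
            allowed = BASE_WEIGHTS[name]
        elif name in TEMPORAL_WEIGHTS:
            allowed = TEMPORAL_WEIGHTS[name]
        elif name in ENV_VALUES:
            allowed = ENV_VALUES[name]
        else:
            raise ValueError("unknown metric %r" % name)
        if name == "E" and value in E_ALIASES:
            warnings.append("E:%s is an NVD abbreviation; normalised to E:%s"
                            % (value, E_ALIASES[value]))
            value = E_ALIASES[value]
        if name == "E" and value in E_REJECTED:
            raise ValueError("E:%s rejected: %s" % (value, E_REJECTED[value]))
        if value not in allowed:
            raise ValueError("value %r not valid for metric %r" % (value, name))
        if name in metrics:
            raise ValueError("metric %r given twice" % name)
        metrics[name] = value
    missing = [m for m in BASE_WEIGHTS if m not in metrics]
    if missing:
        raise ValueError("base metrics missing: %s" % ", ".join(missing))
    return metrics, warnings


def _round1(x):
    """round_to_1_decimal as used by the CVSSv2 guide (half up, not banker's)."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(m):
    """CVSSv2 base equation."""
    w = lambda n: BASE_WEIGHTS[n][m[n]]
    impact = 10.41 * (1 - (1 - w("C")) * (1 - w("I")) * (1 - w("A")))
    if impact == 0:
        return 0.0  # f(Impact) = 0 when there is no impact at all
    exploitability = 20 * w("AV") * w("AC") * w("Au")
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176)


def temporal_score(m):
    """Temporal score; metrics omitted from the vector count as ND (weight 1.0)."""
    score = base_score(m)
    for name, table in TEMPORAL_WEIGHTS.items():
        score *= table[m.get(name, "ND")]
    return _round1(score)


def score_vector(text):
    """Convenience wrapper: (base, temporal, warnings) for a vector string."""
    m, warnings = parse_vector(text)
    return base_score(m), temporal_score(m), warnings


if __name__ == "__main__":
    for v in ("(AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C)",
              "(AV:N/AC:M/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C)",
              "(AV:N/AC:M/Au:N/C:C/I:C/A:C/E:P/RL:OF/RC:C)",
              "(AV:N/AC:M/Au:N/C:C/I:C/A:C/E:W/RL:OF/RC:C)"):
        try:
            print(v, score_vector(v))
        except ValueError as exc:
            print(v, "REJECTED:", exc)
```

The E:H and E:POC vectors score the same as any spec-conformant calculator (9.3 base; 8.1 and 7.3 temporal), E:P yields the E:POC result plus a warning that an NVD abbreviation was normalised, and E:W is refused rather than silently reinterpreted, which is the failure mode the calculator tests above show.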


---

REFS

FIRST Official CVSSv2
http://www.first.org/cvss/cvss-guide.html#i2.2.1

FIRST Historical CVSSv2
http://www.first.org/cvss/history.html#c7

NVD CVSSv2 Calculator
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

NVD CVSSv2 Broken Metrics
http://nvd.nist.gov/cvss.cfm?vectorinfo&version=2

ITPA-J's CVSSv2 Slightly Broken Calculator
http://jvnrss.ise.chuo-u.ac.jp/jtg/cvss/cvss2.cgi

December 10, 2007

Q: When is a Vulnerable Application not a Vulnerable Application?

A: When the vulnerable component is a third party addon.

It seems that quite a few people are talking about a Stack Overflow that appeared on milw0rm over the weekend. ISC posted on it, SecurityFocus has added it as a vulnerability and assigned a Bugtraq ID to it, and Donna's SecurityFlash has picked it up.

Shortly after the ISC post went up, I sent an email to them via their contact form, letting them know that this wasn't a vulnerability in Windows Media Player 6.4. They have finally updated their content to reflect this, but others still haven't... so consider this an update to all those other sites.

This vulnerability affects the 3ivx codec pack and specifically 3ivx.dll. Windows Media Player 6.4, which is found on all versions of Windows up to, and including, Windows Server 2003, doesn't natively support mp4 files, which is the file format generated by the PoC.

According to the individual that discovered the vulnerability, the latest release (5.0.1) is vulnerable to this flaw.

December 11, 2007

Patch Tuesday - December 2007

Today we see 7 patches, which fix 11 flaws.

---

MS07-063
SMBv2 Signing Vulnerability - CVE-2007-5351

Executive Summary:
This important security update resolves a privately reported vulnerability in Server Message Block Version 2 (SMBv2). The vulnerability could allow an attacker to tamper with data transferred via SMBv2, which could allow remote code execution in domain configurations communicating with SMBv2.

---

MS07-064
Microsoft DirectX Code Execution Vulnerability Parsing SAMI Files - CVE-2007-3901
Microsoft DirectX Code Execution Vulnerability Parsing WAV and AVI Files - CVE-2007-3895

Executive Summary:
This critical security update resolves two privately reported vulnerabilities in Microsoft DirectX. These vulnerabilities could allow code execution if a user opened a specially crafted file used for streaming media in DirectX. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

---

MS07-065
Message Queuing Service Remote Code Execution Vulnerability - CVE-2007-3039

Executive Summary:
This important security update resolves a privately reported vulnerability in Message Queuing Service (MSMQ) that could allow remote code execution in implementations on Microsoft Windows 2000 Server, or elevation of privilege in implementations on Microsoft Windows 2000 Professional and Windows XP. An attacker must have valid logon credentials to exploit this vulnerability. An attacker could then install programs; view, change, or delete data; or create new accounts.

---

MS07-066
Windows Kernel Vulnerability - CVE-2007-5350

Executive Summary:
This important security update resolves a privately reported vulnerability in the Windows kernel. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

---

MS07-067
Macrovision Driver Vulnerability - CVE-2007-5587

Executive Summary:
This important security update resolves one publicly disclosed vulnerability. A local elevation of privilege vulnerability exists in the way that the Macrovision driver incorrectly handles configuration parameters. An attacker who successfully exploited this vulnerability could take complete control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

---

MS07-068
Windows Media Format Remote Code Execution Vulnerability Parsing ASF - CVE-2007-0064

Executive Summary:
This critical security update resolves a privately reported vulnerability in Windows Media File Format. This vulnerability could allow remote code execution if a user viewed a specially crafted file in Windows Media Format Runtime. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

---

MS07-069
Uninitialized Memory Corruption Vulnerability - CVE-2007-3902
Uninitialized Memory Corruption Vulnerability - CVE-2007-3903
Uninitialized Memory Corruption Vulnerability - CVE-2007-5344
DHTML Object Memory Corruption Vulnerability - CVE-2007-5347

Executive Summary:
This critical security update resolves four privately reported vulnerabilities. The most serious security impact could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

December 20, 2007

Interning with nCircle

As 2007 nears its end, so does my internship with the Vulnerability Engineering and Research Team (VERT) at nCircle. I cannot believe how much I have learned since starting last May. Operating systems I had never heard of, advanced Apache and IIS webserver administration, random protocols (SMB, FTP, HTTP, SSH), Reverse Engineering... it seems like everything but the kitchen sink.

Every other day, a new "high priority" vulnerability was reported that kicked VERT into high gear, sending the team into a dizzying rush to write detection for it. What amazes me is how they can juggle these last-minute high-priority rushes while keeping standard coverage projects going on the side. The VERT members managed to juggle both of these, and each was still able to find time to pull me aside and train me in everything from Python to Reverse Engineering.

Unlike my past internships, I was very pleased to have the opportunity to accomplish a wide variety of tasks at nCircle instead of sticking with one task throughout the term. I spent 4 months on the testing (QA) side of VERT, and 4 months on the dev side, giving me the opportunity to double-check vulnerability detection rules, and then write my own. I was worried that joining a team like VERT would make them hesitant to use me as a resource due to my comparative lack of knowledge, but thankfully that wasn't the case. I was given work just as challenging as the work I saw them doing, and although it may have taken me a little longer to complete since it was my first time doing it, they were patient enough to wait for me to get it done on my own without butting in and doing it for me. This provided me with a challenging environment (which I love!) giving me a chance to learn... and a chance to get tripped up by their constant quizzes: "Are you SURE it works like that? I already know the answer, but I won't tell you. Figure it out for yourself!"

After working in such a fast-paced environment, I'm not sure how I will be able to transition back to a classroom setting to complete the final 8 months of my Information Systems Security degree. One thing I do know is that the knowledge I've acquired while working on VERT for the last eight months has added more value to my degree than any other classroom semester to date.

Thanks VERT, thanks nCircle, have a great Holiday and see you next year!


--Michael Perklin (aka Steve the Intern)

About December 2007

This page contains all entries posted to VERT in December 2007. They are listed from oldest to newest.
