Vulnerability Management Scoring Systems
1. Vulnerability Scoring – Making sense of it all
Evert Smith - ZaCon09 – 21 November 2009
2. #index
• Ramblings
• Intro – days of yore
• CVSS – the beginning
• CVSS – the metrics
• Calculation Insight
• Vulnerability Investigation
3. #Caveat
Presentation is a result of:
- general curiosity
- thirst for anything historic
This is not:
- an attempt to find fault or suggest recommendations
5. #amygdala
• Fear overrules reason
• Amygdala vs Neocortex
• "Afraid of the dark"
7. #DaysofYore
1995
• Windows 3.1 Workgroup / 95 / NT4.0
• Solaris 2.3/2.4
• Linux Kernel: 1.1, 1.2
• Banyan Vines
• Bugtraq just began
8. #DaysofYore
- SATAN
- COPS
- ESM Omniguard (Axent Technologies)
- Nessus
- CyberCop (NA -> McAfee: circa 2000)
- NETRECON (Axent Technologies -> Symantec: circa 2000)
- ISS
- Qualys
9. #DaysofYore
• NIST – 1901
• CERT – DARPA 1988 after the Morris worm
• CVE – MITRE corporation (DHS, NCSD) 1999
• NVD - is synchronized with, and based on the CVE list
• CSD – NIST (2002)
11. ./NessusPlugin
MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Unspecified Remote Code Execution (958644)
Critical / CVSS Base Score : 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
12. #VendorScoringSystems
Microsoft Model
Low – exploitation difficult
Moderate – mitigating factors in place
Important – CIA compromised
Critical – worm type exploits
14. #Vulnerability
• Conditions == fail ++
– DoS
– Non-repudiation
– Impersonation
– Data destruction
– Exploiting an encryption system
15. ./CVSS the beginning
Existing scoring systems in 2003 were:
– Different
– Non-common metrics
– Internet centric
– No change over time
– No space for operational environments
16. #InitialPlan
Initial plan was to create a system which was:
– Open
– Comprehensive
– Interoperable
– Flexible
– Simple
17. #CVSSthebeginning
• Started July 2003 - Completed in January 2004 – released January 2005 on DHS website
• Objectives:
  • Understand the severity of vulnerabilities
  • Method to prioritize remediation efforts
  • Develop overall scoring method
18. #Participants
CVSS was a joint effort
• CERT/CC
• Cisco
• DHS/MITRE
• eBay
• IBM Internet Security Systems
• Microsoft
• Qualys
• Symantec
19. #CurrentCustodian
• The Forum of Incident Response and Security Teams (FIRST) sponsors and supports the Common Vulnerability Scoring System Special Interest Group (CVSS-SIG).
• The team – 36 people from Cisco, Unisys, MITRE, Lumeta, IBM, BB&T, nCircle, RedSeal, CERT/CC, NIST, Skybox, Tenable, Qualys
21. #WhatItsNot
Does colour really make us safe?
• CVSS is not a threat scoring system (DHS colour warning system),
• a vulnerability database or
• a real-time attack scoring system.
23. #Metrics
• Base Metric Group
– Access Vector
– Access Complexity
– Authentication
– Confidentiality Impact
– Integrity Impact
– Availability Impact
The metric group which captures the intrinsic nature of the vulnerability, independent of time and of the deploying environment
24. [Calculator screenshot: base, temporal and environmental metrics with example values selected]
Base metrics – Access Vector: selected value not recoverable from the slide (options Local / Adjacent / Network); Access Complexity: LOW (Low / Medium / High); Authentication: NOT-REQUIRED (None / Single / Multiple); Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: COMPLETE (each None / Partial / Complete); Impact Bias: AVAILABILITY – BASE SCORE 5.0
Temporal metrics – Exploitability: HIGH; Remediation Level: OFFICIAL-FIX; Report Confidence: CONFIRMED – TEMPORAL SCORE 4.4
Environmental metrics – Collateral Damage Potential: NONE; Target Distribution: HIGH – ENVIRONMENTAL SCORE 4.4
Vector shown: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
(Impact Bias is a CVSS v1 metric; v2 dropped it in favour of the environmental Confidentiality / Integrity / Availability Requirement metrics, so the selections above and the v2 vector string come from different versions of the calculator.)
26. #Sowehavenumbers?
How should the numbers drive us?
0-3 = No impact, wait for SP
4-5 = Next patch cycle
6-7 = Next 14 days
7-10 = ASAP – this week
(As written the buckets leave 3.x and 5.x unassigned and place 7.0 in two buckets; treat them as half-open ranges before automating on them.)
28. #conFicker
Official Bulletin:
A remote code execution vulnerability exists in the Server service on Windows systems. The vulnerability is due to the service not properly handling specially crafted RPC requests. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
29. #conFicker
The payload (extraction dropped the backslashes of the \x escapes; restored here):
    # Payload for Windows 2003 [SP2] target
    # Opens with the UTF-16LE string "A\..\..\" that reaches the path
    # canonicalisation bug; the rest are target-specific addresses
    # (0x77bb.. - 0x77bf.. range) and filler runs (0x43 / 0x44).
    payload_2 = '\x41\x00\x5c\x00'
    payload_2 += '\x2e\x00\x2e\x00\x5c\x00\x2e\x00'
    payload_2 += '\x2e\x00\x5c\x00\x0a\x32\xbb\x77'
    payload_2 += '\x8b\xc4\x66\x05\x60\x04\x8b\x00'
    payload_2 += '\x50\xff\xd6\xff\xe0\x42\x84\xae'
    payload_2 += '\xbb\x77\xff\xff\xff\xff\x01\x00'
    payload_2 += '\x01\x00\x01\x00\x01\x00\x43\x43'
    payload_2 += '\x43\x43\x37\x48\xbb\x77\xf5\xff'
    payload_2 += '\xff\xff\xd1\x29\xbc\x77\xf4\x75'
    payload_2 += '\xbd\x77\x44\x44\x44\x44\x9e\xf5'
    payload_2 += '\xbb\x77\x54\x13\xbf\x77\x37\xc6'
    payload_2 += '\xba\x77\xf9\x75\xbd\x77\x00\x00'
30. #conFicker
Mitigation (Server Service Vulnerability)
- To protect against external attackers – implement firewall rules to block RPC traffic (the bulletin's workaround is to block TCP 139 and 445 at the perimeter)
- On Vista – the attack only works if the attacker is authenticated
- Disable Server and Computer Browser service
31. #conFickerCVSS
Critical / CVSS Base Score : 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Code        Rating   New
AV          N        N
AC          L        L
AU          N        R
C           C        C
I           C        C
A           C        C
BASE SCORE  10       6
("New" column: the Vista case from slide 30, where the attacker must be authenticated.)