On any given day, my inbox is a flurry of activity that would make a January snow squall in Canada feel like a light breeze with the occasional flake. Like a snowflake, each email is unique but many share common themes. One of these themes is my favourite discussion topic: vulnerability scoring.
I was inspired to further discuss this issue after the POODLE vulnerability (CVE-2014-3566), which has a CVSSv2 score of 4.3 (for more on my thoughts on CVSSv2 scoring, see my past blog post, Does Anybody Really Care About Vulnerability Scoring).
CVSSv2 leaves a lot open to interpretation and while NVD has become the scoring standard for CVSSv2 scores, the analysts scoring issues often appear to disagree on scoring vectors. The vector for this vulnerability is AV:N/AC:M/Au:N/C:P/I:N/A:N.
That is to say…
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: None
- Availability Impact: None
If you were to dig through NVD, you’ll find many discrepancies with scoring. The two that stand out are Access Vector and Access Complexity, since this is where many of the discrepancies occur.
Access Vector has three possible options, at the simplest level:
- Local (L) – Requires local access to a system.
- Network Adjacent (A) – Requires the same subnet or segment.
- Network (N) – Requires remote (network) access.
Meanwhile, Access Complexity can be ranked high-low:
- High (H) – Specialized Conditions
- Medium (M) – Some Specialized Conditions
- Low (L) – No Specialized Conditions
When reading the original Poodle whitepaper, it strikes me that the Access Complexity is High, changing the vector to AV:N/AC:H/Au:N/C:P/I:N/A:N, which lowers the CVSSv2 score to a 2.6.This is the same score that CVE-2013-2566, the RC4 weakness when used in TLS/SSL, received.
Next, we have Access Vector and you’re saying, “But wait, Tyler! This has to be scored as Network.” I would argue that Network Adjacent is also an option. The Poodle whitepaper references a man-in-the-middle, and many MitM attacks on NVD are scored as Network Adjacent. Making this change, along with the one mentioned above changes the vector to AV:A/AC:H/Au:N/C:P/I:N/A:N, or a score of 1.8.
Now, we have a vulnerability that arguably has a score somewhere between 1.8 and 4.3. So, based on the official NVD score, this vulnerability would cause a PCI ASV Scan to fail, but if you were to make any changes to the score, you’d have to rely on some of the special conditions of ASV scanning to catch this because it wouldn’t fall into the “any vulnerability scoring above a 4.0 is a failure” requirement.
This all happens because CVSSv2, like most scoring systems, oversimplifies the criteria. FIRST is currently looking to remedy this with CVSSv3 (a preview of the updated metrics is available from the CVSS v3 Development site). Scoring systems that try to be accessible to the masses will always have this issue; a few boilerplate options will never generate a result that satisfies everyone.This is true for CVSS, Tripwire’s IP360 Scoring and a number of other scoring systems.
It all comes down to defining the best criteria to be useful to the end user. If we were to score the POODLE vulnerability with IP360, the score would look like this:
- Scoring Algorithm: floor(sqrt(time) * (risk! / skill^2))
- Time == Today – 10/14/14 = 11/19/14 – 10/14/14 = 36
- Risk == Local Access == 2
- Skill == Extremely Difficult = 5
- Score = floor(sqrt(36) * (2! / 5^2))
- Score = floor(6 * (2/25))
- Score = floor(0.48)
- Score = 0
So, we end up with a low CVSS score and a low IP360 score. Why did it get so much attention?
This is a widespread issue and one that needs to be fixed, but a lot of this can be chalked up to what I call “hype-based scoring.” Those in the security community often lose sight of the end user impact of a vulnerability and while POODLE is definitely a flaw that puts systems at risk, it doesn’t have the ease of use that many regularly exploited issues have.
The industry and media hype have really caused the desire to fix this issue to increase. Instead, look at MS14-066, which hasn’t seen nearly as much public discussion as POODLE. It introduces a lot more risk, with a CVSS Score of 10.0 and an IP360 score of 2036. When you compare the two, MS14-066 vs POODLE, it becomes clear where the patch priority exists and this is where the value of a scoring system becomes evident.
Over the next few weeks, I plan to cover additional topics on scoring as part of this series. If there’s a topic you’d like to see discussed, I’d be more than happy to share my opinions, simply drop a comment below.