Vulnerability Management Scoring Systems
Transcript of Vulnerability Management Scoring Systems
Making sense of it all
Evert Smith - ZaCon09 - 21 November 2009
Vulnerability Scoring
#index
• Ramblings
• Intro - days of yore
• CVSS - the beginning
• CVSS - the metrics
• Calculation Insight
• Vulnerability Investigation
#Caveat
Presentation is a result of:
- general curiosity
- thirst for anything historic
This is not:
- an attempt to find fault or suggest recommendations
#Bio
#amygdala
• Fear overrules reason
• Amygdala vs Neocortex
• “Afraid of the dark”
#DaysofYore
1995
• Windows 3.1 Workgroup / 95 / NT4.0
• Solaris 2.3/2.4
• Linux Kernel: 1.1, 1.2
• Banyan Vines
• BugTraq just began
#DaysofYore
- SATAN
- COPS
- ESM Omniguard (Axent Technologies)
- Nessus
- CyberCop (NA -> McAfee: circa 2000)
- NETRECON (Axent Technologies -> Symantec: circa 2000)
- ISS
- Qualys
#DaysofYore
• NIST - 1901
• CERT - DARPA, 1988, after the Morris worm
• CVE - MITRE Corporation (DHS, NCSD), 1999
• NVD - is synchronized with, and based on, the CVE list
• CSD - NIST (2002)
Everything American, I see
#Didyouknow?
NVD contains:
- 39396 CVE Vulnerabilities
- 129 Checklists
- 183 US-CERT Alerts
- 2348 US-CERT Vuln Notes
- 2517 OVAL Queries
Last updated: 11/20/09
CVE Publication rate: 12 vulnerabilities / day
./NessusPlugin
MS08-067:
Microsoft Windows Server Service Crafted RPC Request Handling Unspecified Remote Code Execution (958644)
Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
#VendorScoringSystems
Microsoft Model
Low - exploitation difficult
Moderate - mitigation in place
Important - CIA compromised
Critical - worm type exploits
#Vulnerability
• Conditions == fail ++
- DoS
- Non-repudiation
- Impersonation
- Data destruction
- Exploiting an encryption system
./CVSS the beginning
Existing scoring systems in 2003 were:
- Different
- Non-common metrics
- Internet centric
- No change over time
- No space for operational environments
#InitialPlan
Initial plan was to create a system which was:
- Open
- Comprehensive
- Interoperable
- Flexible
- Simple
#CVSSthebeginning
• Started July 2003 - completed in January 2004 - released January 2005 on the DHS website
• Objectives:
  • Understand the severity of vulnerabilities
  • Method to prioritize remediation efforts
  • Develop overall scoring method
#Participants
CVSS was a joint effort
• CERT/CC
• Cisco
• DHS/MITRE
• eBay
• IBM Internet Security Systems
• Microsoft
• Qualys
• Symantec
#CurrentCustodian
• The Forum of Incident Response and Security Teams (FIRST) sponsors and supports the Common Vulnerability Scoring System Special Interest Group (CVSS-SIG).
• The team - 36 people from Cisco, Unisys, MITRE, Lumeta, IBM, BB&T, nCircle, RedSeal, CERT/CC, NIST, Skybox, Tenable, Qualys
#Adopters
#WhatItsNot
CVSS is not:
• a threat scoring system (DHS colour warning system),
• a vulnerability database, or
• a real-time attack scoring system.
Does colour really make us safe?
#CVSS – this is it
#Metrics
• Base Metric Group
- Access Vector
- Access Complexity
- Authentication
- Confidentiality Impact
- Integrity Impact
- Availability Impact
The metric group that captures the intrinsic nature of the vulnerability
| Metric | Possible values | | |
|---|---|---|---|
| Access Vector | Local | Adjacent | Network |
| Access Complexity | High | Medium | Low |
| Authentication | Multiple | Single | None |
| Confidentiality Impact | None | Partial | Complete |
| Integrity Impact | None | Partial | Complete |
| Availability Impact | None | Partial | Complete |

CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

| Metric | Value |
|---|---|
| Access Vector | |
| Access Complexity | LOW |
| Authentication | NOT-REQUIRED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | COMPLETE |
| Impact Bias | AVAILABILITY |
| BASE SCORE | 5.0 |
| Exploitability | HIGH |
| Remediation Level | OFFICIAL-FIX |
| Report Confidence | CONFIRMED |
| TEMPORAL SCORE | 4.4 |
| Collateral Damage Potential | NONE |
| Target Distribution | HIGH |
| ENVIRONMENTAL SCORE | 4.4 |
#Doh
#Sowehavenumbers?
How should the numbers drive us?
0-3 = No impact, wait for SP
4-5 = Next patch cycle
6-7 = Next 14 days
7-10 = ASAP - this week
#Say Nuts
#conFicker
Official Bulletin:
A remote code execution vulnerability exists in the Server service on Windows systems. The vulnerability is due to the service not properly handling specially crafted RPC requests. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
#conFicker
The payload: #Payload for Windows 2003[SP2] target
#conFicker
Mitigation (Server Service Vulnerability)
- To protect against external attack, implement firewall rules to block RPC traffic
- On Vista, the attack only works if the attacker is authenticated
- Disable the Server and Computer Browser services
#conFickerCVSS
Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

| Code | Rating | New |
|---|---|---|
| AV | N | N |
| AC | L | L |
| AU | N | R |
| C | C | C |
| I | C | C |
| A | C | C |
| BASE SCORE | 10 | 6 |
./NessusPlugin - revisit
MS08-067: Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C) = 10
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P) = 10
(CVSS2#AV:N/AC:L/Au:R/C:C/I:C/A:C) = 6
(CVSS2#AV:N/AC:H/Au:R/C:C/I:C/A:C) = 4.8
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C) = 6
http://nvd.nist.gov/cvss.cfm?calculator
#Ponders
Does it tally?
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C) = 6
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C) = 3.3
Add Impact Bias = weight Availability
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C) = 5
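The reason the calculator figures on the last two slides do not tally is that "Au:R" and "Impact Bias" are CVSS v1 metrics, while the Nessus 10.0 is a CVSS v2 base score. The added example below (not part of the presentation) implements both base-score equations, with the v1 (2005) and v2 (2007) weights as recalled from the published specifications, and runs the MS08-067 vectors through each: v1 reproduces the 6, 3.3 and 5 on the slides, v2 gives 9.0 and 7.8 for the same vectors and has no bias metric at all.

```python
# Added example, not code from the presentation: CVSS v1 and v2 base-score
# equations (weights as recalled from the specs) applied to the MS08-067 vectors.
V2 = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "CIA": {"N": 0.0, "P": 0.275, "C": 0.660},
}
# v1 knows only Local/Remote, High/Low, Required/Not-required, plus an Impact Bias.
V1 = {
    "AV": {"L": 0.7, "N": 1.0},
    "AC": {"H": 0.8, "L": 1.0},
    "Au": {"R": 0.6, "N": 1.0},
    "CIA": {"N": 0.0, "P": 0.7, "C": 1.0},
}
BIAS = {"N": (0.333, 0.333, 0.333), "C": (0.5, 0.25, 0.25),
        "I": (0.25, 0.5, 0.25), "A": (0.25, 0.25, 0.5)}

def parse_vector(vector):
    """'(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)' -> {'AV': 'N', ..., 'A': 'C'}."""
    body = vector.split("#", 1)[-1].strip("() ")
    metrics = dict(part.split(":", 1) for part in body.split("/"))
    missing = {"AV", "AC", "Au", "C", "I", "A"} - set(metrics)
    if missing:
        raise ValueError(f"vector is missing {sorted(missing)}")
    return metrics

def cvss2_base(vector):
    """CVSS v2: impact and exploitability sub-scores, 1.176 factor, no bias."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - V2["CIA"][m["C"]]) * (1 - V2["CIA"][m["I"]]) * (1 - V2["CIA"][m["A"]]))
    exploitability = 20 * V2["AV"][m["AV"]] * V2["AC"][m["AC"]] * V2["Au"][m["Au"]]
    f_impact = 0 if impact == 0 else 1.176   # a vector with no impact scores 0.0
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)

def cvss1_base(vector, bias="N"):
    """CVSS v1: 10 * AV * AC * Au * bias-weighted sum of the C, I, A impacts."""
    m = parse_vector(vector)
    cb, ib, ab = BIAS[bias]
    weighted = V1["CIA"][m["C"]] * cb + V1["CIA"][m["I"]] * ib + V1["CIA"][m["A"]] * ab
    return round(10 * V1["AV"][m["AV"]] * V1["AC"][m["AC"]] * V1["Au"][m["Au"]] * weighted, 1)

if __name__ == "__main__":
    full = "(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)"   # MS08-067 as scored by NVD
    print(cvss2_base(full), cvss1_base(full))                      # 10.0 10.0
    print(cvss2_base("AV:N/AC:L/Au:S/C:C/I:C/A:C"),
          cvss1_base("AV:N/AC:L/Au:R/C:C/I:C/A:C"))                # 9.0 6.0
    avail = "AV:N/AC:L/Au:N/C:N/I:N/A:C"
    print(cvss1_base(avail), cvss1_base(avail, "A"))              # 3.3 5.0
```

Note that the v1 calculator on the "Say Nuts" slide also reports 5.0 for the availability-only vector with Impact Bias set to AVAILABILITY, which the bias="A" call reproduces.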
#BUT
And when they've given you their all
Some stagger and fall
After all it's not easy
Banging your heart against some mad bugger's wall