SOLDIERX.COM Nobody Can Stop Information Insemination

Posted by Adam Shostack on Jan 10

I'm sorry, but I need to rant a little.

A decade back, I wrote a "DREAD is DEAD, please stop" blog post for
Microsoft. If you are getting consistent scoring out of DREAD, you
are not using DREAD (as described in Writing Secure Code 1, which I
think is the first public description).

You are using some derivitive that adds tools to provide for
that consistency. Those tools may be as simple as a set of examples
of each of the...

Posted by Monroe, Bruce on Jan 10

Uh no. CVSS scores a vulnerability and if it’s a vendor we’re scoring that without knowing how you have the vulnerable
software/firmware/hardware/ect deployed in your environment. It’s why the CVSS Base Score is worst case. The resulting
CVSS V3 vulnerability score is one element you can then calculate into your overall risk factoring. It’s the orgs job
consuming the CVSS V3x vulnerability score to determine their risk and set their...

Posted by Thierry Zoller on Jan 10

CVSS needs to be embedded as a parameter/criteria in a Risk Evaluation;
it is not a risk indicator in itself and should not be used for patch
prioritisation in itself.

The importance of the asset (business process it supports, revenue
generated by adjacent processes etc.) .i.e the "criticality"[1] of an
asset needs to be taken into account when risk scoring and prioritising
remediation.

[1] Of course other factors like for example...

Posted by Eric Schultz on Jan 10

CVSS' greatest attribute is that it lets assessors fudge the numbers to
make assessors happy and gives risk people some kind of industry standard
document/organization attesting to the risk. Everyone wins.

It's only when people start asking (valid) questions where things fall
apart.

There are two other scoring systems I haven't seen referenced much: NIST's
CMSS and Mitre's CWSS. May be worth checking out if you're...

Posted by Dave Aitel on Jan 10

Ok, so half of FIRST or the CVSS team is angry at me for my tweets about
the examples on FIRST.com being wrong. But here, in general, is a common
issue I see with CVSS scores in our deliverables, that I try to correct,
although admittedly I'm not an expert at CVSS itself.

The issue is simplified to: If an SQLi exists, how does that rank for the
CVSS Confidentiality, Integrity, and Availability sections. Like, here's an
example:...

Posted by Adrian Sanabria on Jan 10

Okay, we keep touching on this point, that CVSS isn't intended to score
risk, just vulnerability severity. I'm having a hard time seeing what value
there is in having a vulnerability score that doesn't reflect risk. What
use does it have?

Or is that exactly what we're saying? That since it doesn't reflect risk,
it's essentially useless. If that's the conclusion, I'm on the same page.

--Adrian

Posted by Adrian Sanabria on Jan 10

Our pentesters use DREAD, which I think most people have moved on from, but
at least the scoring is clear and consistent.

In addition to CVE being wrong on critical details, I've found that most of
ExploitDB isn't exploits. Many are vulnerability checks and almost all are
incorrectly entered. PrivEsc will be labeled RCE and RCE will be labeled
DoS. It's all a mess. If I had the resources to burn it all down and start
from scratch,...

Posted by toby on Jan 10

I'm going to nitpick this. Not because your complaints about CVSS are bad,
just that they are unsupported and insufficiently explained.

A. I have been smacking people who try to pretend that qualitative
measurements are made better by wrapping them in numbers for 15 years. I
completely agree.

Second. We use numbers to represent qualitative values to enable reasoning.
You can't multiply High * Medium * Low but you can multiply 5 * 3 *...

Posted by Adrian Sanabria on Jan 10

CVSS is useful, but not in isolation.

Let me back up a bit. Apologies, but I'm going to rant a bit and mention my
employer. Not because I want to shill product, but because this issue is
the entire reason I joined this vendor in the first place. I had offers for
a lot more money elsewhere, but this problem pisses me off and I want to
take a stab at solving it before I get old(er) and cranky(ier) and give
this industry the finger for good....

Posted by Wim Remes on Jan 10

Hi,

Bruce really hits the nail on the head here. CVSS != Risk. To broaden that discussion and not waste too many words,
I’ll reference FAIR (Factor Analysis of Information Risk, https://www.fairinstitute.org/what-is-fair
<https://www.fairinstitute.org/what-is-fair>) to indicate where “Vulnerability” contributes to an eventual quantitative
risk valuation.

I also always considered CVSS scoring to be qualitative instead of...

Posted by SEC Consult Vulnerability Lab on Jan 09

SEC Consult Vulnerability Lab Security Advisory < 20190109-0 >
=======================================================================
title: Multiple Vulnerabilities
product: Cisco VoIP Phones, e.g. models 88XX
vulnerable version: See list of vulnerable devices/firmwares below
fixed version: 12.5.1 MN
CVE number: CVE-2018-0461
impact: high
homepage: https://www.cisco.com...

Posted by Qualys Security Advisory on Jan 09

Qualys Security Advisory

System Down: A systemd-journald exploit

========================================================================
Contents
========================================================================

Summary
CVE-2018-16864
- Analysis
- Exploitation
CVE-2018-16865
- Analysis
- Exploitation
CVE-2018-16866
- Analysis
- Exploitation
Combined Exploitation of CVE-2018-16865 and CVE-2018-16866
- amd64 Exploitation
- i386...

Posted by SEC Consult Vulnerability Lab on Jan 09

SEC Consult Vulnerability Lab Security Advisory < 20190109-0 >
=======================================================================
title: Multiple Vulnerabilities
product: Cisco VoIP Phones, e.g. models 88XX
vulnerable version: See list of vulnerable devices/firmwares below
fixed version: 12.5.1 MN
CVE number: CVE-2018-0461
impact: high
homepage: https://www.cisco.com...

Posted by Moritz Muehlenhoff on Jan 08

-------------------------------------------------------------------------
Debian Security Advisory DSA-4364-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
January 08, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : ruby-loofah
CVE ID : CVE-2018-16468

It was...

Posted by Moritz Muehlenhoff on Jan 08

-------------------------------------------------------------------------
Debian Security Advisory DSA-4363-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
January 08, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : python-django
CVE ID : CVE-2019-3498

It was...

Posted by Nathaniel Ferguson on Jan 08

Over the years I've worked at a few different consultancies and at least originally basically no one used any sort of
standardized metric, the reports were generally humorous from a technical standpoint as the numbers were basically just
made up and didn't adhere to even basic statistics methodologies-- we take the X and multiple it by Y and add the Z and
there's your score! Some even plotted them along cartoon looking graphs...

Posted by Monroe, Bruce on Jan 08

Hi Dave,

I participate on the CVSS SIG being ran out of FIRST that is working on improvements to CVSS. So do a number of people
out of CERT CC, NIST, MITRE along with a good representation of industry. A number of us provided feedback on this
paper. CVSS is for scoring the severity of a vulnerability. CVSS does not = Risk.

My understanding is there is a number of government entities that believe CVSS does = Risk and are using it in a vacuum...

Posted by Konrads Smelkovs on Jan 08

The question is not whether it is a bad metric, but whether it is a useful
one.

As a lurker on the first.org mailing list for CVSSv3 SIG, I can assure you
that there are a lot of discussions about edge cases etc. v3 is a
meaningful improvement over v2. So far, CVSS has allowed industry broadly
to triage security issues and decide if something can be addressed in next
image refresh or something that needs to be done now as an emergency, out
of...

Posted by Sahil Dhar on Jan 08

Hello all,

I would like to inform you about the Remote Command & Code Injection
vulnerabilities found in Wifi-soft's Unibox Controllers.

Name: Remote Code Injection in Wifi-soft's Unibox Controllers
Affected Software: Unibox Controller
Affected Versions: 0.x - 2.x
Homepage: https://wifi-soft.com/unibox-controller/
Vulnerability: Remote Code Injection
Severity: Critical
Status: Not Fixed
CVSS Score (3.0):...

Posted by Jaroslav Lobačevski on Jan 08

Aspose.ZIP for .NET was vulnerable to path traversal that allowed an
attacker overwriting arbitrary file in a context of running application.
The issue was fixed in version 19.1.0.

Timeline:
04-10-2018 - Issue found and reported by email without reply.
10-10-2018 - Successfully reported in a private Aspose forum conversation
12-11-2018 - Vendor confirms that issue was fixed and will be released with
18.11.0
21-11-2018 - 18.11.0 is released...