Dailydave mailing list archives
Re: Dailydave Digest, Vol 22, Issue 2
From: Brian Erdelyi <brian_erdelyi () yahoo com>
Date: Tue, 1 Mar 2005 16:59:08 -0800 (PST)
: I didn't try to be too narrow with my interpretation of Access
: Complexity, I think it's a great term. One of my personal beefs is that
: some people neglect to differentiate between the level of access
: required to exploit the vulnerability. If authentication is required,
: are admin/root privileges required to exploit it? To exploit the vuln

but wait.. it doesn't get that detailed. your PDF modeled after their criteria just said "is authentication required". it doesn't say "is root required" or "administrative privs". it doesn't ask if i need admin privs on a phpBB installation vs admin privs on a cisco router. it doesn't distinguish between 'authentication' of a free WWWboard account or anything else. this is the first step to the system not adequately describing the risk of a vulnerability.
What I'm saying is that a system that attempts to capture too much detail will be awkward. CVSS does account for "Access Complexity" where the response is simply "high" or "low". I believe this provides for some flexibility in application. I also believe that the variables provide a fair basis for a common score.
: As with any scoring system there is potential for
: misuse and errors. I created the calculator to
: illustrate how CVSS works and to do what-if scenarios.
as i mentioned in another mail to you, how do you classify a remote overflow? if you use the standard CIA measure, it is
CVSS is still maturing. As more vulnerabilities are "scored" and the model refined and elaborated on, it should become easier to consistently score vulnerabilities. Anyone care to select 5 CVE vulns and compare how we rate them?

Brian Erdelyi
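To make the disagreement above concrete, here is an added example (not Brian's calculator and not part of the thread): a small CVSS v1 base-score calculator that scores the "remote overflow" asked about and two admin-only bugs. The metric weights and formula are written from memory of the 2005 CVSS v1 specification, so treat them as an assumption to be checked against the spec; the scenario names and metric choices are constructed for illustration.

```python
# Added example: minimal CVSS v1 base-score calculator.
# Weights and formula are reproduced from memory of the 2005 CVSS v1 spec
# (assumption; verify against the spec before relying on the numbers).

# Base-metric weights (CVSS v1).
ACCESS_VECTOR = {"local": 0.7, "remote": 1.0}
ACCESS_COMPLEXITY = {"high": 0.8, "low": 1.0}
AUTHENTICATION = {"required": 0.6, "not_required": 1.0}
IMPACT = {"none": 0.0, "partial": 0.7, "complete": 1.0}
# Impact bias: "normal" weights C/I/A equally; naming one property
# shifts half of the weight onto it.
IMPACT_BIAS = {
    "normal": (0.333, 0.333, 0.333),
    "confidentiality": (0.5, 0.25, 0.25),
    "integrity": (0.25, 0.5, 0.25),
    "availability": (0.25, 0.25, 0.5),
}


def base_score(av, ac, au, conf, integ, avail, bias="normal"):
    """CVSS v1 base score, rounded to one decimal (0.0 .. 10.0)."""
    cb, ib, ab = IMPACT_BIAS[bias]
    impact = IMPACT[conf] * cb + IMPACT[integ] * ib + IMPACT[avail] * ab
    raw = 10 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au] * impact
    return round(raw, 1)


# Constructed scenarios illustrating the two points argued in the thread.
SCENARIOS = {
    # The "remote overflow" asked about: remote, easy, no auth, full C/I/A.
    "remote overflow": ("remote", "low", "not_required", "complete", "complete", "complete"),
    # Same flaw, but the attacker must first authenticate.
    "remote overflow, login needed": ("remote", "low", "required", "complete", "complete", "complete"),
    # Two admin-only bugs: the Authentication metric is binary, so a
    # phpBB admin precondition and a router admin precondition score the same.
    "phpBB admin-only bug": ("remote", "high", "required", "partial", "partial", "partial"),
    "router admin-only bug": ("remote", "high", "required", "partial", "partial", "partial"),
}


def score_all(scenarios=SCENARIOS):
    """Return {scenario name: base score} for every scenario."""
    return {name: base_score(*metrics) for name, metrics in scenarios.items()}


if __name__ == "__main__":
    for name, score in score_all().items():
        print(f"{score:4.1f}  {name}")
```

The identical scores for the two admin-only bugs are exactly what the "is root required" objection above is pointing at; the model only records that some authentication is needed.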