Full Disclosure mailing list archives
Re: When is it valid to claim that a vulnerability leads to a remote attack?
From: James Matthews <nytrokiss () gmail com>
Date: Sun, 11 Oct 2009 20:18:33 -0400
If you classify a remote bug (anything that can be exploited remotely) then you are classifying all bugs (you can use a privilege escalation exploit remotely) I agree with Thor, anything that exploits a remote service (HTTP,FTP Etc..) without any user interaction. On Sun, Oct 11, 2009 at 12:54 AM, Thor (Hammer of God) <thor () hammerofgod com
wrote:
I think we can agree that yes, it is remotely exploitable and as such should be categorized as "remote" in Risk/Impactt scoring systems ? Does anybody disagree ? I'd be interested to hear your point of view.Hey Thierry - I hope all is well... I'm happy to include "user assisted remote exploitation" as a "remote" vulnerability in academic conversations, but I don't categorize it as "remote" when assessing overall risk to a particular threat in production environments. Like everyone else, my TMs include impact and skill required to exploit a particular vulnerability; but they also include "likelihood of exploitation." While that may sound like a wildcard metric, I quantify it by applying the internal controls in place that may mitigate a particular attack. In "my" networks (networks I control, design, or consult for) most users couldn't execute [common] exploits even if they wanted to. I won't bore you with the controls I deploy as I'm confident you are well aware of the options one has, but the fact they exist at all place "user assisted remote exploits" in a different category for me when assessing risk. When the propensity for a vulnerability to be exploited lies in a particular user's response to any given trigger, as opposed to any authoritative in-place controls to mitigate exposure, then a model's relevant response options are greatly diminished (IMO). As such, I choose to categorize "remote" exploits as those that may be executed against a given host that is autonomously running a [vulnerable] service that can be connected to by some (any) other network client, device, or service for the purposes of ascertaining overall risk. t _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-- http://www.goldwatches.com
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- When is it valid to claim that a vulnerability leads to a remote attack? Jonathan Leffler (Oct 08)
- Re: When is it valid to claim that a vulnerability leads to a remote attack? Thierry Zoller (Oct 09)
- Re: When is it valid to claim that a vulnerability leads to a remote attack? Valdis . Kletnieks (Oct 09)
- Message not available
- Re: When is it valid to claim that a vulnerability leads to a remote attack? Thierry Zoller (Oct 10)
- Re: When is it valid to claim that a vulnerability leads to a remote attack? Thor (Hammer of God) (Oct 10)
- Re: When is it valid to claim that a vulnerability leads to a remote attack? James Matthews (Oct 11)
- Re: When is it valid to claim that a vulnerability leads to a remote attack? Jeremy Brown (Oct 11)
- Re: When is it valid to claim that a vulnerability leads to a remote attack? Paul Schmehl (Oct 11)
- Re: When is it valid to claim that a vulnerability leads to a remote attack? Thor (Hammer of God) (Oct 11)
- Re: [-SPAM-] Re: When is it valid to claim that a vulnerability leads to a remote attack? Thierry Zoller (Oct 12)
- Re: When is it valid to claim that a vulnerability leads to a remote attack? Valdis . Kletnieks (Oct 09)
- Re: When is it valid to claim that a vulnerability leads to a remote attack? Thierry Zoller (Oct 09)