Dailydave mailing list archives

Re: Dailydave Digest, Vol 22, Issue 2


From: Brian Erdelyi <brian_erdelyi () yahoo com>
Date: Tue, 1 Mar 2005 16:59:08 -0800 (PST)


: I didn't try to be too narrow with my interpretation of Access Complexity, I think it's a great term.  One of my personal beefs is that some people neglect to differentiate between the level of access required to exploit the vulnerability.  If authentication is required, are admin/root privileges required to exploit it?  To exploit the vuln

but wait.. it doesn't get that detailed. your PDF modeled after their criteria just said "is authentication required". it doesn't say "is root required" or "administrative privs". it doesn't ask if i need admin privs on a phpBB installation vs admin privs on a cisco router. it doesn't distinguish between 'authentication' of a free WWWboard account or anything else. this is the first step to the system not adequately describing the risk of a vulnerability.

What I'm saying is that a system that attempts to
capture too much detail will be awkward.  CVSS does
account for "Access Complexity" where the response is
simply "high" or "low".  I believe this provides for
some flexibility in application.  I also believe that
the variables provide a fair basis for a common score.

: As with any scoring system there is potential for misuse and errors.  I created the calculator to illustrate how CVSS works and to do what-if scenarios.

as i mentioned in another mail to you, how do you classify a remote overflow? if you use the standard CIA measure, it is

CVSS is still maturing.  As more vulnerabilities are
"scored" and the model refined and elaborated on, it
should become easier to consistently score
vulnerabilities.

Anyone care to select 5 CVE vulns and compare how we
rate them?

Brian Erdelyi
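A small CVSS v1 base-score "what-if" calculator, added here as an illustration and not the calculator Brian describes. It uses the base-metric weights of the 2005 CVSS v1 formula as I understand them (an assumption, not stated in this mail), and the vulnerabilities it compares are constructed: a remote overflow with no authentication, and two bugs that differ only in what kind of account "authentication" buys (a free forum account versus router admin), which carry identical metric vectors and so get identical scores.

```python
# Added example: CVSS v1 base-score what-if calculator (not the mail's own code).
# Weights below are the 2005 CVSS v1 base-metric values as I recall them; treat
# them as an assumption and check against the spec before relying on them.

ACCESS_VECTOR = {"local": 0.7, "remote": 1.0}
ACCESS_COMPLEXITY = {"high": 0.8, "low": 1.0}      # the only "how hard" knob
AUTHENTICATION = {"required": 0.6, "not required": 1.0}  # yes/no, no privilege level
IMPACT = {"none": 0.0, "partial": 0.7, "complete": 1.0}
# Impact bias: "normal" weights C, I and A equally; naming one axis weights it 0.5.
BIAS = {
    "normal": (0.333, 0.333, 0.333),
    "confidentiality": (0.5, 0.25, 0.25),
    "integrity": (0.25, 0.5, 0.25),
    "availability": (0.25, 0.25, 0.5),
}


def base_score(av, ac, au, conf, integ, avail, bias="normal"):
    """CVSS v1 base score: 10 * AV * AC * Au * weighted CIA impact, 1 decimal."""
    cb, ib, ab = BIAS[bias]
    impact = IMPACT[conf] * cb + IMPACT[integ] * ib + IMPACT[avail] * ab
    raw = 10 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au] * impact
    return int(raw * 10 + 0.5) / 10  # round half up to one decimal place


# Constructed what-if scenarios (not real advisories). Note that the two
# "admin required" entries have identical vectors: CVSS v1 cannot tell a free
# WWWboard-style account apart from router admin, which is the objection above.
SCENARIOS = {
    "remote overflow, no auth": ("remote", "low", "not required",
                                 "complete", "complete", "complete"),
    "phpBB admin-only bug": ("remote", "low", "required",
                             "complete", "complete", "complete"),
    "Cisco router admin-only bug": ("remote", "low", "required",
                                    "complete", "complete", "complete"),
    "same bug, hard to exploit": ("remote", "high", "required",
                                  "complete", "complete", "complete"),
}


def compare_what_ifs(scenarios=SCENARIOS):
    """Score every scenario; returns {name: score} for side-by-side comparison."""
    return {name: base_score(*metrics) for name, metrics in scenarios.items()}


if __name__ == "__main__":
    for name, score in compare_what_ifs().items():
        print(f"{score:5.1f}  {name}")
```

The only metric that can separate the two "admin required" bugs is Access Complexity, and even that is a coarse high/low choice, so the privilege level an attacker needs has to be carried outside the score.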

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
