Re: Exploits matter.

[security curmudgeon <jericho () attrition org>]

On Thu, 8 Oct 2009, Tom Parker wrote:

: > Ten thousand or not, I cannot download the exploit from Immunity's web
: > site, milw0rm or anywhere else, correct? To me, and to OSVDB who tracks
: > that metric, that is flagged as 'rumored/private'.
: 
: > Can our industry really put a numeric line on public vs private in the
: > scenario you describe? Do 9,999 CANVAS customers = private, but 10,000
: > CANAVAS customers = public?
: 
: While I understand the challenge of verifying the existence and nature 
: of commercial exploitation tools, down playing exploits by databases 
: like OSVDB is damaging to the industry and is creating a false sense of 

How exactly does OSVDB 'downplay' exploits using the current 
classification system? We're the only VDB to even say "an exploit likely 
exists, even though not public" which should be the opposite of 
downplaying.

If you have a good answer to that, how can we improve the classification 
system to more accurately track such metrics, without causing a problem?

: security amongst organizations - especially those who charge their 
: security programs to vanilla CISSP's. Case in point - large company runs 
: an automated scanner over their network on a monthly basis, which 
: regularly finds flaws. They prioritize remediation of findings based on 
: CVSS scores, which have been calculated in part through utilizing data 
: from OSVDB. Days, months, weeks later the organization is 
: attacked/audited by a group who paid/stole/borrowed a copy of 
: Canvas/Core/et al. Organization gets owned.

First, we display CVSS scores as calculated by NVD if there is a CVE 
assignment. We will calculate our own scores if we a) disagree or b) have 
an entry w/o a CVE.

Either way, I don't quite follow the logic above, as applies to how OSVDB 
(or any VDB) is doing wrong or contributing to the problem.

: The past two VzB data breach reports have demonstrated a trend, that a 
: large number of compromises (around 70% if memory serves), resulted from 
: exploitation of vulnerabilities that at time of compromise had been 
: patched by the vendor for a year or more. I'm not sure how you would go 
: about obtaining this kind of data (or indeed how VzB gets their data), 

They get their data from their own clients, based on forensic examination 
post-compromise.

: but it would be an interesting metric to see how many of those 
: known/vendor-patched issues had been neglected/de-prioritized due to 
: misconceptions about their level of exploitability.

That would be a really neat addition to the report next year.

: It would indeed be a good thing if Immunity et al would publish some 
: kind of unified database of their proprietary exploits, mapped to CVE-ID 
: etc, but I'm not sure if it's their responsibility to do so. IMO, the 

I'd love for them to use CVE or another VDB to do just that. They have 
absolutely zero responsibility to do it, and it has a bigger chance of 
hurting them than helping them (see my previous post about disclosing your 
0-day).

: scanning vendors, Qualys, Rapid7, nCircle etc are missing a trick if 
: they aren't buying themselves a copy of CANVAS and ensuring that when 
: their scanner finds a vulnerability supported by it [CANVAS], they are 
: providing users a CVSS score based on the fact that they have 
: independently verified the existence of robust exploit code for the 
: respective vuln.

I believe many of these products have licenses that prevent reverse 
engineering. If a company like the ones you mention above were to obtain 
a copy, they would be violating the licensing and possibly the law. If a 
scanner had a consistent pattern of adding checks that mirrored an 
exploit framework, it would be pretty easy for them to be called out.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave