
| Subject: | Today's CVSS v2 Migration |
|---|---|
| Date: | Wed, 15 Aug 2007 12:38:08 -0400 |
As many of you are probably aware, we've been using CVSS scores for
nearly two years to assess the seriousness of vulnerabilities which
various plugins test for, and for several months we've been syncing our
scores with those published by NIST as part of their National
Vulnerability Database.
Last June, the CVSS SIG announced CVSS v2 to address some of the issues
in the original v1 scores and improve scoring granularity, and more
accurately reflect the seriousness of the vulnerabilities themselves.
Starting today, Tenable will migrate to the new scoring system in Nessus
as well as PVS, our Passive Vulnerability Scanner. The migration will
bring about some changes, which you might notice when you sync your
plugins after 3 pm EDT today.
First, the risk factors in plugin descriptions will look somewhat
different. For example, a v1 score such as this:
High / CVSS Base Score : 8
(AV:R/AC:H/Au:NR/C:C/I:C/A:C/B:N)
will appear in v2 as:
High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
[Note that some of the abbreviations used for the metrics changed across
v1 and v2.]
Second, changes in the scoring equation used for v2 will lead to changes
for *some* plugins in the risk factor, and hence the reporting
functions. This is largely a reflection of criticisms that v1
underweighted the importance of remotely-exploitable vulnerabilities.
The worst-case jump will occur for 14 plugins that currently have a risk
factor of Low but will change to High -- they are associated with
vulnerabilities that can be exploited remotely and without
authentication or any mitigating factors and lead to complete loss of
either confidentiality, integrity, or availability of an affected system
(think of an issue in which a single UDP packet can take down your border
router).
While we expect to handle a large portion of the migration today, there
are a number of plugins that we will have to re-score manually so don't
be surprised if you still see the older v1 scores after today -- we'll
rescore them as time permits.
If you have any questions about specific CVSS scores or the migration
process itself, feel free to contact me or Ron Gula,
rgula@tenablesecurity.com. You may also wish to visit some of the
following URLs to learn more about CVSS in general:
- Tenable's Earlier Announcement about CVSS v2
http://blog.tenablesecurity.com/2007/07/cvss-version-2-.html
- CVSS SIG homepage
http://www.first.org/cvss/
- NIST's National Vulnerability Database
http://nvd.nist.gov/
George
--
theall@tenablesecurity.com
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus