Vulnerability management scoring systems
Evert Smith, ZaCon 2009, http://www.zacon.org.za/Archives/2009/slides/ (transcript)
Making sense of it all
Evert Smith - ZaCon09 – 21 November 2009
Vulnerability Scoring
#index
• Ramblings
• Intro – days of yore
• CVSS – the beginning
• CVSS – the metrics
• Calculation Insight
• Vulnerability Investigation
#Caveat
Presentation is a result of:
- general curiosity
- thirst for anything historic
This is not:
- an attempt to find fault or suggest recommendations
#Bio
#amygdala
• Fear overrules reason
• Amygdala vs Neocortex
• “Afraid of the dark”
#DaysofYore
1995
• Windows 3.1 Workgroup / 95 / NT4.0
• Solaris 2.3/2.4
• Linux Kernel: 1.1, 1.2
• Banyan Vines
• Bugtraq just began
#DaysofYore
- SATAN
- COPS
- ESM Omniguard (Axent Technologies)
- Nessus
- CyberCop (NA -> McAfee: circa 2000)
- NETRECON (Axent Technologies -> Symantec: circa 2000)
- ISS
- Qualys
#DaysofYore
• NIST – 1901
• CERT – DARPA 1988 after the Morris worm
• CVE – MITRE corporation (DHS, NCSD) 1999
• NVD - is synchronized with, and based on the CVE list
• CSD – NIST (2002)
Everything American I see
#Didyouknow?
NVD contains:
39396 CVE Vulnerabilities
129 Checklists
183 US-CERT Alerts
2348 US-CERT Vuln Notes
2517 OVAL Queries
Last updated: 11/20/09
CVE Publication rate: 12 vulnerabilities / day
./NessusPlugin
MS08-067:
Microsoft Windows Server Service Crafted RPC Request Handling Unspecified Remote Code Execution (958644)
Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
#VendorScoringSystems
Microsoft Model
Low – exploitation difficult
Moderate – mitigating in place
Important – CIA compromised
Critical – worm type exploits
#Vulnerability
• Conditions == fail ++
– DoS
– Non-repudiation
– Impersonation
– Data destruction
– Exploiting an encryption system
./CVSS the beginning
Existing scoring systems in 2003 were:
– Different
– Non-common metrics
– Internet centric
– No change over time
– No space for operational environments
#InitialPlan
Initial plan was to create a system which was:
– Open
– Comprehensive
– Interoperable
– Flexible
– Simple
#CVSSthebeginning
• Started July 2003 - Completed in January 2004 – released January 2005 on DHS website
• Objectives:
• Understand the severity of vulnerabilities
• Method to prioritize remediation efforts
• Develop overall scoring method
#ParGcipants
CVSS was a joint effort
• CERT/CC • Cisco • DHS/MITRE • eBay • IBM Internet Security Systems
• Microsoft • Qualys • Symantec
#CurrentCustodian
• The Forum of Incident Response and Security Teams (FIRST) sponsors and supports the Common Vulnerability Scoring System-Special Interest Group (CVSS-SIG).
• The team – 36 people from Cisco, Unisys, MITRE, Lumeta, IBM, BB&T, nCircle, RedSeal, CERT/CC, NIST, Skybox, Tenable, Qualys
#Adopters
#WhatItsNot
• CVSS is not a threat scoring system (DHS colour warning system),
• a vulnerability database or
• a real-time attack scoring system.
Does colour really make us safe?
#CVSS – this is it
#Metrics
• Base Metric Group
– Access Vector
– Access Complexity
– Authentication
– Confidentiality Impact
– Integrity Impact
– Availability Impact
The metric which shows the intrinsic nature of the vulnerability
Access Vector: Local | Adjacent | Network
Access Complexity: High | Medium | Low
Authentication: Multiple | Single | None
Confidentiality Impact: None | Partial | Complete
Integrity Impact: None | Partial | Complete
Availability Impact: None | Partial | Complete
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Access Vector Value
Access Complexity LOW
Authentication NOT-REQUIRED
ConfidenGality Impact NONE
Integrity Impact NONE
Availability Impact COMPLETE
Impact Bias AVAILABILITY
BASE SCORE 5.0
Exploitability HIGH
Remediation Level OFFICIAL-FIX
Report Confidence CONFIRMED
TEMPORAL SCORE 4.4
Collateral Damage Potential NONE
Target Distribution HIGH
ENVIRONMENTAL SCORE 4.4
#Doh
#Sowehavenumbers?
How should the numbers drive us?
0-3 = No impact, wait for SP
4-5 = Next patch cycle
6-7 = Next 14 days
7-‐10 = ASAP – this week
#Say Nuts
#conFicker
Official Bulletin:
A remote code execution vulnerability exists in the Server service on Windows systems. The vulnerability is due to the service not properly handling specially crafted RPC requests. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
#conFicker
The payload:
#Payload for Windows 2003[SP2] target
payload_2='\x41\x00\x5c\x00'
payload_2+='\x2e\x00\x2e\x00\x5c\x00\x2e\x00'
payload_2+='\x2e\x00\x5c\x00\x0a\x32\xbb\x77'
payload_2+='\x8b\xc4\x66\x05\x60\x04\x8b\x00'
payload_2+='\x50\xff\xd6\xff\xe0\x42\x84\xae'
payload_2+='\xbb\x77\xff\xff\xff\xff\x01\x00'
payload_2+='\x01\x00\x01\x00\x01\x00\x43\x43'
payload_2+='\x43\x43\x37\x48\xbb\x77\xf5\xff'
payload_2+='\xff\xff\xd1\x29\xbc\x77\xf4\x75'
payload_2+='\xbd\x77\x44\x44\x44\x44\x9e\xf5'
payload_2+='\xbb\x77\x54\x13\xbf\x77\x37\xc6'
payload_2+='\xba\x77\xf9\x75\xbd\x77\x00\x00'
#conFicker
Mitigation (Server Service Vulnerability)
- To protect against external – implement firewall rules to block RPC traffic
- On Vista – the attack only works if the attacker is authenticated
- Disable Server and Computer Browser service
#conFickerCVSS
Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Code | Rating | New
AV | N | N
AC | L | L
AU | N | R
C | C | C
I | C | C
A | C | C
BASE SCORE | 10 | 6
./NessusPlugin - revisit
MS08-067: Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C) = 10
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P) = 10
(CVSS2#AV:N/AC:L/Au:R/C:C/I:C/A:C) = 6
(CVSS2#AV:N/AC:H/Au:R/C:C/I:C/A:C) = 4.8
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C) = 6
http://nvd.nist.gov/cvss.cfm?calculator
#Ponders
Does it tally?
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C) = 6
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C) = 3.3
Add ImpactBias = Weight Availability
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C) = 5
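The figures in the Metrics table (5.0 / 4.4 / 4.4) and in the Ponders and revisit slides (10, 6, 4.8, 3.3, 5) are what the CVSS v1 formulas produce, the scheme whose calculator carried the Impact Bias, Required/Not-Required and Target Distribution fields shown above. The calculator below is an added example, not code from the talk, from NVD or from FIRST; it assumes the slides' vector strings are read with AV:N as v1 "Remote" and Au:R as v1 "Required", and it reproduces both passages' numbers.

```python
from decimal import Decimal, ROUND_HALF_UP

D = Decimal
# CVSS v1 constants (the scheme with Impact Bias, Required/Not-Required
# authentication and Target Distribution, as on the slides' calculator output).
ACCESS_VECTOR = {"L": D("0.7"), "R": D("1.0")}        # Local / Remote
ACCESS_COMPLEXITY = {"H": D("0.8"), "L": D("1.0")}    # High / Low
AUTHENTICATION = {"R": D("0.6"), "N": D("1.0")}       # Required / Not required
IMPACT = {"N": D("0"), "P": D("0.7"), "C": D("1.0")}  # None / Partial / Complete
IMPACT_BIAS = {                                       # weights for (C, I, A)
    "NORMAL": (D("0.333"), D("0.333"), D("0.333")),
    "CONFIDENTIALITY": (D("0.5"), D("0.25"), D("0.25")),
    "INTEGRITY": (D("0.25"), D("0.5"), D("0.25")),
    "AVAILABILITY": (D("0.25"), D("0.25"), D("0.5")),
}
EXPLOITABILITY = {"UNPROVEN": D("0.85"), "POC": D("0.9"), "FUNCTIONAL": D("0.95"), "HIGH": D("1.0")}
REMEDIATION = {"OFFICIAL-FIX": D("0.87"), "TEMPORARY-FIX": D("0.90"), "WORKAROUND": D("0.95"), "UNAVAILABLE": D("1.0")}
CONFIDENCE = {"UNCONFIRMED": D("0.9"), "UNCORROBORATED": D("0.95"), "CONFIRMED": D("1.0")}
COLLATERAL = {"NONE": D("0"), "LOW": D("0.1"), "MEDIUM": D("0.3"), "HIGH": D("0.5")}
TARGET_DIST = {"NONE": D("0"), "LOW": D("0.25"), "MEDIUM": D("0.75"), "HIGH": D("1.0")}

def _round1(x):
    """Round half up to one decimal, as the calculator did (4.35 -> 4.4)."""
    return float(x.quantize(D("0.1"), rounding=ROUND_HALF_UP))

def base_score(av, ac, au, c, i, a, bias="NORMAL"):
    """v1 base: 10 * AV * AC * Au * (C*wC + I*wI + A*wA), weights from the bias."""
    wc, wi, wa = IMPACT_BIAS[bias]
    impact = IMPACT[c] * wc + IMPACT[i] * wi + IMPACT[a] * wa
    return _round1(10 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au] * impact)

def temporal_score(base, exploitability, remediation, confidence):
    """v1 temporal: base * E * RL * RC (5.0 with HIGH / OFFICIAL-FIX / CONFIRMED -> 4.4)."""
    return _round1(D(str(base)) * EXPLOITABILITY[exploitability]
                   * REMEDIATION[remediation] * CONFIDENCE[confidence])

def environmental_score(temporal, cdp, td):
    """v1 environmental: (T + (10 - T) * CDP) * TD (4.4 with NONE / HIGH -> 4.4)."""
    t = D(str(temporal))
    return _round1((t + (10 - t) * COLLATERAL[cdp]) * TARGET_DIST[td])

def score_vector(vector, bias="NORMAL"):
    """Score a slide-style string such as '(CVSS2#AV:N/AC:L/Au:R/C:C/I:C/A:C)'.
    Assumed mapping of the v2-looking letters onto v1: AV:N -> Remote, Au:R -> Required."""
    fields = dict(p.split(":") for p in vector.split("#")[-1].rstrip(")").split("/"))
    av = {"L": "L", "A": "R", "N": "R"}[fields["AV"]]
    return base_score(av, fields["AC"], fields["Au"], fields["C"], fields["I"], fields["A"], bias)
```

Scoring the same vector with bias="AVAILABILITY" is what the "Add ImpactBias = Weight Availability" step does, lifting the None/None/Complete vector from 3.3 to 5.0.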
#BUT
And when they've given you their all, some stagger and fall;
after all, it's not easy banging your heart against some mad bugger's wall