Today's CVSS v2 Migration
2007-08-15 11:38:08
As many of you are probably aware, we've been using CVSS scores for nearly two years to assess the seriousness of vulnerabilities which various plugins test for, and for several months we've been syncing our scores with those published by NIST as part of their National Vulnerability Database.

Last June, the CVSS SIG announced CVSS v2 to address some of the issues in the original v1 scores, improve scoring granularity, and more accurately reflect the seriousness of the vulnerabilities themselves. Starting today, Tenable will migrate to the new scoring system in Nessus as well as PVS, our Passive Vulnerability Scanner. The migration will bring about some changes, which you might notice when you sync your plugins after 3 pm EDT today.

First, the risk factors in plugin descriptions will look somewhat different. For example, a v1 score such as this:

   High / CVSS Base Score : 8
   (AV:R/AC:H/Au:NR/C:C/I:C/A:C/B:N)

will appear in v2 as:

   High / CVSS Base Score : 9.3
   (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

[Note that some of the abbreviations used for the metrics changed between v1 and v2.]

Second, changes in the scoring equation used for v2 will lead to changes for *some* plugins in the risk factor, and hence the reporting functions. This is largely a reflection of criticisms that v1 underweighted the importance of remotely-exploitable vulnerabilities. The worst-case jump will occur for 14 plugins that currently have a risk factor of Low but will change to High -- they are associated with vulnerabilities that can be exploited remotely, without authentication or any mitigating factors, and lead to complete loss of either confidentiality, integrity, or availability of an affected system (think of an issue in which a single UDP packet can take down your border router).

While we expect to handle a large portion of the migration today, there are a number of plugins that we will have to re-score manually, so don't be surprised if you still see the older v1 scores after today -- we'll rescore them as time permits.

If you have any questions about specific CVSS scores or the migration process itself, feel free to contact me or Ron Gula, rgula@tenablesecurity.com. You may also wish to visit some of the following URLs to learn more about CVSS in general:

   - Tenable's Earlier Announcement about CVSS v2
     http://blog.tenablesecurity.com/2007/07/cvss-version-2-.html

   - CVSS SIG homepage
     http://www.first.org/cvss/

   - NIST's National Vulnerability Database
     http://nvd.nist.gov/


George
-- 
theall@tenablesecurity.com
_______________________________________________
Nessus-announce mailing list
Nessus-announce@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus-announce
