As many of you are probably aware, we've been using CVSS scores for
nearly two years to assess the seriousness of vulnerabilities which
various plugins test for, and for several months we've been syncing our
scores with those published by NIST as part of their National
Vulnerability Database.
Last June, the CVSS SIG announced CVSS v2 to address some of the issues
in the original v1 scores and improve scoring granularity, and more
accurately reflect the seriousness of the vulnerabilities themselves.
Starting today, Tenable will migrate to the new scoring system in Nessus
as well as PVS, our Passive Vulnerability Scanner. The migration will
bring about some changes, which you might notice when you sync your
plugins after 3 pm EDT today.
First, the risk factors in plugin descriptions will look somewhat
different. For example, a v1 score such as this:
High / CVSS Base Score : 8
(AV:R/AC:H/Au:NR/C:C/I:C/A:C/B:N)
will appear in v2 as:
High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
[Note that some of the appreviations used for the metrics changed across
v1 and v2.]
Second, changes in the scoring equation used for v2 will lead to changes
for *some* plugins in the risk factor, and hence the reporting
functions. This is largely a reflection of criticisms that v1
underweighted the importance of remotely-exploitable vulnerabilities.
The worst-case jump will occur for 14 plugins that currently have a risk
factor of Low but will change to High -- they are associated with
vulnerabilities that can be exploited remotely and without
authentication or any mitigating factors and lead to complete loss of
either confidentility, integrity, or availability of an affected system
(think of a issue in which a single UDP packet can take down your border
router).
While we expect to handle a large portion of the migration today, there
are a number of plugins that we will have to re-score manually so don't
be surprised if you still see the older v1 scores after today -- we'll
rescore them as time permits.
If you have any questions about specific CVSS scores or the migration
process itself, feel free to contact me or Ron Gula,
[EMAIL PROTECTED] You may also wish to visit some of the
following URLs to learn more about CVSS in general:
- Tenable's Earlier Announcement about CVSS v2
http://blog.tenablesecurity.com/2007/07/cvss-version-2-.html
- CVSS SIG homepage
http://www.first.org/cvss/
- NIST's National Vulnerability Database
http://nvd.nist.gov/
George
--
[EMAIL PROTECTED]
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
