Re: [Openvas-discuss] Fwd: CVE-2011-0539 - Medium?
On Wednesday 21 December 2011 20:15:18 Michael Meyer wrote:
> But i agree with you. IMHO a risk_factor of Medium is much too high. I would prefer to set the risk_factor to None and make this NVT just informational. Any thoughts?

The best approach is to assign a CVSS carefully according to official guidelines. This ensures we have a rationale (the vector) documented. If possible, any additional consideration should be added to the description so that it becomes transparent why a NVT is assigned a certain threat level.

-- 
Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner

___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Re: [Openvas-discuss] Fwd: CVE-2011-0539 - Medium?
*** Reindl Harald h.rei...@thelounge.net wrote:
> they are forced to a distribution upgrade with classification Middle where there is no real reason

As Henri told you, CVE-2011-0539 comes with a CVSS base score of 5.0. CVSS provides a universal, open and standardized method for rating IT vulnerabilities. That's nothing we have just devised. What do you expect from us now?

Micha

-- 
Michael Meyer | OpenPGP Key: 52A6EFA6 | http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] Fwd: CVE-2011-0539 - Medium?
We need to distinguish between *potential* customer impacts and *real* customer impacts on a given network.

Vulnerability scanners can *NEVER* fully understand the network they are auditing and what the true impact of an issue is. That's the job of an auditor, not a free tool.

If a vulnerability has the potential for being a critical vulnerability (e.g. root exploit against IIS), but is a non-event on your network because of how you've filtered things using an Apache reverse proxy, does that mean it should be reported as Low as opposed to Critical?

The scanner will (and in my opinion SHOULD) always report what the potential is for a vulnerability. It is up to the auditor to then examine this in the context of the network setup to decide if the issue needs remediation or not, and if so, what sense of urgency is associated with it.

The problem here is not the scanner - it is using the scanner in an appropriate way.

If an auditor (and I say this in the context of providing auditing services to thousands of customers) is claiming that because their scanner is finding a vulnerability the issue must be repaired or the service stopped, without providing even basic due diligence on the impact of that vulnerability, then either fire the auditor (or if you are the auditor, rethink your business plan).

Thomas

Reindl Harald wrote:
> On 22.12.2011 03:00, Christian Kuersteiner wrote:
>> The scanner doesn't know if /admin or /myprivatedocs is something worth reporting or not, but you know, as you know your setup.
>
> exactly - the scanner does not know, and if it can not classify what it finds it should be low or even informational and not middle
>
>> I think the way to go is in general to make an override of the threat if it doesn't match with your risk assessment.
>
> you do not understand the problem: a big client makes security audits via a third party; they start automated scans, provide the result and say Middle has to be fixed or the site has to go down
>
> so, the robots.txt is a part of a fully automatically deployed system for 100 customers and i have no understanding for changing things because some foreigner outside is able to start a scan-software and decides global changes :-(
>
>> On the other side I agree that robots.txt is not a medium risk but would rather mark it Low than None for the reason stated above
>
> please yes! currently it makes robots.txt unusable for companies which have a secaudit once each week
>
> P.S.: i fixed CVE-2011-0539 by rebuilding the Fedora 16 openssh on our F15 buildserver and deploying the new openssh. But not all users out there have the knowledge and infrastructure to do so; they are forced to a distribution upgrade with classification Middle where there is no real reason
Re: [Openvas-discuss] Fwd: CVE-2011-0539 - Medium?
*** Reindl Harald h.rei...@thelounge.net wrote:
> and there is no need to take action because any robots.txt, especially the one below, which does not leak a single folder
> [...]
> Disallow: /admin
> Disallow: /

not leaking a single folder? ;)

But i agree with you. IMHO a risk_factor of Medium is much too high. I would prefer to set the risk_factor to None and make this NVT just informational. Any thoughts?

Micha

-- 
Michael Meyer | OpenPGP Key: 52A6EFA6 | http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] Fwd: CVE-2011-0539 - Medium?
On 22.12.2011 03:00, Christian Kuersteiner wrote:
> The scanner doesn't know if /admin or /myprivatedocs is something worth reporting or not, but you know, as you know your setup.

exactly - the scanner does not know, and if it can not classify what it finds it should be low or even informational and not middle

> I think the way to go is in general to make an override of the threat if it doesn't match with your risk assessment.

you do not understand the problem: a big client makes security audits via a third party; they start automated scans, provide the result and say Middle has to be fixed or the site has to go down

so, the robots.txt is a part of a fully automatically deployed system for 100 customers and i have no understanding for changing things because some foreigner outside is able to start a scan-software and decides global changes :-(

> On the other side I agree that robots.txt is not a medium risk but would rather mark it Low than None for the reason stated above

please yes! currently it makes robots.txt unusable for companies which have a secaudit once each week

P.S.: i fixed CVE-2011-0539 by rebuilding the Fedora 16 openssh on our F15 buildserver and deploying the new openssh. But not all users out there have the knowledge and infrastructure to do so; they are forced to a distribution upgrade with classification Middle where there is no real reason