23/04/18
1
Cyber Security Risk Assessment, Spring 2018
Lecture 11: Quantitative Risk Analysis
Scoring Vulnerabilities – CVSS Environment
23/04/18 Fabio Massacci - Cyber Risk Assessment 1
Recall Example Scenario
• Christine's company has recently become a Level 3 merchant…
  – Level 3 Merchant = more than 20000 e-commerce transactions per year (~55 transactions x day)
  – They must be certified by an external assessor not to have high risk vulnerabilities
• Lots of Vulnerabilities Around
  – It discovers that its internal assessors have underestimated the scope of PCI due to their flat corporate network.
  – There are legacy systems not involved in card processing on its corporate network, and many of those are no longer maintained and cannot meet PCI DSS requirements.
• What is she going to do as a countermeasure?
  – Different security measures cost a lot.
Recall: qualitative vs quantitative
• Is this always reasonable?
  – Should Christine patch ALL SQLi vulnerabilities on ALL software?
  – Cannot know without a technical/objective analysis of the vulnerability/threat
What we did last time?
• Not all vulnerabilities are the same
  – How severe are the security problems affecting my software and database configuration?
• First part of the question:
  – How severe are the security problems… → used CVSS Base to make a specific guideline
• Second part of the question
  – …affecting my software and database configuration? → will use CVSS Environment
CVSS v3 – http://www.first.org/cvss/v3/development
• CVSS is based on three metric groups
Qualitative ratings of Global CVSS
The Web Server
• CVE-2016-5425
  – The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.
  – Base score
    • AV: AC: UI: PR: S: C: I: A:
23/04/18 Fabio Massacci - Offensive Technologies 7
Web Server Scoring
Vulnerability severity – a stable metric?
• CVSS Base score
  – Describes technical properties of the vulnerability
  – Always the same independently of
    • Time
    • Deployment of the software
• Do you think time matters?
  – Can the risk represented by a vulnerability change with time?
• Do specific deployments of the software matter?
  – Is the risk represented by a vulnerability the same for all installations of the software?
What can change?
• In time
  – Exploits (alleged, working or even automated)
  – Remediation fixes
  – Patches
• In space
  – Local mitigating measures (configurations)
  – Relative importance of the software to the organization
    • Link from primary to supporting asset
Scenario example
• You work for a flight company
• Each plane with a media center on board for passengers has a small server running RHEL 7
  – The server manages content delivered to each monitor in front of the passengers
  – No specific information about each client exists on the server
• Media network Operational Deployment
  – The in-flight server's only interface can be accessed from the physical terminal on board
  – The network shares the entertainment and the operational control network
  – No authentication required by default on these deployments
• Does this change how you evaluate other base metrics?
Vulnerability "risk factors"
• Vulnerability severity may change both in time and space
  – Several of these aspects are commonly recognized in the industry
    • Ad-hoc modifications often employed in organizations
• Time
  – How certain are you of the vulnerability existence?
  – Does an exploit exist, and what level of automation did it reach?
  – Does a permanent fix exist?
• Space
  – Do specific deployment conditions alter some characteristics of the vulnerability?
  – Are some characteristics more important than others?
Temporal and Environmental
CVSS TEMPORAL
Luca Allodi - Vulnerability assessment with CVSSv3 14
Temporal metric
• The Temporal metrics measure characteristics of the vulnerability that may change with time
  – current state of exploit techniques / code availability
  – existence of any patches or workarounds
  – the confidence that one has in the description of a vulnerability.
• They modify the score assigned by the base metric
  – "Not defined" value leaves score untouched
Temporal: Exploit code maturity
• Exploit Code Maturity measures the current state of exploit techniques
• Public availability of easy-to-use exploit code increases the number of potential attackers
• The exploit code available may progress from a proof-of-concept demonstration to exploit code that is successful in exploiting the vulnerability consistently.
• Possible values
  – Not defined → do not modify base score
  – High → functional code exists or no exploit required, details are publicly available. Exploit is highly reliable, possibly being used in the wild
  – Functional → code exists and works, but not reliably
  – Proof-of-concept → existing attack demonstration is not practical and requires substantial modification to work reliably
  – Unproven → exploit only theoretically possible, no public code available
Temporal: Remediation level
• The typical vulnerability is unpatched when initially published.
• Workarounds or hotfixes may offer interim remediation until an official patch or upgrade is issued.
• Possible values:
  – Not defined → no change to base score
  – Unavailable → solution does not exist or cannot be applied
  – Workaround → unofficial solution available
  – Temporary → temporary hotfixes or workarounds issued by vendor
  – Official Fix → official patch exists
Temporal: report confidence
• This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.
• Possible values:
  – Not defined → no change to base metric
  – Confirmed → reproduction is possible, details are available and verified by vendor / source code analysis
  – Reasonable → root cause of vulnerability is unknown, vuln may exist but not reachable/traceable
  – Unknown → vulnerability is not verified (e.g. not-reproducible bug that leads to crash)
Web Server – Exploits in the Wild?
• You do some investigations and find some info on a PoC
Web Server Scoring - II
• Suppose at some point you discover that a proof of concept exploit for the vulnerability exists
  – Somebody claims it does
• Should your risk change?
  – Evidence that it can be exploited, unclear whether this represents a real threat
http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html
The Web Server Scoring - III
• Now you know that the exploit works
  – And can be automated
• You also find that a workaround exists
  – "Adjust permissions on /usr/lib/tmpfiles.d/tomcat.conf file to remove write permission for the tomcat group."
• …And eventually that there is an official update
  – "Alternatively, update to the latest packages provided by your distribution. Confirm the file permissions after the update."
Back to our scenario (on-flight media server)
1. Exploit code exists, you tested it and it works under all conditions:
   – Exploit code maturity →
2. You find several reports of this vulnerability from multiple sources
   – Report confidence →
3. An official patch exists
   – Remediation level →
Temporal score I – Exploit Exists
Temporal Score II – Knowledge Widespread
Temporal Score – Fix Exists
CVSS ENVIRONMENTAL
Environmental: Security requirements
• Account for the importance of the affected IT asset to a user's organization
  – e.g. if an IT asset supports a business function for which Availability is most important, the analyst can assign a greater value to Availability relative to Confidentiality and Integrity.
• Importance of IT asset is defined by the business unit + technical
  – System supporting critical functionality
  – System critical to meet compliance
• Possible values for any of C, I, A
  – Not defined → no change to temporal metric
  – High [C,I,A] → catastrophic effect on organization/individuals
  – Medium [C,I,A] → serious effects on organization/individuals
  – Low [C,I,A] → limited effect on organization/individuals
Environmental: modified base metrics
• It's possible to modify each of the base metrics relative to the specific setting
• Exploitability
  – Modified AV, Modified AC, Modified PR, …
• Scope
  – Modified S
• Impact
  – Modified C, Modified I, Modified A
Scenario example - Environmental
• Each plane with a media center on board for passengers has a small server running RHEL 7
  – The server manages content delivered to each monitor in front of the passengers
  – No specific information about each client exists on the server
• Media network Operational Deployment
  – The in-flight server's only interface can be accessed from the physical terminal on board
  – The network shares the entertainment and the operational control network
  – No authentication required by default on these deployments
• For the media server does this change
  – how you evaluate base metrics?
  – how you evaluate security requirements?
Scenario example - Requirements
• (Same in-flight media server scenario as on the previous slide.)
• For the media server does this change
  – how you evaluate base metrics?
  – how you evaluate security requirements?
Scenario – Modified Base Metrics
• (Same in-flight media server scenario as on the previous slides.)
• For the media server does this change
  – how you evaluate base metrics?
  – how you evaluate security requirements?
Scenario – Modified Metrics + Requirements
• (Same in-flight media server scenario as on the previous slides.)
• For the media server does this change
  – how you evaluate base metrics?
  – how you evaluate security requirements?
Scenario – Three Alternatives
• Each plane with a media center on board for passengers has a small server running RHEL 7
  – The server manages content delivered to each monitor in front of the passengers
  – No specific information about each client exists on the server
• Media network Operational Deployment
  – The in-flight server's only interface can be accessed from the physical terminal on board in the pilot cabin (1)
  – The network shares the entertainment and the operational control network (2)
  – No strong (3) authentication required on these deployments
• For the media server does this change
  – how you evaluate base metrics?
  – how you evaluate security requirements?
Scenario – Three Alternatives
• Media network Operational Deployment
  – The in-flight server's only interface can be accessed from the physical terminal on board in the pilot cabin (1)
  – The network shares the entertainment and the operational control network (2)
  – No strong (3) authentication required on these deployments
• Operational Questions
  – Who do you want to restart the media server if it crashes or if there is something that doesn't work? The flight attendant or the pilot?
  – How many flight attendants/pilots are on the same physical plane (as opposed to the same flight)?
Scenario – New Customer Feature!
• Each plane with a media center on board for passengers has a small server running RHEL 7
  – The server manages content delivered to each monitor in front of the passengers
  – No specific information about each client exists on the server
• Media network Operational Deployment
  – The in-flight server's only interface can be accessed from the physical terminal on board
  – The network shares the entertainment and the operational control network
  – No authentication required by default on these deployments
• Business customers can now connect to the media server to stream their own content on the seat's video
CVSS ENVIRONMENTAL AND COMPLIANCE
The example of PCI-DSS
PCI-DSS
• Payment Card Industry Data Security Standard
• Information security standard for organizations that handle credit card data
  – Operations on VISA, Mastercard, AE circuits, etc.
  – POS systems, servers that handle payments..
• Cardholder Data Environment (CDE)
  – All processes and technology as well as the people that store, process or transmit customer cardholder data or authentication data, including connected system components and any virtualization components (i.e., servers, applications, etc.)
PCI-DSS and environments
• Standard compliance often requires "sensitive" systems to be segmented away from systems that do not manage sensitive data
• Isolation of sensitive components from the rest of the network
  – In PCI-DSS, called "Scope reduction"
    • e.g. segmentation of a network in several subnetworks
• Scope: Any network component, server, or application that is included or connected to the cardholder data environment
  – "Network components include but are not limited to firewalls, switches, routers, wireless access points, net appliances.."
  – Any system in the scope is considered to have high security requirements
Joe's Store.
[Network diagram: Store (POS terminals, DSL router, kiosk, free Wi-fi, PCs used by manager and assistant manager, switch), e-commerce website at a hosting company, Internet, customers. Labels: A = systems managing customer data, B = register to shop's mailing list, C = customer computers.]
Joe's Store Installed a Firewall
[Network diagram: Store (POS terminals, DSL router, kiosk, free Wi-fi, PCs used by manager and assistant manager), e-commerce website at a hosting company, Internet, customers; the store now has a firewall, a DMZ and a managed switch, and the internals of the router are split into Sub-net 01 and Sub-net 02. Labels: A = systems managing customer data, B = register to shop's mailing list, C = customer computers, D = managed switch to POS subnet.]
PCI-DSS and CVSS
• PCI-DSS mandates that a vulnerability assessment should be periodically run on the systems in scope
  – Remember that "PCI-DSS in scope" = somehow access sensitive data
• Rule
  – Anything with a CVSS (base) >= 4 needs to be patched
• Can CVSS environmental help?
• For Requirements
  – In-scope systems → higher score
  – Out-of-scope systems → lower score
Joe runs a VA tool on his systems

System ID | Aff_Sw (NVD) | CVE_ID | Description
A, C | WIN10 | CVE-2016-3236 | The Web Proxy Auto Discovery (WPAD) protocol implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 mishandles proxy discovery, which allows remote attackers to redirect network traffic via unspecified vectors, aka "Windows WPAD Proxy Discovery Elevation of Privilege Vulnerability."
• Looks it up on the NVD
• Base score: 9.8
• AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Original Configuration of Joe's Store
[Network diagram: Store (POS terminals, DSL router, kiosk, free Wi-fi, PCs used by manager and assistant manager, switch), e-commerce website at a hosting company, Internet, customers. Labels: A = systems managing customer data, B = register to shop's mailing list, C = customer computers.]
What Happens to the Requirements? Do we have requirements on Customers' Computers?
Original Configuration of Joe's Store - II
[Network diagram: same store network as above (POS terminals, DSL router, kiosk, free Wi-fi, manager PCs, switch, e-commerce website at a hosting company, Internet, customers). Labels: A = systems managing customer data, B = register to shop's mailing list, C = customer computers.]
Original Configuration of Joe's Store - III
[Network diagram: same store network as above (POS terminals, DSL router, kiosk, free Wi-fi, manager PCs, switch, e-commerce website at a hosting company, Internet, customers). Labels: A = systems managing customer data, B = register to shop's mailing list, C = customer computers.]
Joe's Original Store
[Network diagram: same store network as above (POS terminals, DSL router, kiosk, free Wi-fi, manager PCs, switch, e-commerce website at a hosting company, Internet, customers). Labels: A = systems managing customer data, B = register to shop's mailing list, C = customer computers.]
After Joe Installed the Firewall
[Network diagram: Store (POS terminals, DSL router, kiosk, free Wi-fi, PCs used by manager and assistant manager), e-commerce website at a hosting company, Internet, customers; the store now has a firewall, a DMZ and a managed switch, and the internals of the router are split into Sub-net 01 and Sub-net 02. Labels: A = systems managing customer data, B = register to shop's mailing list, C = customer computers, D = managed switch to POS subnet.]
After Joe Installed the Firewall - II
[Network diagram: same firewalled store network as above (firewall, DMZ, managed switch, Sub-net 01 and Sub-net 02). Labels: A = systems managing customer data, B = register to shop's mailing list, C = customer computers, D = managed switch to POS subnet.]
After Joe Installed the Firewall - III
[Network diagram: same firewalled store network as above (firewall, DMZ, managed switch, Sub-net 01 and Sub-net 02). Labels: A = systems managing customer data, B = register to shop's mailing list, C = customer computers, D = managed switch to POS subnet.]
Scoring example
• You work in the PSIRT of a firewall vendor.
• A security researcher sends details of a vulnerability they have found in one of your firewall products. Your company prioritizes work based on CVSS scores.
• Details: the vulnerability allows attackers to bypass authentication to the firewall's admin panel when the default "defrag packets before forward" flag is disabled, due to a faulty management of invalid fragmented IP datagrams.
1. Calculate a CVSS Base Score based on the researcher's report, to rate the severity of the vulnerability.
   AV, AC, UI, PR, S, C, I, A
Scoring example
• Before you can reproduce the vulnerability on your test systems using the proof-of-concept code the researcher provided, customers contact you saying their systems have been compromised and believe your firewall product is at fault. You release a public advisory to all customers warning them of the problem.
2. Calculate a CVSS Temporal Score so the public advisory indicates the current situation with respect to reproducing and fixing the vulnerability.
   E (exploit code maturity), R(emediation level), R(eport confidence)
Scoring example
• Your company uses the affected firewall product for its main Internet site, which manages
  – Customer support
  – Online orders
3. Calculate a CVSS Environmental Score to determine the risk to the firewall instance used on the main Internet site.
Scoring example
• Due to the high priority you put on the vulnerability, the development team soon reproduce the problem and have a fix. Recalculate the Temporal score so that it is correct for an updated public advisory that you will send to customers, along with the fixes.
4. Recalculate the CVSS Temporal Score.
   E (exploit code maturity), R(emediation level), R(eport confidence)
EXAMPLE 2
Further reading
• Chapters 10, 11 on Textbook
• Ross Anderson's book.
• CVSS First Web Site (See Wiki for links)