Security Vulnerability Severity Classification
Posted by jericho
http://www.suse.de/~thomas/papers/Severity-Metric.pdf
Security Vulnerability Severity Classification by Thomas Biege (thomas[at]suse.de) 27th January 2005
Abstract
This paper will describe a method of classifying the severity of security bugs in software for Unix-like systems. On the following pages I will propose a metric with weights to describe the impact of vulnerabilities on a scale S with n elements to provide an objective rating system. This classification scheme should serve as a reference for the SuSE Security Team for releasing security announcements. Hopefully this mechanism will be adopted by other vendors to have a vendor-independent rating system. Such a vendor-independent rating scheme will help customers, other vendors, and security companies/organisations to judge more precisely the level of impact of a released security update.

Great, YAVCS (yet another vulnerability classification system), just what we need.
While it’s a commendable goal to have a consistent cross-vendor scheme, the fact that this is limited to one platform is of very limited utility to end users.
This one seems to suffer all the limitations of CVSS (limited and arbitrary variables, weightings are subjective and not based on any published analysis or research, arbitrary mapping of numerical severity to qualitative ratings), without the benefit of being adaptable to a particular environment or recognizing that threat levels change over time.
The paper recognizes the difficulties that currently exist: “Most advisories include a severity level for this particular update but unfortunately most vendors use different schemes for classifying the same vulnerability and only a few of them are based on a comprehensive system. This situation makes it hard for other groups to compare the different advisories and to make the correct assumption about the level of impact as well as ranking different vulnerabilities.”
The paper then fails to propose a solution to this problem, instead proposing another proprietary scheme that isn’t comprehensive and only addresses the needs of a small group of vendors.
From the perspective of an end-user organization, a vulnerability classification system has to at a minimum help identify the relative risk levels of all the vulnerabilities in the environment, so that decisions on prioritizing efforts and allocating always scarce resources can be made somewhat rationally. If a system can help track overall risk levels in an environment so that an organization can decide if enough resources are available for reasonable risk management, it’s a bonus.
For all its shortcomings, CVSS can do this, along with the added benefit that it’s simple enough for management to understand. Of course, CVSS could be improved greatly by having at least some statistical justification for the values and weightings it chooses for the different variables, if not some qualitative analysis based on testing a large sample of cases and seeing that the results make sense.
If SuSE was proposing a standard rubric to guide Linux vendors in consistently setting the base scores in CVSS, this might be useful to both vendors and users and actually have some chance of improving the current situation through widespread adoption.
This proposal isn’t going to go anywhere. Where’s the incentive for other vendors to use it? Where’s the benefit to end users? Am I better off knowing that SUSE-SA:2004:020 will now be rated 7 instead of 6, while SUSE-SA:2004:019 will now be rated 4 instead of 5?
Speaking of standards and adopting... CVSS has been in the works for almost two years. It has now been published and presented at several conferences. The two people spearheading this are Mike Schiffman (Cisco) and Dave Ahmed (SecurityFocus/Symantec).
http://www.cisco.com/warp/public/707/cisco-sn-20050608-8021x.shtml
http://securityresponse.symantec.com/avcenter/security/Content/2005.04.27.html
Both advisories in the last couple of months, neither with a CVSS score. If the companies that want to see this implemented have not done it, it begs the question of why they haven’t adopted their own scoring system.
Yeah, well, anything that “Big Government” and “Big Business” is involved in takes about 10 times as long as it should.
Actually, Cisco is using, and publishing, CVSS scores on their MySDN service. See “Cisco’s Free Threat-Alerts Service Uses CVSS” http://www.eweek.com/article2/0,1759,1821377,00.asp
Here are a couple of examples (sorry for the formatting):

http://tools.cisco.com/MySDN/Intelligence/viewThreat.x?threatId=4353
Sun Solaris Runtime Linker LD_AUDIT Privilege Escalation
Discovered: 29 Jun 2005
Severity: High
Report Last Published: 29 Jun 2005
Urgency: Level 1 of 3: Standard Maintenance cycle
CVE ID:
CVSS Score: Base: 10.0 Temporal: 9.0
ID: 4353

http://tools.cisco.com/MySDN/Intelligence/viewThreat.x?threatId=4348
Cisco IOS RADIUS Authentication Bypass
Discovered: 29 Jun 2005
Severity: Medium
Report Last Published: 29 Jun 2005
Urgency: Level 1 of 3: Standard Maintenance cycle
CVE ID:
CVSS Score: Base: 3.5 Temporal: 2.6
ID: 4348
Symantec is probably trying to figure out how to charge their customers more money for CVSS scores.
Qualys is going to start using CVSS “real soon now”. If they publish scores in the section of the SANS @Risk weekly bulletin that they write it would help CVSS a lot. More likely, they’ll only include the scores in their private vulnerability database reserved for paying customers.