#Heise explained #CVE and #CVSS (quite a while ago):
"Schubladen für Schwachstellen: Das CVE-System im Überblick" ("Pigeonholes for vulnerabilities: an overview of the CVE system")
https://www.heise.de/hintergrund/Schubladen-fuer-Schwachstellen-Das-CVE-System-im-Ueberblick-4940478.html
"Von niedrig bis kritisch: Schwachstellenbewertung mit CVSS" ("From low to critical: vulnerability rating with CVSS")
https://www.heise.de/hintergrund/Von-niedrig-bis-kritisch-Schwachstellenbewertung-mit-CVSS-5031983.html
#Heise #cve #cvss #security #schwachstellen
Of course, once again right before my vacation there is a #vulnerability in the #aruba #switches with a #cvss score of 8.3. That is going to be a lot of work again .....
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-013.txt
#sicherheitslucke #aruba #switches #cvss #cve202339266
This one looks horrible:
A stack-based overflow vulnerability [CWE-124] in FortiOS & FortiProxy may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection.
FortiOS version 7.2.0 through 7.2.3
FortiOS version 7.0.0 through 7.0.10
FortiProxy version 7.2.0 through 7.2.2
FortiProxy version 7.0.0 through 7.0.9
#fortigate #vuln #cvss #arbexec
Pleased to see @firstdotorg throwing up that Mastodon link! I noticed it while evaluating the new #CVSS 4.0 user guide. A very pleasant surprise that now has me following them on Mastodon. :)
Zyxel fixes several vulnerabilities in its firewalls, including a 9.8 RCE
Network equipment manufacturer #Zyxel has released fixes for a critical #vulnerability in its #firewalls. The #bug allows remote execution of arbitrary code on vulnerable #systems.
The #vulnerability was reportedly discovered by specialists at TRAPA Security; it has received the identifier CVE-2023-28771 and a rating of 9.8 out of 10 on the #CVSS #vulnerability rating scale.
#redhotcyber #informationsecurity #ethicalhacking #dataprotection #hacking #cybersecurity #cybercrime #cybersecurityawareness #cybersecuritytraining #cybersecuritynews #privacy #infosecurity
I don't know if this is a controversial opinion, but I will state it anyway:
I believe that the CVE system has some serious deficiencies. In particular, using the same system for both user-facing products and third-party libraries is problematic to the point of actually reducing overall security in the industry.
Let me give an example: Let's say you run a self-hosted piece of server-software written in Java. Let's call the product "Foo". You use something like Sonatype to monitor vulnerabilities in the software you use.
You happily run Foo for a few months and CVE-2023-0001 is reported on product Foo with a CVSS score of 9.9. In this case the system works great because you can now patch Foo as soon as possible, and in the meantime you can look at the remediation procedure documented in the CVE report to determine how much of a hurry you are in.
But that's unfortunately not what happens. What you are actually going to see is hundreds of vulnerabilities of varying severity reported not just on Foo as a product, but on every single third-party library that the product Foo happens to use.
Let's say that Foo generates SVG from a template and then uses a library to convert said SVG into images before sending them to the client (never mind that seems like a stupid solution, just go with it). And then a CVSS 10.0 appears because there is an RCE when passing specially crafted SVG data to the library.
Now you have Sonatype reporting that you have a severity 10 issue with the workaround static "upgrade this library". This information would be useful for the developer of Foo, but not for the user.
In fact, the developer may already have investigated this and downgraded the score since the library is never used to process untrusted input.
What this means is that as a user of some piece of software you will feel a lot of pressure internally to pursue CVE reports that are in fact not relevant, but since it shows up in your scan you have an obligation to do this, and check with the vendor to ask about the root cause of these results. This takes time and energy away from your real job: To keep your infrastructure secure.
I lay the blame for this happening squarely on the bad organisation of the CVE database, and I really wish there was a better way. Unfortunately right now it's all we have.
Security flaws can be overwhelming, but don't despair! Learn more about patching, #CVEs and #CVSS with #RedHat's @vdanen in the latest Security Detail video. #security #opensource https://sprou.tt/1SaIqJaqVVV
#cves #cvss #redhat #security #opensource
NEW THURSDAY! New episode of CYBER2GO!
* Public-sector employee: access to thousands of citizens' personal data
* #BitWarden #CVSS of 5.3
Listen wherever you normally find your #podcasts, or at https://cyber2go.buzzsprout.com!
#bitwarden #cvss #nvidia #bsod #podcasts #cybersikkerhed #teknik #it #cyber2go
Prioritizing vulnerabilities with exploit code publicly available is 👉11x more effective 👈 than #CVSS is for minimizing exploitability. Check out https://learn-cloudsecurity.cisco.com/kenna/prioritization-to-prediction-volume-8#page=1 from Kenna Security for more proven ways to squeeze the most risk reduction from your vuln mgmt efforts.
The whole thing with CVSS and trusting anyone's scoring of a given vulnerability, including the product maintainer, is that very few people actually follow the CVSS spec properly when scoring.
The other thing is that the addition of "scope change" to CVSSv3 led to generally higher numeric scores (and an additional layer of confusion).
Scope change is when exploiting a vulnerability would allow an attacker to break out of the vulnerable application's security domain and into another. Say a web application that has its own authentication and authorization mechanisms has a vulnerability that allows interaction with the filesystem on the underlying OS, that's a scope change.
Now what happens to the scoring? Well the spec says you have to score your CIA impact as the worst of either impact to the original scope or the new scope. In the vast majority of circumstances the impact to the original scope will be rather high, even if the impact in the newer (and arguably more important) scope is rather limited.
So scoring wise there is basically no difference between a vulnerability that would allow root/SYSTEM level RCE, and one that would only permit limited access to the underlying OS but fully compromise the vulnerable application.
Also if we're talking exploit difficulty, a trivially exploitable unauthenticated RCE would score a 10.0 in CVSSv3. What if everything else is the same but the vulnerability involves a "probably" unexploitable race condition? Still scored a 9.0 and considered "critical".
Anyway, CVSS is not great, but frankly we don't have anything else better and I don't see anyone stepping up to change that in a free and open way.
Another unambiguous write up by Daniel Stenberg and very nice to learn some more about the subjective nature of the CVSS scores and how it all fits together.
How do we get the NVD to stop the insanity?
[...] In the curl project we decided to abandon CVSS years ago because of its inherent problems. Instead we use only the four severity names: Low, Medium, High, and Critical [...] I have talked to humans on the GitHub database team and I push for them to ignore or filter out the severity levels as set by NVD, if possible. But me being just a single complaining maintainer I do not expect this to have much of an effect. I would urge NVD to stop this insanity if I had any way to. [...]
https://daniel.haxx.se/blog/2023/03/06/nvd-makes-up-vulnerability-severity-levels/
#cvss #nvd #cve #mitre #vulnerabilitymanagement
Cisco fixes a critical vulnerability in IP phones with a 9.8 score
On 1 March, #Cisco released security #updates to fix a critical #vulnerability affecting its 6800, 7800, 7900 and 8800 series IP phones.
Tracked as CVE-2023-20078, the #vulnerability is rated 9.8 out of 10 in the #CVSS scoring #system and is described as "a #web management interface command injection flaw due to insufficient #validation of user #input".
#redhotcyber #informationsecurity #ethicalhacking #dataprotection #hacking #cybersecurity #cybercrime #cybersecurityawareness #cybersecuritytraining #cybersecuritynews #privacy #infosecurity
@heiseonline @heisec Today #ubuntu finally released updated packages for the critical #vulnerability #CVE202320032 in #calmav with a #cvss score of 9.8. Anyone running Ubuntu and ClamAV should install them right away.
I think 12 days for that is far too long and hope that for such severe holes it will be faster again in future. Debian managed it in 5 days, after all.
https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/2007456
#ubuntu #sicherheitslucke #cve202320032 #calmav #cvss
Here's another cvss-rescore update. The package code is written in Python, but maybe you're not running Python, or you have an orchestration using a different language or framework. Want to rescore vulns using an API endpoint instead? I just built a Docker example that calls the rescore functionality from a FastAPI REST endpoint.
https://github.com/bp4151/cvss-rescore-example
https://github.com/bp4151/cvss-rescore-example/blob/main/DOCKER-API-README.md
#CVSS explained - a short intro #devsecops #cybersecurity #itsecurity #scoring #vulnerabilities https://youtu.be/CZrS_UFT37Y
#cvss #devsecops #cybersecurity #itsecurity #scoring #vulnerabilities
#CVSS system criticized for failure to address real-world impact
#cybersecurity #it #portswigger
https://portswigger.net/daily-swig/cvss-system-criticized-for-failure-to-address-real-world-impact
#cvss #cybersecurity #it #portswigger
Does anyone know of any vulnerability management tool that actually allows you to generate your own CVSS? To the best of my knowledge neither Rapid7 nor Tenable do this. CVSS, while problematic, does contain scoring for Temporal and Environmental, but I haven't seen a product that lets you actually input your own meta data to adjust the score for your business.
#Security #BlueTeam #VulnMgmt #VulnerabilityManagement #CVSS #Risk #RiskScoring #Rapid7 #Tenable #CVE
@heiseonline @heisec At #ubuntu the status of the critical #vulnerability #CVE202320032 in #calmav with a #cvss score of 9.8 is still "Needs triage" with a priority of just Medium. Meanwhile the Launchpad users are discussing building the update themselves. What on earth is going on at Ubuntu? Are they all off celebrating Carnival?
#ubuntu #sicherheitslucke #cve202320032 #calmav #cvss
The #vulnerability #CVE202320032 in #clamav with a #cvss score of 9.8 has been known for 5 days now; @heisec reported on it on Friday. I have written up the systems affected on my side and the course of events so far since the vulnerability became known in a blog post. I will also keep adding to the list of available updates as new ones come out. Maybe it helps someone.
https://www.purrucker.de/2023/02/20/kritische-sicherheitsluecke-in-clamav-cve-2023-20032/
#clamav #sicherheitslucke #cve202320032 #cvss