32 cve 2003 0818 consider cve 2003 0818 microsoft

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: --------------------------------- 3.3.2 CVE-2003-0818 Consider CVE-2003-0818: Microsoft Windows Abstract Syntax Notation 1 (ASN.1) Library Integer Handling Vulnerability. In September 2003, a vulnerability was discovered that targets the ASN.1 library of all Microsoft operating systems. Successful exploitation of this vulnerability results in a buffer overflow condition allowing the attacker to execute arbitrary code with administrative (system) privileges. This is a remotely exploitable vulnerability that does not require authentication, therefore the Access Vector is “Network” and “Authentication” is “None”. The Access Complexity is “Low” because no additional access or specialized circumstances need to exist for the exploit to be successful. Each of the Impact metrics is set to “Complete” because of the possibility of a complete system compromise. Together, these metrics produce a maximum base score of 10.0. The base vector for this vulnerability is therefore: AV:N/AC:L/Au:N/C:C/I:C/A:C. Known exploits do exist for this vulnerability and so Exploitability is “Functional”. In February 2004, Microsoft released patch MS04-007, making the Remediation Level “Official-Fix” and the Report Confidence “Confirmed”. These metrics adjust the base score to give a temporal score of 8.3. Assuming that availability is less important than usual for the targeted systems, and depending on the values for Collateral Damage Potential and Target Distribution, the environmental score could vary between 0.0 (“None”, “None”) and 9.0 (“High”, “High”). The results are summarized below. ---------------------------------------------------BASE METRIC EVALUATION SCORE ---------------------------------------------------Access Vector [Network] (1.00) Access Complexity [Low] (0.71) Authentication [None] (0.704) Confidentiality Impact [Complete] (0.66) Integrity Impact [Complete] (0.66) Availability Impact [Complete] (0.66) ---------------------------------------------------FORMULA BASE SCORE ---------------------------------------------------Impact = 10.41*(1-(0.34*0.34*0.34)) == 10.0 Exploitability = 20*0.71*0.704*1 == 10.0 f(Impact) = 1.176 BaseScore =((0.6*10.0)+(0.4*10.0)–1.5)*1.176 == (10.0) ---------------------------------------------------- 18 THE COMMON VULNERABILITY SCORING SYSTEM (CVSS) AND ITS APPLICABILITY TO FEDERAL AGENCY SYSTEMS ---------------------------------------------------TEMPORAL METRIC EVALUATION SCORE ---------------------------------------------------Exploitability [Functional] (0.95) Remediation Level [Official-Fix] (0.87) Report Confidence [Confirmed] (1.00) ---------------------------------------------------FORMULA TEMPORAL SCORE ---------------------------------------------------round(10.0 * 0.95 * 0.87 * 1.00) == (8.3) ------------------------------------------------------------------------------------------------------ENVIRONMENTAL METRIC EVALUATION SCORE ---------------------------------------------------Collateral D...
View Full Document

This document was uploaded on 03/19/2014 for the course IS 4799 at ITT Tech Flint.

Ask a homework question - tutors are online