


THE COMMON VULNERABILITY SCORING SYSTEM (CVSS) AND ITS APPLICABILITY TO FEDERAL AGENCY SYSTEMS

RemediationLevel = case RemediationLevel of
    official-fix:    0.87
    temporary-fix:   0.90
    workaround:      0.95
    unavailable:     1.00
    not defined:     1.00

ReportConfidence = case ReportConfidence of
    unconfirmed:     0.90
    uncorroborated:  0.95
    confirmed:       1.00
    not defined:     1.00

3.2.3 Environmental Equation

If employed, the environmental equation combines the environmental metrics with the temporal score to produce an environmental score ranging from 0 to 10. Unlike the temporal equation, whose multipliers are all at most 1.00 and can therefore only lower the base score, the environmental equation can produce a score higher than the temporal score: a non-zero CollateralDamagePotential adds a fraction of the remaining headroom (10 - AdjustedTemporal), and a security requirement rated high (1.51) scales the corresponding impact upward in AdjustedImpact. Conversely, a TargetDistribution of none zeroes the score regardless of the other metrics.

The environmental equation is:

EnvironmentalScore = round_to_1_decimal((AdjustedTemporal + (10 - AdjustedTemporal) * CollateralDamagePotential) * TargetDistribution)

AdjustedTemporal = TemporalScore recomputed with the BaseScore's Impact subequation replaced with the AdjustedImpact equation

AdjustedImpact = min(10, 10.41 * (1 - (1 - ConfImpact * ConfReq) * (1 - IntegImpact * IntegReq) * (1 - AvailImpact * AvailReq)))

CollateralDamagePotential = case CollateralDamagePotential of
    none:            0
    low:             0.1
    low-medium:      0.3
    medium-high:     0.4
    high:            0.5
    not defined:     0

TargetDistribution = case TargetDistribution of
    none:            0
    low:             0.25
    medium:          0.75
    high:            1.00
    not defined:     1.00

ConfReq = case ConfReq of
    low:             0.5
    medium:          1.0
    high:            1.51
    not defined:     1.0

IntegReq = case IntegReq of
    low:             0.5
    medium:          1.0
    high:            1.51
    not defined:     1.0

AvailReq = case AvailReq of
    low:             0.5
    medium:          1.0
    high:            1.51
    not defined:     1.0

3.3 Examples

Below, we provide examples of how CVSS is used for three different vulnerabilities.

3.3.1 CVE-2002-0392

Consider CVE-2002-0392: Apache Chunked-Encoding Memory Corruption Vulnerability. In June 2002, a vulnerability was discovered in the means by which the Apache web server handles requests encoded using chunked encoding.
The Apache Foundation reported that a successful exploit can lead to denial of service in some cases, and in others, the execution of arbitrary code with the privileges of the web server. Since the vulnerability can be exploited remotely, the Access Vector is "Network". The Access Complexity is "Low" because no additional circumstances need to exist for this exploit to be successful; the attacker need only craft a proper exploit message to the Apache web listener. No authentication is required to trigger the vulnerability (any Internet user can connect to the web server), so the Authentication metric is "None". Since the vulnerability can be exploited using multiple methods with different outcomes, scores need to be generated for each method and the highest used. If the vulnerability is exploited to execute arbitrary code with the permissions of the web server, thereby altering web content and possibly viewing local user or configuration information (including connection settings and passwords to back-end databases), the Confidentiality and Integrity Impact metrics are set to "Partial". Together,...
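The following is an added worked example, written by the editor and not part of the NIST document, that carries the temporal and environmental equations above through for the two outcomes of CVE-2002-0392 (arbitrary code execution and denial of service), scoring each outcome separately and taking the highest as the text directs. The RemediationLevel, ReportConfidence, CollateralDamagePotential, TargetDistribution and security-requirement tables are the ones printed on this page; the base-score equation, the base metric values and the temporal Exploitability values are taken from the CVSS v2 specification, which this excerpt does not show. The Availability settings for the two outcomes (A:N for code execution, A:C for denial of service) follow the CVSS v2 guide's scoring of this CVE; the temporal vector E:F/RL:OF/RC:C and the environmental vector CDP:LM/TD:H/CR:M/IR:M/AR:H are assumed purely for illustration. The environmental result shows the point made in 3.2.3: with a high Availability requirement and some collateral damage potential, the environmental score ends up above the temporal score.

```python
"""CVSS v2 base, temporal and environmental scoring, worked for CVE-2002-0392.

Added example (not from the NIST document). Base metric values, the base
equation and the temporal Exploitability values are from the CVSS v2
specification; the remaining tables are the ones printed on this page.
"""
from decimal import Decimal, ROUND_HALF_UP

# Base metric values (CVSS v2 specification; not shown in this excerpt).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}       # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}        # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}       # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}      # Conf/Integ/Avail Impact

# Temporal metric values. E is from the specification; RL and RC are this page's tables.
E = {"U": 0.85, "POC": 0.90, "F": 0.95, "H": 1.0, "ND": 1.0}
RL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}

# Environmental metric values, exactly as tabulated on this page.
CDP = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}
TD = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}   # ConfReq / IntegReq / AvailReq


def round1(x):
    """round_to_1_decimal: half-up rounding, not Python's default banker's rounding."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse(vector):
    """'AV:N/AC:L/Au:N/C:P/I:P/A:N' -> {'AV': 'N', 'AC': 'L', ...}."""
    return dict(part.split(":") for part in vector.split("/"))


def impact(m, env=None):
    """Impact subequation of the base score. When environmental metrics are given it
    becomes AdjustedImpact: each impact is scaled by its requirement and capped at 10."""
    if env is None:
        return 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    c = CIA[m["C"]] * REQ[env.get("CR", "ND")]
    i = CIA[m["I"]] * REQ[env.get("IR", "ND")]
    a = CIA[m["A"]] * REQ[env.get("AR", "ND")]
    return min(10.0, 10.41 * (1 - (1 - c) * (1 - i) * (1 - a)))


def base_score(m, env=None):
    """BaseScore = round1(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact))."""
    imp = impact(m, env)
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f = 0 if imp == 0 else 1.176            # f(Impact): a no-impact flaw scores 0
    return round1((0.6 * imp + 0.4 * exploitability - 1.5) * f)


def temporal_score(m, t, env=None):
    """TemporalScore = round1(BaseScore * E * RL * RC). All multipliers are <= 1, so
    the temporal score can never exceed the base score."""
    return round1(base_score(m, env) * E[t.get("E", "ND")] *
                  RL[t.get("RL", "ND")] * RC[t.get("RC", "ND")])


def environmental_score(m, t, env):
    """EnvironmentalScore = round1((AT + (10 - AT) * CDP) * TD), where AT is the temporal
    score recomputed with AdjustedImpact. CDP > 0 or a High requirement can push this
    above the temporal score; TD of None zeroes it."""
    at = temporal_score(m, t, env)
    return round1((at + (10 - at) * CDP[env.get("CDP", "ND")]) * TD[env.get("TD", "ND")])


def highest_base(vectors):
    """A flaw with several outcomes is scored per outcome and the highest score is used."""
    return max(base_score(parse(v)) for v in vectors)


if __name__ == "__main__":
    # CVE-2002-0392: two outcomes of the same chunked-encoding bug.
    code_exec = "AV:N/AC:L/Au:N/C:P/I:P/A:N"
    dos = "AV:N/AC:L/Au:N/C:N/I:N/A:C"
    temporal = parse("E:F/RL:OF/RC:C")                 # assumed for illustration
    env = parse("CDP:LM/TD:H/CR:M/IR:M/AR:H")          # assumed for illustration
    for v in (code_exec, dos):
        print(v, "base", base_score(parse(v)))
    print("highest base:", highest_base([code_exec, dos]))
    print("temporal (DoS):", temporal_score(parse(dos), temporal))
    print("environmental (DoS):", environmental_score(parse(dos), temporal, env))
```

Run as a script it prints base scores of 6.4 (code execution) and 7.8 (denial of service), a temporal score of 6.4 for the denial-of-service vector, and an environmental score of 8.8 for the assumed environment, above the 6.4 temporal score because AR:H lifts AdjustedImpact to the cap of 10 and CDP:LM then adds 30 percent of the remaining headroom.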