Vulnerabilities

Ok, fun things to learn about me: I don’t like CVEs or CVSS because my brain can’t really read them! I have the same challenge with some server naming standards. I need something like SRV-UK-ADDS-01; if it’s not got hyphens I need a tool to read them for me! (true story!). So let’s look at CVSS (I know I’m full of fun topics).

Letters and Letters and oh my!

and I have to spend a god-awful amount of time changing: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H to

See, look at this: we’ve gone from the crazy string (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) to:

Attack Vector: Network

Attack Complexity: Low

Privileges Required: None

User Interaction: None

you get the picture!

What does a CVSS 10 mean?

If you see a CVE with CVSS 10 it means:

Unauthenticated Remote Code Execution (RCE)

If we change the auth requirement, it stops being a 10! Watch this!

If we move from Network to Network adjacent, the score drops.

If we move to local access requirements the score drops even more:

and if we say physical access required:

We are down to a 7.6! That is for Low attack complexity, no privileges required, no user interaction, Scope: Changed and High impact to Confidentiality, Integrity and Availability; the only thing that moved is the Attack Vector.

Well, hopefully that was ‘fun’. Personally CVSS gets annoying to me: people game it, it doesn’t cater for chains, and the pile of letters makes my dyslexic brain melt a bit! But they are what they are!

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator