topic Re: CVSS rating for Meltdown and Spectre in Tech Talk

CVSS rating for Meltdown and Spectre

re — Mon, 08 Jan 2018 06:51:35 GMT

Hi,

Hopefully this is the right place to ask a question like this.

Today I looked in the ISC2 Vulnerability Central for the CVSS score for Meltdown and Spectre. To my surprise they scored pretty high. But when I look at NIST NVD they seem to differ. My question is why they differ?

	ISC2	NVD
CVE-2017-5754	7.9	5.6
CVE-2017-5753	8.2	ongoing
CVE-2017-5715	8.2	5.6

Regards

Roger

Re: CVSS rating for Meltdown and Spectre

Early_Adopter — Mon, 08 Jan 2018 08:08:08 GMT

Nor sure, but I suspect that as ISC2 is using https://www.cytenna.com/technology.html then the score are different because the NVD is scoring in a certain way and Cytenna is doing something different.

It would make sense to me that these were higher up the chain even though they will take some smarts to exploit because of the ubiquity, time to patch performance impact of patch etc.

Whoever works at Cytenna can probably explain more/better.

Re: CVSS rating for Meltdown and Spectre

Graham_Murphy — Mon, 08 Jan 2018 09:40:30 GMT

As far as I can see, for CVE-2017-5754 the differences come down to the following:

Attack Complexity (Low vs High)
Privileges Required (None vs Low)
Integrity (Low vs None)

From my personal opinion, as far a privileges required, I'd probably go for "none", as attacks can be carried out on a drive-by basis via JavaScript. I'm not entirely sure I'd consider integrity to be none either, given the exposure of secrets and keys could result in an indirect impact on integrity.

Re: CVSS rating for Meltdown and Spectre

Ewald — Mon, 08 Jan 2018 10:45:22 GMT

The risk against integrity is a secondary risk and, with the same logic, availability risk should also be none-zero. Because with the right password recovered it's also possible to shut down services or do other nasty stuff. I am not sure you should take into account these secondary risks when scoring CVSS because confidentiality risks would mostly imply risks to I & A, so for clarity is better to only score the primary risks?

Re: CVSS rating for Meltdown and Spectre

Graham_Murphy — Mon, 08 Jan 2018 10:54:00 GMT

That's a good point. I had tried to think of similar hardware issues that affect all software, and the closest I could think of was Rowhammer. I tried to dig up how it was scored,(I think CVE-2015-0565) but I haven't be able to find details.

Re: CVSS rating for Meltdown and Spectre

Nothwindtrader — Mon, 08 Jan 2018 14:29:47 GMT

For an overview of Meltdown and Spectre, I recommend watching the following video from

SANS Digital Forensics and Incident Response: https://www.youtube.com/watch?v=8FFSQwrLsfE