Hi,
Hopefully this is the right place to ask a question like this.
Today I looked in the ISC2 Vulnerability Central for the CVSS score for Meltdown and Spectre. To my surprise they scored pretty high. But when I look at NIST NVD they seem to differ. My question is why they differ?
ISC2 | NVD | |
CVE-2017-5754 | 7.9 | 5.6 |
CVE-2017-5753 | 8.2 | ongoing |
CVE-2017-5715 | 8.2 | 5.6 |
Regards
Roger
Nor sure, but I suspect that as ISC2 is using https://www.cytenna.com/technology.html then the score are different because the NVD is scoring in a certain way and Cytenna is doing something different.
It would make sense to me that these were higher up the chain even though they will take some smarts to exploit because of the ubiquity, time to patch performance impact of patch etc.
Whoever works at Cytenna can probably explain more/better.
As far as I can see, for CVE-2017-5754 the differences come down to the following:
From my personal opinion, as far a privileges required, I'd probably go for "none", as attacks can be carried out on a drive-by basis via JavaScript. I'm not entirely sure I'd consider integrity to be none either, given the exposure of secrets and keys could result in an indirect impact on integrity.
That's a good point. I had tried to think of similar hardware issues that affect all software, and the closest I could think of was Rowhammer. I tried to dig up how it was scored,(I think CVE-2015-0565) but I haven't be able to find details.
For an overview of Meltdown and Spectre, I recommend watching the following video from
SANS Digital Forensics and Incident Response: https://www.youtube.com/watch?v=8FFSQwrLsfE