re
Viewer III

CVSS rating for Meltdown and Spectre

Hi,

Hopefully this is the right place to ask a question like this.

Today I looked in the ISC2 Vulnerability Central for the CVSS score for Meltdown and Spectre. To my surprise they scored pretty high. But when I look at NIST NVD they seem to differ. My question is: why do they differ?


CVE             ISC2    NVD
CVE-2017-5754   7.9     5.6
CVE-2017-5753   8.2     ongoing
CVE-2017-5715   8.2     5.6


Regards

Roger

5 Replies
Early_Adopter
Community Champion

 

Not sure, but I suspect that as ISC2 is using https://www.cytenna.com/technology.html then the scores are different because the NVD is scoring in a certain way and Cytenna is doing something different.

 

It would make sense to me that these were higher up the chain even though they will take some smarts to exploit, because of the ubiquity, time to patch, performance impact of the patch, etc.

 

Whoever works at Cytenna can probably explain more/better.

Graham_Murphy
Newcomer I

As far as I can see, for CVE-2017-5754 the differences come down to the following:

  • Attack Complexity (Low vs High)
  • Privileges Required (None vs Low)
  • Integrity (Low vs None)

In my personal opinion, as far as privileges required go, I'd probably go for "none", as attacks can be carried out on a drive-by basis via JavaScript. I'm not entirely sure I'd consider integrity to be none either, given that the exposure of secrets and keys could result in an indirect impact on integrity.

Ewald
Viewer II

The risk against integrity is a secondary risk and, by the same logic, availability risk should also be non-zero, because with the right password recovered it's also possible to shut down services or do other nasty stuff. I am not sure you should take these secondary risks into account when scoring CVSS, because confidentiality risks would mostly imply risks to I & A, so for clarity it is better to only score the primary risks?

Graham_Murphy
Newcomer I

That's a good point. I had tried to think of similar hardware issues that affect all software, and the closest I could think of was Rowhammer. I tried to dig up how it was scored (I think CVE-2015-0565), but I haven't been able to find details.

Nothwindtrader
Newcomer II

For an overview of Meltdown and Spectre, I recommend watching the following video from SANS Digital Forensics and Incident Response: https://www.youtube.com/watch?v=8FFSQwrLsfE