Viewer III

CVSS rating for Meltdown and Spectre

Hi,

Hopefully this is the right place to ask a question like this.

Today I looked in the ISC2 Vulnerability Central for the CVSS score for Meltdown and Spectre. To my surprise they scored pretty high. But when I look at NIST NVD they seem to differ. My question is: why do they differ?

CVE            ISC2   NVD
CVE-2017-5754  7.9    5.6
CVE-2017-5753  8.2    ongoing
CVE-2017-5715  8.2    5.6


Regards

Roger

5 Replies
Advocate I

Re: CVSS rating for Meltdown and Spectre

Not sure, but I suspect that as ISC2 is using https://www.cytenna.com/technology.html then the scores are different because the NVD is scoring in a certain way and Cytenna is doing something different.

It would make sense to me that these were higher up the chain even though they will take some smarts to exploit because of the ubiquity, time to patch, performance impact of patch, etc.


Whoever works at Cytenna can probably explain more/better.

Newcomer I

Re: CVSS rating for Meltdown and Spectre

As far as I can see, for CVE-2017-5754 the differences come down to the following:

  • Attack Complexity (Low vs High)
  • Privileges Required (None vs Low)
  • Integrity (Low vs None)

From my personal opinion, as far as privileges required, I'd probably go for "none", as attacks can be carried out on a drive-by basis via JavaScript. I'm not entirely sure I'd consider integrity to be none either, given the exposure of secrets and keys could result in an indirect impact on integrity.

Viewer II

Re: CVSS rating for Meltdown and Spectre

The risk against integrity is a secondary risk and, with the same logic, availability risk should also be non-zero. Because with the right password recovered it's also possible to shut down services or do other nasty stuff. I am not sure you should take into account these secondary risks when scoring CVSS because confidentiality risks would mostly imply risks to I & A, so for clarity it is better to only score the primary risks?

Newcomer I

Re: CVSS rating for Meltdown and Spectre

That's a good point. I had tried to think of similar hardware issues that affect all software, and the closest I could think of was Rowhammer. I tried to dig up how it was scored (I think CVE-2015-0565) but I haven't been able to find details.

Newcomer II

Re: CVSS rating for Meltdown and Spectre

For an overview of Meltdown and Spectre, I recommend watching the following video from SANS Digital Forensics and Incident Response: https://www.youtube.com/watch?v=8FFSQwrLsfE