26–27 Oct 2024
Clarion Congress Hotel Prague
Europe/Prague timezone

CVSS scoring often does not work well for DNS

27 Oct 2024, 11:45
15m
Tycho/Kepler Rooms (Clarion Congress Hotel Prague)

Freyova 33, Praha 9 - Vysočany, 190 00, Česká republika
In-Person Standard Presentation Session 2

Speaker

Cathy Almond (Internet Systems Consortium)

Description

The developer community handles security defects on a regular basis, and most organisations now use CVSS (the Common Vulnerability Scoring System framework) to convey vulnerability severity and impact to users of their software products. The laudable objective behind encouraging all software vendors and distributors to use the same metrics system is that it enables software administrators to more easily make the right decisions on how quickly to respond to each new security report they receive: "Is this an issue that should be patched as soon as possible, or can it wait until the next scheduled maintenance window?"

What we have found, however, is that the majority of vulnerabilities reported against BIND nearly always score one of a small number of values. This holds regardless of their actual operational risk, which looks quite different if it is instead assessed on the popularity or obscurity of the feature involved and on the likelihood that the defect that has been uncovered would make a feasible attack.

How can we more realistically evaluate and report DNS security vulnerabilities so that the information we provide on each is genuinely useful? How can we do something better than just scoring most of our BIND Security Advisories at 7.5?

Talk duration: 20 minutes (+5 for Q&A)

Primary author

Cathy Almond (Internet Systems Consortium)

Presentation materials