Cisco Moves To Vulnerability Scoring Standard
The San Jose, Calif.-based company on Wednesday published Common Vulnerability Scoring System (CVSS) scores for a pair of recently discovered vulnerabilities in Cisco Clean Access (CCA), a network admission control product consisting of Clean Access Server (CAS) and Clean Access Manager (CAM) that detects, isolates and remediates infected devices attempting to join the network.
The move highlights the rising profile of CVSS, a vendor-neutral, open severity rating system that scores vulnerabilities on a scale of 0 to 10 and is designed to replace proprietary scoring systems and clarify the true impact of a flaw. CVSS was developed as a cooperative effort between the National Infrastructure Advisory Council and a number of security industry vendors, including Cisco, Qualys, Nessus and Skype.
Although CVSS promises to simplify severity scoring, vendors have so far been slow to adopt the system. Oracle, which began publishing CVSS scores in its October critical patch update, was roundly criticized for downplaying vulnerabilities in its products by issuing low CVSS scores, a reminder that a score is only as good as the metric values a vendor chooses for it.
For solution providers, the proliferation of proprietary threat-rating systems has led to confusing messages from vendors. When multiple severity scores are issued for a product they sell, VARs often find it necessary to reassure customers and spend time on due diligence to determine the true impact of the vulnerability.
Jay Aho, security practice lead at Madison, Wis.-based solution provider Berbee Information Networks, now a division of CDW, says the decision by Cisco's Product Security Incident Response Team (PSIRT) to go with CVSS will help eliminate confusion over scores. "It's always a good thing when industry standards are implemented that stakeholders across vendors and manufacturers can all agree upon," he said.
Russell Smoak, director of Cisco's PSIRT, says publishing CVSS scores will help clarify the seriousness of vulnerabilities and help customers prioritize Cisco alerts against those from other vendors.
Cisco previously published CVSS scores on its MySDN (My Self-Defending Network) Web site and through its subscription-based IntelliShield Alert Manager service. From now on, PSIRT will score vulnerabilities using CVSS, and MySDN and IntelliShield will publish the same scores, according to Smoak.
"Both MySDN and IntelliShield include vendor neutrality and individual analysis, and they'll continue to be free to comment on their perception of vulnerabilities," Smoak said.
To provide visibility into the rationale behind its scores, Cisco will publish both CVSS base scores and temporal scores, Smoak said. CVSS base scores, which do not change over the life of a vulnerability, take into account whether a flaw can be exploited remotely, whether authentication is required, how difficult it is to exploit, and what impact successful exploitation has on confidentiality, integrity and availability. Temporal scores, which do change over time, factor in the maturity of publicly available exploit code and whether the vendor has shipped a fix.
"We're clearly stating all the metrics as we see them, which we hope will clarify any concerns," Smoak said.
Cisco, which has patched both of the CCA vulnerabilities, assigned a CVSS base score of 8 out of 10 to a flaw that prevents the shared secret used between the CAM and CAS components of Cisco Clean Access from being changed.
The other vulnerability stems from manual database backups performed on CAM being exposed to brute-force download attacks: an attacker who guesses the backup file name can download it without logging in. For this flaw, Cisco assigned a CVSS score of 10 out of 10.