[Openvas-devel] Resolving CVSS-Severity mismatches

Jan-Oliver Wagner Jan-Oliver.Wagner at greenbone.net
Mon Dec 5 12:29:13 CET 2011


since our recent cleanups regarding CVSS we now we have more and also more visible
mismatches between CVSS and severity category in our results.

Examples I see on a lenny box:

ImageMagick Buffer Overflow Vulnerability (Linux)  (OID: 
CVSS 9.3, but reported as "Medium" (security_warning).

In mid-term this should be solved via CR59, but we need a short-term fix IMHO.

The idea is to change the message types according to CVSS:
CVSS = 0.0 -> log_message()
0.1 <= CVSS <= 2.0 -> security_note()
2.1 <= CVSS <= 5.0 -> security_warning()
5.1 <= CVSS <= 1.0 -> security_hole()

We would have problems with NVTS that optionally send different messages.
Count says there are 7308 NVTs with more than one security_*().
1872 of this 7308 NVTs have a different severity. E.g. security_hole
and security_note. These surely need attention. Around 1600 of these
are autogenerated freebsd tests where the security_note is in fact used to send
log information and therefore could easily be changed.
Doing the remaining manually sounds doable (and we need to work only on those
with a CVE attached).
Some problematic NVTs will remain, I guess - but that is something solved later
on via CR57 and CR59.

Any flaws in this idea?
It would mean some changes in the scan results regarding severity category. However,
the situation as of now appears inconsistent or at least a little bit hard to interpret.

We also would then establish a automated adjustment QA process according to CVSS changes
in the CVE data.



Dr. Jan-Oliver Wagner |  ++49-541-335084-0  |  http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner

More information about the Openvas-devel mailing list