It is always a very hard task to rate the risk of a security issue. When we started doing pentests some years ago, we used a rating from 1 to 5 (very low, low, medium, high, very high). It quickly turned out that it is hard to tell whether a vulnerability has to be rated, e.g., high or very high. In practice, you often cannot distinguish between those cases. That’s why we decided to distinguish only between low, medium and high in our penetration test reports.
Take a look at the ServerView advisory we published some weeks ago. We have rated that issue high. Now take a look at how other people are estimating the risk:
- NIST is scoring the vulnerability with a base score of 7.5/10
- Secunia is rating the issue with 3/5 (moderately critical)
- ISS also addresses it as high risk
So, as you can see, the ratings differ a lot. It seems to be hard to rate an issue correctly for all the different circumstances. After publishing the advisory we got some comments on our rating along the lines of: Well, a ServerView interface is always in a completely separated management network, so nobody but the admins themselves can exploit that issue, so one should rate it low or medium. Absolutely correct, if it really is in such a management network… In practice, we (or any other attacker) can often find a way into most internal networks. And suddenly, a formerly low-rated vulnerability has a high impact.
So, what do we do in our reports? We try to rate the risk individually for our customer. How hard is it to exploit that error, and what advantages can we get by doing so? Let me give an example: If you are attacking a web shop, trying to extract credit card information out of the backend database, we would rate a vulnerability giving us that information as high as possible, even if we have no root exploit. Some people will tell you again: Well, this cannot be a highly critical vulnerability, as a root compromise would be even worse. But from the customer’s perspective it is totally uninteresting whether an attacker gets root if he already has the credit card data.
What can we learn? Always rate a security issue yourself, from your own perspective. Do not trust any rating that is not individually composed for your specific case. That’s why we need full disclosure of the bug: otherwise, nobody is able to calculate the risk, and the published rating may not fit your environment.