
Add support for CVSS 3.0 for Firmware Vulnerabilities

As of NCM v7.9, NCM uses the old NIST XML feed, which provides CVSS 2.0 Base Impact Scores. Cisco's Security Bulletin default has been CVSS 3.0 for a while now. The XML feed was scheduled to retire in April 2019, but has been extended to October 9, 2019:

NVD - XML Vulnerability Feed Retirement

Please start using the JSON feed, which supports both CVSS 2.0 and CVSS 3.0.

In addition, please break out the Impact metrics to allow better search and sorting of more critical issues. Medium/High/Critical Base scores are not that useful by themselves.

Some example JSON fields in this regard:

"impact" : {
  "baseMetricV3" : {
    "cvssV3" : {
      "version" : "3.0",
      "vectorString" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "attackVector" : "NETWORK",
      "attackComplexity" : "LOW",
      "privilegesRequired" : "NONE",
      "userInteraction" : "REQUIRED",
      "scope" : "CHANGED",
      "confidentialityImpact" : "LOW",
      "integrityImpact" : "LOW",
      "availabilityImpact" : "NONE",
      "baseScore" : 6.1,
      "baseSeverity" : "MEDIUM"
    },
    "exploitabilityScore" : 2.8,
    "impactScore" : 2.7
  },
  "baseMetricV2" : {
    "cvssV2" : {
      "version" : "2.0",
      "vectorString" : "AV:N/AC:M/Au:N/C:N/I:P/A:N",
      "accessVector" : "NETWORK",
      "accessComplexity" : "MEDIUM",
      "authentication" : "NONE",
      "confidentialityImpact" : "NONE",
      "integrityImpact" : "PARTIAL",
      "availabilityImpact" : "NONE",
      "baseScore" : 4.3
    },
    "severity" : "MEDIUM",
    "exploitabilityScore" : 8.6,
    "impactScore" : 2.9,
    "acInsufInfo" : false,
    "obtainAllPrivilege" : false,
    "obtainUserPrivilege" : false,
    "obtainOtherPrivilege" : false,
    "userInteractionRequired" : true
  }
},

Ideally, as part of CVSS v3.0, we should be able to enter, save, and report on Temporal and Environmental Metrics for each device:

CVSS v3.0 Specification Document

3. Temporal Metrics

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence that one has in the description of a vulnerability.

4. Environmental Metrics

These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user's organization, measured in terms of complementary/alternative security controls in place, Confidentiality, Integrity, and Availability. The metrics are the modified equivalent of base metrics and are assigned metric values based on the component placement in organization infrastructure.

We currently have to do this with painful spreadsheets. Temporal metrics do not appear in the current JSON feed, and have to be researched.
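To show what "breaking out the Impact metrics" from the JSON feed looks like in practice, here is an added example (not from the original post, and not NCM code): it flattens the baseMetricV3 block of one NVD JSON 1.0 item into sortable columns, falls back to baseMetricV2 when v3 is absent, and recomputes the v3 base, exploitability and impact scores from the vector string (CVSS 3.0 spec, section 8) to flag feed entries whose numbers do not match their vector. The sample item is the post's own "impact" excerpt wrapped in a constructed item with a placeholder CVE ID; the "PR_C" key for the Scope-Changed Privileges Required weights is this example's own naming.

```python
import math

# CVSS 3.0 metric weights (spec section 8.4); "PR_C" (my naming) holds the PR weights used when Scope is Changed
WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}, "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27}, "PR_C": {"N": 0.85, "L": 0.68, "H": 0.5},
    "UI": {"N": 0.85, "R": 0.62}, "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
}

def parse_vector(vector):
    """'CVSS:3.0/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}; rejects vectors of other versions."""
    head, *parts = vector.split("/")
    if head != "CVSS:3.0":
        raise ValueError("not a CVSS 3.0 vector: " + vector)
    return dict(p.split(":", 1) for p in parts)

def roundup(x):
    """CVSS 3.0 Roundup(): smallest one-decimal value >= x (6.007 -> 6.1)."""
    return math.ceil(x * 10) / 10

def score_v3(vector):
    """Recompute (baseScore, exploitabilityScore, impactScore) from the vector per spec section 8.1."""
    m, w = parse_vector(vector), WEIGHTS
    changed = m["S"] == "C"
    expl = 8.22 * w["AV"][m["AV"]] * w["AC"][m["AC"]] * w["PR_C" if changed else "PR"][m["PR"]] * w["UI"][m["UI"]]
    iss = 1 - (1 - w["CIA"][m["C"]]) * (1 - w["CIA"][m["I"]]) * (1 - w["CIA"][m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    base = 0.0 if impact <= 0 else roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))
    # NVD publishes the two sub-scores rounded (not rounded up) to one decimal
    return base, round(expl, 1), round(impact, 1)

def extract_metrics(item):
    """Flatten one CVE_Items entry into sortable columns; prefer v3 over v2 and check v3 scores against the vector."""
    cve_id, imp = item["cve"]["CVE_data_meta"]["ID"], item["impact"]
    if "baseMetricV3" in imp:
        v3, cv = imp["baseMetricV3"], imp["baseMetricV3"]["cvssV3"]
        base, expl, impact = score_v3(cv["vectorString"])
        ok = (base, expl, impact) == (cv["baseScore"], v3["exploitabilityScore"], v3["impactScore"])
        return {"id": cve_id, "cvss": "3.0", **parse_vector(cv["vectorString"]),
                "baseScore": cv["baseScore"], "severity": cv["baseSeverity"], "feedConsistent": ok}
    v2 = imp["baseMetricV2"]  # v2-only entries: no per-metric columns, no vector cross-check
    return {"id": cve_id, "cvss": "2.0", "baseScore": v2["cvssV2"]["baseScore"],
            "severity": v2["severity"], "feedConsistent": None}

# Constructed sample: the post's "impact" excerpt in the minimal NVD JSON 1.0 item shape; the CVE ID is a placeholder
SAMPLE_ITEM = {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0000"}}, "impact": {
    "baseMetricV3": {"cvssV3": {"version": "3.0", "baseScore": 6.1, "baseSeverity": "MEDIUM",
                                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},
                     "exploitabilityScore": 2.8, "impactScore": 2.7},
    "baseMetricV2": {"cvssV2": {"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "baseScore": 4.3}, "severity": "MEDIUM"}}}
```

Running extract_metrics over every entry of a feed file gives rows you can filter on, for example, attackVector NETWORK and privilegesRequired NONE, which is the search the post asks for; feedConsistent is False whenever the published scores disagree with the vector.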

3 Comments

BUMP. Really need the Firmware Vulnerability Data to be made available within NCM with support for the latest CVSS 3.0.

Deprecation Notice in NCM 2019.4 hints that the Firmware Vulnerability feature may be removed completely in future versions of NCM, this is such a backwards step.

Any updates on the fix for the NIST data feeds?

It looks like JSON is supported in NCM 2019.4 HF 1 release according to the release notes.

Network Configuration Manager 2019.4 Release Notes