Standardizing the Severity of Security Vulnerabilities

ISC has recently become aware of a security advisory, CVE-2010-3762 filed against BIND 9 on October 5th 2010. ISC did not request this CVE, nor was it contacted by the submitter prior to its submission.

We believe the reported severity assessment of this CVE to be higher than is realistic. Specifically, because the operator of a recursive server must first have configured a specific zone as trusted by adding a trust-anchor statement for it, we believe the impact of this vulnerability to be low.

Using the Common Vulnerability Scoring System (CVSS), we arrived at a score of 2.1 for this bug. The difference between our CVSS classification and the score published with the CVE lies in the exploitability metrics: the submitter rated access complexity as medium and authentication as none. We consider this issue much harder to exploit than that, since it requires the administrator to have trusted a specific zone, and that trust is, in effect, a single authentication.

Our recommendation is that administrators not add trust anchors for zones they do not trust.

ISC is now using the CVSS, which NIST also uses, to determine the severity of potential security issues. Users can enter the environmental metrics that describe their own deployment into the CVSS scoring calculator to determine the risk a specific issue poses to their own environment. We encourage BIND users to investigate how the CVSS system can help them determine the level of threat that specific vulnerabilities pose to their operational environments. Please do not hesitate to contact ISC with concerns either about this specific CVE or about the CVSS process in general.


Last modified: June 17, 2013 at 6:12 pm