Re: [Full-disclosure] When is it valid to claim that a vulnerability leads to a remote attack?

["Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>]

> I  think we can agree that yes, it is remotely exploitable and as such
> should be categorized as "remote" in Risk/Impactt scoring systems ?
> 
> Does anybody disagree ? I'd be interested to hear your point of view.

Hey Thierry - I hope all is well...

I'm happy to include "user assisted remote exploitation" as a "remote" 
vulnerability in academic conversations, but I don't categorize it as "remote" 
when assessing overall risk to a particular threat in production environments.  
Like everyone else, my TMs include impact and skill required to exploit a 
particular vulnerability; but they also include "likelihood of exploitation."   
While that may sound like a wildcard metric, I quantify it by applying the 
internal controls in place that may mitigate a particular attack.  In "my" 
networks (networks I control, design, or consult for) most users couldn't 
execute [common] exploits even if they wanted to.  I won't bore you with the 
controls I deploy as I'm confident you are well aware of the options one has, 
but the fact they exist at all place "user assisted remote exploits" in a 
different category for me when assessing risk.  When the propensity for a 
vulnerability to be exploited lies in a particular user's response to any given
  trigger, as opposed to any authoritative in-place controls to mitigate 
exposure, then a model's relevant response options are greatly diminished 
(IMO).  

As such, I choose to categorize "remote" exploits as those that may be executed 
against a given host that is autonomously running a [vulnerable] service that 
can be connected to by some (any) other network client, device, or service for 
the purposes of ascertaining overall risk. 

t

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/