Reading CVE descriptions and CVSS scores can often be spooky. However important and useful they are, they should always be taken with a grain of salt. Information security is an industry, and it is its job to find as many vulnerabilities as possible. Unfortunately, the promotion of cybersecurity is not uncommonly accompanied by the dissemination of FUD.
At the same time, the basic principles of security are:
- security measures must not be more troublesome or more expensive than recovery from the possible incidents;
- security risk assessment takes into account the probability of incidents in the long run;
- security measures often do not address each possible incident directly, but create conditions that make whole classes of incidents and risks impossible and/or irrelevant.
The bottom line is that information security risks and vulnerabilities should always be carefully assessed. To put it simply, one does not need an umbrella indoors or under a sun shining in a cloudless sky.
Here are some real-life examples.
- In the Linux world, too many CVEs are theoretical and do not exist in the wild: they are found by reading the source code of applications and utilities. A missing array bounds check on a procedure parameter results in a medium- to high-risk stack overflow CVE, and so on.
- Scanners are not perfect. They are unaware of context and purpose. For example:
  - IP routing being enabled is scored regardless of whether routing is a legitimate function of the server.
  - Source routing being enabled is scored even though IP routing is not allowed.
  - The SSH configuration does not deny root logins. That is scored despite the fact that root logins are disabled system-wide.
  - Command-line privilege escalation vulnerabilities are scored even though the server does not provide a multi-user environment or service.
  - ping is scored for having the SUID bit set, etc.
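The SSH root-login case above is a good illustration of context a scanner lacks: whether the finding matters depends on whether root actually has a login path. The following added example (not from the original post) triages that finding against constructed sshd_config and /etc/shadow samples; the sample values, the function names and the authorized_keys list are assumptions for illustration.

```python
import re

# Constructed sample inputs (not taken from any real host).
SSHD_CONFIG_DEFAULT = "Port 22\n#PermitRootLogin prohibit-password\nPasswordAuthentication yes\n"
SSHD_CONFIG_DENY = "PermitRootLogin no\n"
SSHD_CONFIG_ALLOW = "PermitRootLogin yes\nPasswordAuthentication yes\n"
SHADOW_ROOT_LOCKED = "root:!:19000:0:99999:7:::"                 # locked with passwd -l
SHADOW_ROOT_HASHED = "root:$6$saltsalt$fakehash:19000:0:99999:7:::"  # placeholder hash

def sshd_option(config: str, name: str, default: str) -> str:
    """Effective value of an sshd_config keyword: first match wins, comments are ignored."""
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(rf"(?i){name}\s+(\S+)", line)
        if m:
            return m.group(1).lower()
    return default

def root_password_usable(shadow_entry: str) -> bool:
    """True if root's shadow hash is neither locked ('!...') nor disabled ('*')."""
    pw = shadow_entry.split(":")[1]
    return bool(pw) and not pw.startswith("!") and pw != "*"

def triage_root_login(config: str, shadow_entry: str, authorized_keys: list) -> dict:
    """Decide whether the finding 'sshd does not deny root login' applies to this host."""
    # OpenSSH's compiled-in default is prohibit-password (key auth only).
    permit = sshd_option(config, "PermitRootLogin", "prohibit-password")
    if permit == "no":
        return {"applicable": False, "reason": "sshd denies root login"}
    password_auth = sshd_option(config, "PasswordAuthentication", "yes") == "yes"
    # A locked shadow hash blocks password logins only; key logins are governed by
    # root's authorized_keys, so the two paths are evaluated separately.
    via_password = permit == "yes" and password_auth and root_password_usable(shadow_entry)
    via_key = bool(authorized_keys)  # any value other than 'no' still permits key auth
    if via_password:
        return {"applicable": True, "reason": "root has a usable password and sshd accepts it"}
    if via_key:
        return {"applicable": True, "reason": "root has authorized SSH keys"}
    return {"applicable": False, "reason": "no root login path: password locked, no keys"}
```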