A failing grade
When reading CERT advisories in the ICS space I used to skim to the CVSS score as a quick way to assess what the vuln was. I rarely like what I see when I think about the actual vulnerability to which the score is applied.
CVSS, or the Common Vulnerability Scoring System, is meant to provide an abbreviated summary of how serious a vulnerability is. It boils a vulnerability down to a single base score built from two groups of metrics: exploitability (how the bug is reached, how hard it is to trigger, and whether an attacker needs to authenticate first) and impact (what a successful exploit does to the confidentiality, integrity and availability of the affected component).
There are two big problems with CVSS in the ICS space. For starters, it doesn’t tell us much about the ICS impact of a vulnerability: its impact metrics only speak of confidentiality, integrity and availability, so whether a bug can cause a loss of view or a loss of control for a control system is something it simply cannot express (and that would be nice to know). More importantly, the scores published in official advisories are often just plain wrong.
The latest example of this would be the Garrettcom Magnum switch advisory, released only a few weeks ago.
One of the discoverers, Ashish Kamble, has a good technical summary of the vulnerabilities here: https://community.qualys.com/blogs/securitylabs/2015/06/16/device-vulnerabilities-fixed-garrettcom-magnum-series .
There are a few interesting issues, chiefly surrounding how Ashish’s writeup conflicts with the ICS-CERT advisory: