
Let's say that there is a company which does not have a firewall, and it is possible to perform an enumeration of ports and services.

Could it be considered a vulnerability if it provides fingerprinting information? Or is it only considered a vulnerability in the process of exploitation?

To be more precise, I have found a port for a legit service that is not protected outside of their DMZ and is providing information to exploit some other real vulnerabilities in other services. In fact, it is providing the version of the MySQL server that they use which is quite old and highly vulnerable.

How should I report it? If I cannot set a CVSS score, they will assume that there is no associated risk.

Stephen King
Cod1ngFree
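The fingerprinting described in the question needs no credentials: a MySQL server sends its version string to every client in the very first packet, before any authentication. The script below is an added example, not code from the question or the answers. It parses a MySQL Protocol::HandshakeV10 greeting and runs against a constructed sample packet whose version string, connection id and salt bytes are made up for illustration; `grab_banner()` is the only function that touches the network and should only be pointed at hosts you are authorised to test.

```python
import re
import socket
import struct

# Capability bit from the MySQL client/server protocol; when set, the greeting
# ends with the NUL-terminated name of the server's default auth plugin.
CLIENT_PLUGIN_AUTH = 0x00080000


def parse_handshake(packet: bytes) -> dict:
    """Parse a MySQL Protocol::HandshakeV10 greeting, packet header included.

    Layout: 3-byte LE payload length, 1-byte sequence id, protocol version
    (0x0a), NUL-terminated server version, LE32 connection id, 8 salt bytes,
    filler, capability flags (low 16 bits), charset, status flags, capability
    flags (high 16 bits), auth data length, 10 reserved bytes, remaining salt
    bytes, and optionally the auth plugin name.
    """
    if len(packet) < 5:
        raise ValueError("packet too short")
    payload_len = int.from_bytes(packet[0:3], "little")
    payload = packet[4:4 + payload_len]
    if len(payload) != payload_len:
        raise ValueError("truncated packet")
    if payload[0] != 10:
        raise ValueError(f"unsupported protocol version {payload[0]}")
    end = payload.index(b"\x00", 1)
    server_version = payload[1:end].decode("ascii", "replace")
    pos = end + 1
    (conn_id,) = struct.unpack_from("<I", payload, pos)
    pos += 4 + 8 + 1                       # connection id, salt part 1, filler
    (cap_low,) = struct.unpack_from("<H", payload, pos)
    pos += 2
    charset = payload[pos]
    pos += 1
    (status,) = struct.unpack_from("<H", payload, pos)
    pos += 2
    (cap_high,) = struct.unpack_from("<H", payload, pos)
    pos += 2
    capabilities = cap_low | (cap_high << 16)
    auth_len = payload[pos]
    pos += 1 + 10                          # auth data length, reserved bytes
    pos += max(13, auth_len - 8)           # salt part 2
    plugin = None
    if capabilities & CLIENT_PLUGIN_AUTH:
        plugin = payload[pos:].split(b"\x00", 1)[0].decode("ascii", "replace")
    return {
        "sequence_id": packet[3],
        "server_version": server_version,
        "connection_id": conn_id,
        "capabilities": capabilities,
        "charset": charset,
        "status_flags": status,
        "auth_plugin": plugin,
    }


def version_tuple(server_version: str) -> tuple:
    """Reduce a banner to (major, minor, patch) for comparison with a patch
    baseline. MariaDB 10.x prefixes its banner with '5.5.5-' for replication
    compatibility, so that prefix is stripped before reading the real version."""
    v = server_version
    if "MariaDB" in v and v.startswith("5.5.5-"):
        v = v[len("5.5.5-"):]
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised version string {server_version!r}")
    return tuple(int(x) for x in m.groups())


def build_handshake(server_version: str, conn_id: int, capabilities: int,
                    plugin: str, salt: bytes = b"A" * 20) -> bytes:
    """Assemble a HandshakeV10 greeting; used here only to construct a sample."""
    body = bytes([10]) + server_version.encode("ascii") + b"\x00"
    body += struct.pack("<I", conn_id) + salt[:8] + b"\x00"
    body += struct.pack("<H", capabilities & 0xFFFF) + bytes([0x21])
    body += struct.pack("<H", 0x0002) + struct.pack("<H", capabilities >> 16)
    body += bytes([len(salt) + 1]) + b"\x00" * 10 + salt[8:] + b"\x00"
    body += plugin.encode("ascii") + b"\x00"
    return len(body).to_bytes(3, "little") + b"\x00" + body


# Constructed sample greeting (version string, id and salt are invented).
SAMPLE_GREETING = build_handshake("5.5.62-0+deb8u1", 1234, 0x0008F7FF,
                                  "mysql_native_password")


def grab_banner(host: str, port: int = 3306, timeout: float = 3.0) -> dict:
    """Connect, read the unsolicited greeting and parse it (authorised hosts only)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return parse_handshake(s.recv(4096))


if __name__ == "__main__":
    info = parse_handshake(SAMPLE_GREETING)
    print(info["server_version"], version_tuple(info["server_version"]),
          info["auth_plugin"])
```

Running the script against the sample prints the version, its numeric tuple and the default auth plugin, which is exactly what a scanner reports from an exposed 3306/tcp and what a tester then compares against the vendor's fixed versions.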

2 Answers


CVE is meant for specific security-related bugs in software.
"Some single random company has a bad IT department" is not something to write there.

All mentioned problems boil down to a bad IT department, namely wrong FW configuration (not the same as a FW software bug), and no updates on their DB ("no updates made by the admin" is again not a software bug).

user155462

Even if there's no specific CVSS, you can still consider it a finding from a security and industry best practice perspective. Once you provide them with your findings, they [are supposed to] have a responsibility to rank the findings in your report and mitigate or resolve accordingly.

If they are doing the testing in order to align with some compliance or other security standard, there may be requirements which they're contravening through the current configuration.

Your finding suggests the business may have some of the following issues:

  • A public firewall with open inbound ports to the database server - maybe there is business justification, maybe no ruleset reviews are performed

  • A DMZ containing a database server - maybe the database server should be in a non-public facing VLAN

  • A poor systems update and patching policy

  • A lack of security awareness/training

  • A lack of vulnerability management processes - the business should have identified and remedied this issue without needing to hire a third party to tell them

AndyMac
  • But even if it is a best practice, if it is not measurable they could take it as an advisory, not as a requirement. But I guess that I forgot about the role of the risk analysis and its methodologies. – Cod1ngFree Mar 28 '18 at 15:37