Questions about CVSS score of SSL/TLS certificate issues from Community Feed NVTs

OpenVAS using the Greenbone Community Feed (GCF) reports several standard SSL/TLS certificate issues, such as self-signed certificates and certificate name not matching the target FQDN, with a “log” severity level and score 0.0.

Is there a reason this happens, as especially the self-signed certificate should warrant a CVSS score closer to a medium severity (around 5) based on the potential impact enabling attackers to perform various MITM attacks…

You can use overrides to model your policy according to your needs.

I appreciate the quick response, but the problem I see with that is twofold:

  • The CVSS scoring mentioned above is not correct from a cyber security standpoint and should be corrected. Invalid certificate issues are security risks and should be identified as such.
  • Overrides work as interface filters but in reality do not change the underlying score value, meaning when the OpenVAS API is used, the original score is returned. Applying the override filter via the API, apart from being complicated, would create discrepancies between what the GUI shows and what the API returns.

A certificate, self-signed or not, is not a vulnerability; this is only a claim from the SSL CA industry. You can use a self-signed certificate totally securely if you pin it. Cipher and lengths are much more critical. If you disagree, use an override.

I would not want to argue semantics here, but your statement is significantly incorrect.
I am not advocating for paid CA certificates. You can as easily create your own CA using OpenSSL, use that to sign your domain certificates, and then add your CA to the trusted list. This is totally fine. But having a self-signed certificate, one where there is no CA chain (paid or own/free) and the certificate signs itself with its key, is a significant degradation of security.

In any case, can you elaborate on what would be the best way to apply overrides to OpenVAS API results (instead of using the GUI)?

Please create a new thread about this question in (there might be even existing threads there providing an answer). Such API questions are unrelated to the Vulnerability Tests category and should be asked and answered in a better fitting category to avoid mixing different questions / topics.


That is called self-signed :wink: Unknown issuer … and there is no way to know all the different issuers.
Anyway, we collect all certificates and you can build a GMP script to check the correct Root-CA.
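The distinction drawn earlier in the thread (a certificate that signs itself versus one that chains to a CA you have added to your trust list) and the "check the correct Root-CA" step suggested above can be made concrete with a small classifier. This is an added example, not code from the thread or from Greenbone; it assumes the `openssl` CLI is available and constructs throwaway certificates in a temporary directory so it runs offline.

```shell
#!/bin/sh
# Added example: classify a PEM certificate as self-signed, trusted-chain
# (chains to a CA in the given bundle) or untrusted. Assumes the openssl CLI.
set -e
WORK=$(mktemp -d)

# Constructed sample material (throwaway keys): a private root CA, a leaf
# it signs, and a leaf that signs itself with its own key.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Example Private Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=host.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -sha256 -out "$WORK/leaf.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=host.example.test" \
  -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null

# classify_cert CERT CA_BUNDLE
# Prints exactly one of: self-signed | trusted-chain | untrusted
classify_cert() {
  cert=$1
  bundle=$2
  subj=$(openssl x509 -in "$cert" -noout -subject)
  issr=$(openssl x509 -in "$cert" -noout -issuer)
  # Strip the "subject=" / "issuer=" prefixes so the DNs compare directly.
  # A cert whose issuer equals its subject AND verifies against itself
  # has no CA chain at all: that is the self-signed case from the thread.
  if [ "${subj#subject=}" = "${issr#issuer=}" ] \
     && openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1; then
    echo self-signed
  # Otherwise accept it only if it chains to a root in our own bundle
  # (the "own CA added to the trusted list" case).
  elif openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
    echo trusted-chain
  else
    echo untrusted
  fi
}

# Stand-alone run: show all three outcomes against the private CA bundle.
classify_cert "$WORK/self.pem" "$WORK/ca.pem"
classify_cert "$WORK/leaf.pem" "$WORK/ca.pem"
classify_cert "$WORK/leaf.pem" "$WORK/self.pem"
```

Point `classify_cert` at the certificates your scanner collected and at your organisation's Root-CA bundle; anything reported as `self-signed` or `untrusted` is what the thread's "check the correct Root-CA" script would flag.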