The Common Vulnerability Scoring System (CVSS) is a standardized, open framework for communicating the characteristics and severity of software vulnerabilities. It provides a numerical score reflecting the severity of a vulnerability, helping organizations prioritize their response efforts. This guide provides a comprehensive overview of CVSS, including its components, recent changes in version 4.0, and best practices for its implementation.
Understanding the CVSS Framework
CVSS consists of four metric groups, each contributing to the overall score:
- Base Metrics: These represent the intrinsic, fundamental characteristics of a vulnerability that are constant across time and different environments.
- Threat Metrics: These reflect characteristics of a vulnerability that can change over time, such as the existence of exploit code or active exploitation.
- Environmental Metrics: These represent the characteristics of a vulnerability that are unique to a user’s specific environment, reflecting the potential impact on their systems and data.
- Supplemental Metrics: These offer additional insights into a vulnerability’s characteristics without directly affecting the final score.
The Base metrics, combined with default values for Threat and Environmental metrics, generate an initial score ranging from 0 to 10. This score can be further refined by adjusting Threat and Environmental metrics based on threat intelligence and environmental factors. Supplemental metrics provide additional context but do not influence the final score. The entire assessment is represented in a CVSS vector string, a compact text format representing the metric values used to calculate the score.
CVSS version 4.0 incorporates Base, Threat, Environmental, and Supplemental metrics to comprehensively assess vulnerabilities.
Key Changes in CVSS Version 4.0
CVSS version 4.0 focuses on improving and clarifying the existing standard, addressing ambiguities, and enhancing its practical application. Key changes include:
CVSS Nomenclature: Communicating the Metrics Used
CVSS v4.0 introduces a clear naming convention to indicate which metric groups were used in calculating the score:
- CVSS-B: Base metrics only.
- CVSS-BE: Base and Environmental metrics.
- CVSS-BT: Base and Threat metrics.
- CVSS-BTE: Base, Threat, and Environmental metrics.
This nomenclature ensures transparency and allows users to understand the basis of the score. It should be used whenever a numerical CVSS value is displayed or communicated. Note that even without explicit Threat and Environmental metric selections, default values (“Not Defined”) are used to generate a complete score.
CVSS Base Score Measures Severity, Not Risk
CVSS v4.0 emphasizes that the Base score (CVSS-B) measures the severity of a vulnerability, not its risk. The Base score reflects the intrinsic characteristics of the vulnerability, independent of threat factors or the specific environment. A comprehensive risk assessment requires supplementing the Base score with Environmental and Threat metrics (CVSS-BTE).
Changes to Assessment Guidance
CVSS v4.0 provides additional guidance for consistent and defensible scoring across various situations, including:
- Scope Removed: The concept of Scope has been replaced with explicit references to the vulnerable system (VC, VI, VA) and any subsequent system (SC, SI, SA) affected, capturing impacts from both.
- Assessing Vulnerabilities in Software Libraries: New guidance clarifies how to assess the impact of vulnerabilities in libraries, considering the “reasonable worst-case scenario” for their use.
- Multiple CVSS Base Scores: Explicitly allows generating multiple Base scores for vulnerabilities affecting different product versions, platforms, or operating systems.
- Guidance for Using Environmental Security Requirements Metrics: Provides detailed guidance and examples for using the Confidentiality Requirement (CR), Integrity Requirement (IR), and Availability Requirement (AR) metrics.
- Guidance for Using Supplemental Metrics: Detailed information about assessing each of the new Supplemental Metrics is provided.
New Base Metric: Attack Requirements (AT)
CVSS v4.0 introduces the “Attack Requirements” (AT) metric to refine the “Attack Complexity” (AC) metric from CVSS v3.1. AC now focuses on the exploit engineering complexity needed to bypass security mitigations, while AT captures prerequisite conditions of the vulnerable component that enable the attack.
Updated Base Metric: User Interaction (UI)
The User Interaction metric is updated to provide more granularity:
- None (N): No user interaction required.
- Passive (P): Limited, involuntary user interaction with the attacker’s payload.
- Active (A): Specific, conscious user interaction with the attacker’s payload or active subversion of protection mechanisms.
Temporal Metrics Evolved to Threat Metrics
The Temporal Metric Group has been renamed the Threat Metric Group, with several changes:
- Remediation Level and Report Confidence retired.
- Exploit Code Maturity renamed Exploit Maturity.
- Enhanced impact for Threat Metric values.
The Threat Metric Group adjusts the Base score based on threat intelligence, addressing concerns that Base scores are often too high. The Exploit Maturity (E) metric is critical for reflecting the real-world threat landscape. Integrating vulnerability scan results with threat intelligence allows for a more accurate prioritization of vulnerabilities based on active exploitation.
The Threat Metric Group in CVSS v4 refines severity scores by incorporating real-world exploit maturity and threat intelligence.
The CVSS Extensions Framework
CVSS v4.0 defines a standardized method for extending CVSS with additional metrics and metric groups, enabling industry sectors like privacy or automotive to assess factors beyond the core standard.
Best Practices for CVSS Implementation
To maximize the effectiveness of CVSS in vulnerability management, consider these best practices:
Integrate Vulnerability Scan Results with Asset Management and Threat Intelligence
Combine vulnerability scan data with asset management information (asset class, security requirements) and threat intelligence feeds (Exploit Maturity) to generate more accurate CVSS-BTE scores and prioritize remediation efforts effectively. Automation is key to integrating these data sources efficiently.
Use Environmental Metrics to Reflect Your Environment
Customize the Environmental Metrics to reflect the specific security requirements and configurations of your environment. Consider factors like the Confidentiality, Integrity, and Availability requirements of affected systems. The Security Requirements (CR, IR, AR) metrics should be based on the classification level of the data, importance of accuracy, and uptime requirements of the device or the applications hosted by the device.
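The two practices above, as an added example that is not part of the original guide: scanner findings, an asset inventory and a threat feed are joined into CVSS-BTE vector strings, with Exploit Maturity (E) taken from the feed and the Security Requirements (CR, IR, AR) derived from each asset's data classification, accuracy need and uptime tier. All records, field names and mapping tables are constructed assumptions; anything the inventory or feed does not know is left at Not Defined (X) and the label reflects that.

```python
# Added example: join scanner output, an asset inventory and a threat feed into
# CVSS-BTE vector strings. All records are constructed, and the field names and
# mapping tables are assumptions for illustration, not part of the CVSS standard.
FINDINGS = [  # scanner output: asset, placeholder vulnerability id, CVSS-B vector
    {"asset": "web-01", "vuln": "VULN-EXAMPLE-1",
     "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},
    {"asset": "kiosk-07", "vuln": "VULN-EXAMPLE-2",
     "vector": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},
    {"asset": "decom-99", "vuln": "VULN-EXAMPLE-3",  # in neither inventory nor feed
     "vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},
]
ASSETS = {  # asset management: data classification, accuracy need, uptime tier
    "web-01": {"classification": "confidential", "accuracy": "critical", "uptime": "24x7"},
    "kiosk-07": {"classification": "public", "accuracy": "normal", "uptime": "business-hours"},
}
THREAT_FEED = {"VULN-EXAMPLE-1": "A", "VULN-EXAMPLE-2": "P"}  # Exploit Maturity (E) per vuln
# Security Requirements: CR from classification, IR from accuracy need, AR from uptime tier.
CR_MAP = {"restricted": "H", "confidential": "H", "internal": "M", "public": "L"}
IR_MAP = {"critical": "H", "normal": "M", "low": "L"}
AR_MAP = {"24x7": "H", "business-hours": "M", "best-effort": "L"}


def enrich(finding: dict, assets=ASSETS, feed=THREAT_FEED) -> tuple:
    """Return (enriched vector, nomenclature label) for one finding. Anything the
    inventory or feed does not know stays at X (Not Defined), and the label says so."""
    if not finding["vector"].startswith("CVSS:4.0/"):
        raise ValueError("expected a CVSS v4.0 Base vector from the scanner")
    asset = assets.get(finding["asset"], {})
    e = feed.get(finding["vuln"], "X")
    env = {"CR": CR_MAP.get(asset.get("classification"), "X"),
           "IR": IR_MAP.get(asset.get("accuracy"), "X"),
           "AR": AR_MAP.get(asset.get("uptime"), "X")}
    vector = finding["vector"] + f"/E:{e}" + "".join(f"/{k}:{v}" for k, v in env.items())
    label = "CVSS-B" + ("T" if e != "X" else "") + ("E" if any(v != "X" for v in env.values()) else "")
    return vector, label


if __name__ == "__main__":
    for f in FINDINGS:
        vector, label = enrich(f)
        print(f"{label:8} {f['asset']:9} {vector}")
```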
Understand Vulnerability Chaining
CVSS is designed to rate individual vulnerabilities. However, consider “vulnerability chaining,” where multiple vulnerabilities are exploited in a sequence to compromise a system. In these cases, assess the Exploitability of the initial vulnerability and the Impact of the final vulnerability in the chain.
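The chaining rule above, carried out as an added example that is not part of the original guide: the exploitability metrics (AV, AC, AT, PR, UI) are taken from the first link and the impact metrics (VC, VI, VA, SC, SI, SA) from the last, producing one Base vector for the chain. The two input vectors are constructed for illustration.

```python
# Added example: build one CVSS-B vector for a vulnerability chain by taking the
# exploitability metrics from the first link and the impact metrics from the last.
# Both input vectors below are constructed, not taken from any real advisory.
EXPLOITABILITY = ("AV", "AC", "AT", "PR", "UI")  # how the chain is entered
IMPACT = ("VC", "VI", "VA", "SC", "SI", "SA")    # what the chain finally achieves


def chain_vector(first: str, last: str) -> str:
    """CVSS-B vector for the chain: exploitability of `first`, impact of `last`.
    Inputs must be complete CVSS v4.0 Base vectors; validation is kept minimal here."""
    if not (first.startswith("CVSS:4.0/") and last.startswith("CVSS:4.0/")):
        raise ValueError("both inputs must be CVSS v4.0 vectors")
    entry, outcome = (dict(p.split(":", 1) for p in v.split("/")[1:]) for v in (first, last))
    try:
        picked = [f"{m}:{entry[m]}" for m in EXPLOITABILITY] + [f"{m}:{outcome[m]}" for m in IMPACT]
    except KeyError as missing:
        raise ValueError(f"missing Base metric {missing}") from None
    return "CVSS:4.0/" + "/".join(picked)


if __name__ == "__main__":
    # Link 1: reachable from the network without privileges, but on its own only leaks a little data.
    first = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
    # Link 2: needs local high-privilege access, but then fully compromises the host.
    last = "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
    print(chain_vector(first, last))
    # -> CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
```

Scoring the chain this way makes explicit why two individually modest findings can together deserve the attention of a single severe one.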
Correctly Interpret Impact Metrics
Confidentiality and Integrity metrics refer to impacts on data, while Availability refers to the operation of the service. Assess vulnerabilities based on the reasonable worst-case scenario, constraining impacts to what an attacker can confidently achieve.
Supplemental Metrics enhance CVSS v4 by providing additional context regarding safety, automation, and other considerations.
Leveraging Supplemental Metrics
The optional Supplemental Metrics group provides valuable context for vulnerabilities. Consider using metrics like:
- Safety: To reflect the potential for exploiting a vulnerability to cause physical harm or damage.
- Automatable: To indicate whether the kill chain (reconnaissance, weaponization, delivery, exploitation) can be reliably automated.
- Provider Urgency: To incorporate vendor-supplied severity ratings.
- Recovery: To describe the resilience of a Component/System to recover services after an attack has been performed.
- Value Density: To characterize the concentration or dispersion of value (e.g., data, assets) on the vulnerable system.
Conclusion
The Common Vulnerability Scoring System (CVSS) is an essential tool for vulnerability management, providing a standardized framework for assessing and communicating vulnerability severity. Understanding the components of CVSS, including the Base, Threat, Environmental, and Supplemental metrics, along with the changes introduced in version 4.0, enables organizations to effectively prioritize their security efforts and mitigate risks. By integrating CVSS with asset management, threat intelligence, and environmental considerations, organizations can achieve a more accurate and actionable view of their vulnerability landscape.
Resources
- FIRST: https://www.first.org/cvss/
- CVSS v4.0 Specification Document
- NIST National Vulnerability Database (NVD)
Disclaimer: This guide is for informational purposes only and should not be considered a substitute for professional security advice. Always refer to the official CVSS documentation for the most accurate and up-to-date information.