Vulnerability management is a crucial security strategy that helps software teams continually identify, assess, report, manage, and remediate software vulnerabilities. Embracing a vulnerability management program requires deep knowledge of the severity of vulnerabilities and the damage potential of a successful exploit. For a diligent assessment of vulnerability severity, security teams often use numerical scores that offer guidance on the impact of the security flaws.
The Common Vulnerability Scoring System (CVSS) is a scoring framework used to rate the severity of IT vulnerabilities and to prioritize their mitigation. This article discusses the Common Vulnerability Scoring System and how CVSS ratings are calculated for each exploitable vulnerability.
What is the Common Vulnerability Scoring System?
The Common Vulnerability Scoring System is an open framework for vulnerability prioritization and for textual representation of an organization’s security posture. CVSS provides a standardized approach to vulnerability management by defining metrics that describe the characteristics of each vulnerability encountered. The scoring system captures the principal characteristics of a known vulnerability and produces a numerical score that measures each identified flaw’s severity and technical impact.
Understanding CVSS Ratings
CVSS severity ratings are a numerical representation of different sets of information about a specific vulnerability. CVSS scores are built from three groups of metrics: base, temporal, and environmental metrics. The following section discusses the three groups and their contribution to the overall vulnerability score.
CVSS base score metrics represent the inherent characteristics of a vulnerability. These are static characteristics that do not change with time and are not influenced by the vulnerability’s current exploitability or by the availability of mitigations the enterprise has put in place.
Because CVSS base scores only offer guidance on vulnerability prioritization and patching, without accounting for the availability of patches or real-world exploits, these metrics are generally treated as the starting point of a vulnerability management program.
Base score metrics are divided into sub-score groups: Exploitability, Scope, and Impact.
Exploitability subscores help determine the attributes of a software component that make it vulnerable. These include:
- Attack vector – An attack vector represents the entry point used to initiate an attack. Its contribution to the base score is determined by the access complexity and authentication processes required to reach the software component. For instance, the score is higher for exploits that can be carried out remotely than for those that need physical access.
- Attack complexity – Describes how easy or difficult it is to exploit the vulnerability once it has been discovered. This score increases with factors outside the attacker’s control that are needed to access the system, such as credentials and session keys.
- Privileges required – This score depends on the access privileges necessary to orchestrate the attack. The score is highest in vulnerabilities that require administrative rights to exploit.
- User interaction – Depends on whether the attacker has to trick a registered user, or gain access to a user’s environment, to complete the exploit. The score is higher if the attacker can operate autonomously without the help of authorized users.
Scope base metrics denote whether a vulnerability in one part of the application can propagate to other components. The score is higher for vulnerabilities where one exploit can lead to a more profound compromise of the framework, such as successful attacks on operating systems or databases.
Impact metrics are based on the potential consequences of an attack. The impact subscore group is sub-divided into metrics such as:
- Confidentiality impact – Denotes how much data the attacker has access to.
- Integrity impact – Based on whether the attacker can alter data within the vulnerable systems.
- Availability impact – Describes the loss of availability after an exploit. The score is higher if the vulnerable software is no longer accessible to users after an exploit.
The temporal score metrics describe the attributes of a vulnerability that change over time, such as the current exploitability and availability of mitigations. Temporal values that contribute to the overall vulnerability score include:
- Exploit Code Maturity – This score increases as the code available to exploit the target system matures and becomes more stable.
- Remediation Level – This score decreases with more workarounds, fixes, and official patches becoming available.
- Report Confidence – This reflects the degree of confidence that the vulnerability is real and exploitable, from an unconfirmed report up to a validated proof of concept.
The environmental score allows organizations to modify base scores to account for internal aspects that may increase or reduce a vulnerability’s severity. Environmental metrics consist of modified base metrics combined with security requirements that define the criticality of a physical asset. These metrics help security teams modify the base metric based on mitigations, such as removing adjacent network access and “air gapping” a server.
CVSS Qualitative Ratings
Besides providing a numerical (0-10) representation of vulnerability severity, CVSS scores also include qualitative ratings to help inform the non-technical personnel of an enterprise. CVSS scores are mapped to textual qualitative ratings as shown below:
- 0.0: None
- 0.1 – 3.9: Low
- 4.0 – 6.9: Medium
- 7.0 – 8.9: High
- 9.0 – 10.0: Critical
Differences Between CVSS Base Score and Temporal Score
Differences between the base and temporal scores in CVSS include:
Base metrics represent the intrinsic qualities of a vulnerability that cannot change over time, while temporal metrics represent the characteristics that change over time.
The base score is determined by evaluating the scope, access vector, access complexity, authentication, confidentiality impact, integrity impact, and availability impact. This results in a range of 0-10, with 10 being the most severe.
The temporal score uses all the same factors as the base score but also accounts for how long the exploit window is open and any mitigations in place. This can result in a lower or higher severity than the base score.
CVE vs. CVSS – How Do They Differ?
Common Vulnerabilities and Exposures (CVE) is a list of known, publicly disclosed security vulnerabilities, while CVSS is the severity score assigned to a particular vulnerability. Since the CVE list itself does not carry CVSS scores, the National Vulnerability Database (NVD) is the recommended source for the CVSS scores assigned to CVE entries.
Some numeric scores for CVE entries are listed below:
- Remote Code Execution via data binding – CVE-2022-22965, CVSS Base Score 9.8 (Critical)
- Attacker-controlled LDAP in Apache Log4j – CVE-2021-44228, CVSS Base Score 10.0 (Critical)
- Lacking proper initialization in pipe buffer structure – CVE-2022-0847, CVSS Base Score 7.8 (High)
- Local Privilege Escalation in polkit’s pkexec – CVE-2021-4034, CVSS Base Score 7.8 (High)
What are the limitations of CVSS base scores?
CVSS vulnerability scores represent the severity of the vulnerability but do not denote the risk that exposure poses to the IT environment. Given the consistent growth of security vulnerabilities enterprises continue to face, an effective vulnerability management program should also account for the temporal and environmental impacts. Therefore, CVSS vulnerability scores should be used as part of a risk-based approach to vulnerability management for maximum effectiveness. However, it is impossible to correlate the CVSS score entirely with temporal and environmental factors since this requires internal knowledge of the IT assets used, identification of adequate security measures, and the existing real-world exploitability of a vulnerability.
What are CVSS calculators, and why are they important?
CVSS is a standard for measuring the severity of vulnerabilities in software. It’s used by security professionals, vendors, and customers to determine an issue’s seriousness. The more severe it is, the more likely someone will take action.
Publicly available vulnerability scores only consider base metrics, which do not indicate the actual risk posed by known vulnerabilities; an evaluation of organizational measures and affected assets is therefore still required. CVSS calculators help compute the base, temporal, and environmental scores for an organization’s internal environment. As a starting step, organizations can also leverage free CVSS calculators offered by FIRST, NIST, and Cisco to help evaluate temporal and environmental metrics.