CVSS is a standardized method used to determine the severity of vulnerabilities in the software across your technical assets. The vulnerabilities are assigned specific scores that help prioritize remediation efforts. This blog will take you through the essential details about CVSS, including its version history, different metric groups, and scoring.
Common Vulnerability Scoring System (CVSS)
CVSS stands for Common Vulnerability Scoring System. It’s an open framework that helps understand the characteristics and severity of software vulnerabilities. When suppliers of vulnerability management products use their own in-house developed scoring methods, remediation efforts become difficult. CVSS enables the organization to use the same scoring framework to rate the severity of IT vulnerabilities across a range of software products. CVSS scores help security teams to prioritize the vulnerabilities that need immediate attention.
CVSS was first introduced in 2005 by NIAC. It is now owned and managed by the International Forum for Incident Response and Security Teams (FIRST). The CVSS Special Interest Group (SIG) supported by FIRST was responsible for the initial design of the CVSS framework and the testing and refining of formulas used in new CVSS versions. The CVSS SIG comprises representatives from a broad range of industry sectors.
CVSS has gone through major and minor revisions since its inception. Three CVSS versions have been released to date.
CVSS v1 was released by the US National Infrastructure Advisory Council (NIAP) in 2005. The objective was to create a standard for severity ratings of vulnerabilities in software.
In 2007, CVSS version 2 significantly improved over the first version. It helped reduce inconsistencies, provided additional granularity, and reflected the actual properties of IT vulnerabilities despite the various vulnerability types.
CVSS v3 is a more refined version and the latest version, which is CVSS v3.1, was released in June 2019. It addresses the privileges required to exploit a vulnerability and the opportunities that the hacker can tap into once the vulnerability is exploited.
CVSS Metrics Groups
A CVSS score comprises three sets of metrics, namely base, temporal, and environmental.
The metric base group represents the characteristics of the vulnerability. These characteristics remain the same across user environments. The metric-based group comprises three sub-core elements: exploitability, scope, and impact.
Exploitability metrics deal with the ease and technical means required to exploit a vulnerability. Exploitability consists of four more sub-components: attack vector, attack complexity, privileges required, and user interaction.
- Attack vector: The attack vector represents the level of access required to exploit a vulnerability. A vulnerability that can be controlled remotely will be assigned higher scores, whereas lower scores are associated with vulnerabilities that demand physical presence to be used.
- Attack complexity: The score here depends on factors outside of the attacker’s control to exploit a vulnerability successfully. Vulnerabilities that require extra effort by an attacker will have higher scores than attacks that don’t need any additional work.
- Privileges required: This score relies on the level of privileges needed for an attacker to exploit. The score will be higher if the attacker needs administrative rights to exploit a vulnerability than exploits requiring no authentication.
- User interaction: This is about whether the attacker will need the assistance of another user to exploit the vulnerability. If the attacker can complete the task with no external help, the score assigned will be higher.
Scope refers to the possibility of a vulnerability in one component impacting the other components in the system. Scope score is higher if successfully exploiting one vulnerability enables the attacker to gain access to other system areas.
Impact in base metrics refers to the consequences of an attack. The three sub-metrics of impact metrics include confidentiality, integrity, and availability.
- Confidentiality: The confidentiality score varies depending on the amount of data accessed by the attacker after the exploit.
- Integrity: Integrity refers to the extent to which an attacker can manipulate the data on the impacted system.
- Availability: The availability scores depend on the system’s availability for authorized users after the attack. The score will be high if the system is not accessible to users following the attack.
Temporal metrics reflect the characteristics of a vulnerability that change over time. But it doesn’t consider the different user environments. Current exploitability and the availability of remediating factors are the primary considerations here. Temporal metrics have sub-components called Exploit Code Maturity, Remediation Level, and Report Confidence.
- Exploit code maturity: A vulnerability is potentially harmless until a method to exploit it exists. But once an exploit code matures and becomes widely available, the risk increases, leading to higher scores.
- Remediation level: The score goes down when appropriate remediation becomes available to fix a vulnerability.
- Report confidence: This measures the degree of confidence in the existence of a real vulnerability that is exploitable.
Environmental metrics represent the characteristics of a vulnerability while considering the user’s environment. These metrics allow the organization to customize the base CVSS score depending on security requirements and modification of base metrics.
- Security requirements: The significance of the IT asset in terms of confidentiality, integrity, and availability are taken into consideration. For instance, vulnerabilities in critical assets like customer data are assigned higher scores than those in a non-privileged user’s workstation.
- Modified base metrics: The base CVSS metrics can be modified based on the mitigation efforts employed by an organization. With vulnerability management techniques like removing external network connections or any other measures that block hacking attempts, the attack vector base metric score can be reduced.
A CVSS base score can be anything between 0.0 and 10.0. The base score is derived from the exploitability score and impact score. The base score is mandatory, whereas temporal and environmental scores are optional. But the base score can be modified by scoring the temporal and environmental metrics. This helps to understand the severity of the vulnerability in each environment at a given point in time.
Figure 1. CVSS scoring example - Holm Security's Security Center
CVSS is a critical methodology to identify the severity of vulnerabilities and is an essential part of any Next-Gen Vulnerability Management solution. It has evolved to provide a shared vocabulary for solution providers to convey the severity of vulnerabilities. However, CVSS should ideally be combined with threat intelligence that will identify specific threats such as ransomware as well as other exploit types so that you will be able to concentrate on the most critical risks threatening your business. Thereby enhancing your remediation efforts and lowering your attack surface.