As a security professional, being able to accurately assess and prioritize vulnerabilities is a critical skill. To do that you need to know CVSS (the Common Vulnerability Scoring System), one of the most widely used severity rating systems for vulnerabilities. Let’s break down what a security professional should know about CVSS in this blog post.
What is CVSS?
First of all, what is CVSS? CVSS is an open industry standard for assessing the severity of software vulnerabilities. It captures the principal characteristics of a vulnerability and produces a numerical score reflecting that severity. The score can then be translated into a qualitative rating (None, Low, Medium, High or Critical) to help organizations assess and prioritize vulnerabilities consistently.
A Brief History of CVSS
Before CVSS was introduced in 2005, there was no standardized way to characterize and score vulnerabilities. Each security vendor had its own scoring system and terminology. This made it very difficult to compare the severity of vulnerabilities across different software products and systems, let alone prioritize them.
CVSS was created through a collaboration between the National Infrastructure Advisory Council (NIAC) and a community of vulnerability experts to address this problem. The goal was to establish an open standard that could be used by all parties to consistently rate vulnerabilities.
The first version, CVSS v1.0, was adopted quickly on the strength of its approach. However, early feedback highlighted problems with the consistency and accuracy of scores, which led to CVSS v2.0 in June 2007 with a refined set of metrics.
CVSS v3.0 was released in June 2015 with new metrics (such as Scope, User Interaction and Privileges Required) that increase granularity. CVSS v3.1 followed in June 2019; it kept the same metrics and focused on clarifying definitions and fixing details of the scoring formula rather than adding new ones, so it stays compatible with v3.0 vectors. It is the version this post covers.
Over its 17+ year journey, CVSS has become an essential standard in the vulnerability management ecosystem. It is used by vulnerability databases such as the NVD, vulnerability scanners, threat intelligence services, risk analysis platforms and security operations teams across the world.
Key Elements of CVSS v3.1
The CVSS v3.1 score is calculated from three metric groups: Base, Temporal and Environmental.
The base metrics represent the intrinsic qualities of a vulnerability that are constant over time and across user environments. They measure two things: how easily the vulnerability can be exploited (exploitability) and what a successful exploit can do (impact).
Some key base metrics are:
- Attack Vector (AV) – The context from which the vulnerability can be exploited: Network (N), Adjacent (A), Local (L) or Physical (P). Network scores highest because the attacker needs no local or physical access.
- Attack Complexity (AC) – Low (L) or High (H). Low means there are no conditions outside the attacker’s control (such as a race to win or a specific configuration to discover), so it scores higher.
- Privileges Required (PR) – None (N), Low (L) or High (H): the privileges an attacker must already hold before exploiting the vulnerability. None scores highest.
- User Interaction (UI) – None (N) or Required (R): whether a user other than the attacker must do something (open a file, click a link) for the exploit to succeed. None scores highest.
- Scope (S) – Unchanged (U) or Changed (C): whether exploiting the vulnerable component can affect resources governed by a different security authority, as in a guest-to-host escape from a virtual machine or a sandbox escape in a browser. Changed scores higher and also switches the scoring equation.
- Confidentiality Impact (C) – High (H), Low (L) or None (N): how much information in the impacted component is disclosed.
- Integrity Impact (I) – High (H), Low (L) or None (N): how much data in the impacted component can be modified.
- Availability Impact (A) – High (H), Low (L) or None (N): how much access to the impacted component is denied.
Temporal metrics represent characteristics of a vulnerability that change over time, for example as exploit code is published or a vendor ships a fix. Any temporal metric left as Not Defined (X) has no effect on the score. Key temporal metrics include:
- Exploit Code Maturity (E) – Unproven (U), Proof-of-Concept (P), Functional (F) or High (H). The more mature and available the exploit code, the higher the score.
- Remediation Level (RL) – Official Fix (O), Temporary Fix (T), Workaround (W) or Unavailable (U). The less complete the fix, the higher the score.
- Report Confidence (RC) – Unknown (U), Reasonable (R) or Confirmed (C). Lower confidence discounts the score; Confirmed leaves it unchanged.
Environmental metrics let you tailor the score to your own environment: the Security Requirements state how much confidentiality, integrity and availability matter for the affected asset, and the Modified Base Metrics override any base metric to reflect how the vulnerable component is actually deployed.
Some key environmental metrics are:
- Confidentiality Requirement (CR), Integrity Requirement (IR), Availability Requirement (AR) – Not Defined (X), Low (L), Medium (M) or High (H), set per asset or organization. High weights the corresponding impact more heavily; Low weights it less.
- Modified Base Metrics (MAV, MAC, MPR, MUI, MS, MC, MI, MA) – Every base metric has a modified counterpart that, when set, replaces the base value in the environmental calculation. For example, MAV:L records that a network-facing service is reachable only from the host itself in your deployment, and MPR:H that the vulnerable function is exposed only to administrators in your configuration.
Each metric group yields a score between 0.0 and 10.0, with 10 being the most severe. Organizations use the base score to understand a vulnerability’s intrinsic severity and then refine it for their situation with the temporal and environmental metrics.
CVSS v3.1 Formula
At a high level the three CVSS v3.1 scores build on one another:
Temporal Score = Roundup(Base Score × E × RL × RC)
Environmental Score = Roundup(Modified Base Score × E × RL × RC)
where the Modified Base Score is the base equation recomputed with the modified base metrics and the C/I/A requirements. The three scores are not simply multiplied together: each of them is itself a value between 0 and 10.
The actual computations behind these equations are more involved. They are defined in the CVSS v3.1 Specification maintained by the Forum of Incident Response and Security Teams (FIRST), the non-profit that owns the CVSS standard.
The specification is a lengthy document, but as practitioners we are mostly concerned with setting the metrics correctly from the vulnerability’s characteristics; the arithmetic is done by scanners, the NVD and the FIRST online calculator.
Here is a simplified overview of how scores are determined:
The base equation computes an Exploitability sub-score from Attack Vector, Attack Complexity, Privileges Required and User Interaction, and an Impact sub-score from Confidentiality, Integrity and Availability (using a different impact equation when Scope is Changed).
If the Impact sub-score is zero or less, the base score is 0. Otherwise the two sub-scores are added (and multiplied by 1.08 when Scope is Changed), capped at 10 and rounded up to one decimal to give the 0-10 base score.
The temporal score multiplies the base score by the Exploit Code Maturity, Remediation Level and Report Confidence multipliers and rounds up again.
Each temporal metric value maps to a fixed decimal multiplier between 0.91 and 1.0; the most severe value and Not Defined are both 1.0, so a temporal score is never higher than the base score.
The environmental score recomputes the base equation with the modified base metrics, weights each impact metric by its Security Requirement (High 1.5, Medium 1.0, Low 0.5) with the combined impact capped, and then applies the same temporal multipliers.
Setting a requirement to High makes that impact weigh more, so the environmental score can rise above the base score; setting it to Low pulls it below.
Total CVSS Score
The final scores are rounded up (not off) to one decimal place, so they appear as values such as 5.4 or 9.8 on a scale of 0.0 to 10.0. Scores map to qualitative severity bands: 0.0 None, 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High and 9.0-10.0 Critical.
As you can see, while the high-level structure is simple, the actual calculations are involved and deliberately rigorous. Fortunately, security analysts mainly need to understand a vulnerability’s characteristics well enough to set the metrics accurately and can leave the arithmetic to tooling.
Understanding the CVSS Vector String
When analyzing vulnerabilities you will often come across a CVSS vector string. It is a compact text representation of the value assigned to every metric, which means anyone can recompute the score and see why it came out as it did.
Here is an example CVSS vector string:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
This may look confusing at first, but the structure is quite simple. Here is what each element conveys:
- CVSS:3.1 – Specifies the version of CVSS
- AV:N – Attack Vector is Network (N) – Vulnerability can be exploited remotely over the network
- AC:L – Attack Complexity is Low (L) – No special conditions outside the attacker’s control are required
- PR:N – Privileges Required is None (N) – Attacker needs no privileges or authentication at all
- UI:N – User Interaction is None (N) – No user interaction required for a successful exploit
- S:U – Scope is Unchanged (U) – Vulnerability only impacts resources managed by the same security authority
- C:H – Confidentiality Impact is High (H) – Total loss of confidentiality of the impacted component
- I:H – Integrity Impact is High (H) – Vulnerability allows full modification of the impacted component
- A:H – Availability Impact is High (H) – Leads to total denial of access to the impacted component
As you can see, the vector string captures every scoring metric in a compact, unambiguous format. This particular vector evaluates to a base score of 9.8 (Critical). Temporal and environmental metrics, when set, are appended to the same string in the same Metric:Value form, for example /E:P/RL:O/RC:C.
CVSS Use Cases
Now that you have a solid grasp of CVSS concepts, let’s talk about some practical use cases:
Standardized severity ratings
CVSS enables standardized severity ratings for comparing vulnerabilities across the diverse systems in an organization – web applications, cloud servers, networking devices, user workstations and so on.
By sorting vulnerabilities by CVSS score you can prioritize the most severe issues for patching across the enterprise, so that limited security resources go where they matter most. Base scores alone give a technical ranking; add environmental metrics (and exploit intelligence) before treating that ranking as a risk ranking.
Estimating vulnerability risk to the organization
CVSS metrics, especially the environmental group, let you estimate how much damage a weaponized vulnerability could do in your environment rather than in the abstract.
For example, a remote code execution flaw in a database that stores customer data (high confidentiality and integrity requirements) warrants a higher environmental score than a denial of service on a marketing website, even if the two carry the same base score.
Benchmarking risk levels over time
Tracking longitudinal changes in CVSS scores provides insight into risk trajectory – is it improving or worsening?
Organizations can identify unusual spikes that need investigation. Steady improvements suggest that vulnerability management programs are delivering results.
Risk based budgeting for security
CVSS scores measure technical severity, one of the inputs to business impact, so they can help guide the investment of security resources.
Higher budgets may be warranted for segments with more high/critical vulnerabilities. As scores decrease over time, budget can be optimized to address residual risk.
Cost/benefit analysis of fixes
Do the costs of implementing a fix outweigh the risk indicated by CVSS scores?
CVSS scores help answer this question, especially when the temporal metrics (exploit maturity, remediation level) are filled in, and prevent wasting resources on vulnerabilities that pose negligible real-world risk.
Measuring vendor performance
Tracking vulnerability severity scores and longevity over time provides insight into vendor security quality.
Vendors releasing fixes for critical vulnerabilities sooner may be preferred over those taking months.
Real World Challenges
While CVSS has provided a common language for vulnerability management, it has some real-world implementation challenges:
Subjective interpretations – Classifying some metrics like attack vector, complexity and privileges required involves subjective analysis. Researchers may differ in their interpretation.
Prioritization conflicts – Strict CVSS based prioritization may sometimes conflict with business needs forcing exceptions.
Calculating temporal/environmental scores – These need per-organization input and continuous updating, which is impractical to do by hand at scale, so most programs fall back on the published base score alone.
Communicating severity – Conveying nuanced risk levels to senior management can be difficult requiring simplification.
Legacy systems – Rigid reliance on CVSS scores risks breaking legacy systems not designed for constant patching.
Commercial interests – Vendors have incentives towards lower CVSS ratings that satisfy customer requirements but downplay risk.
Limited automation – Many vulnerability management tools import only the vendor’s or NVD’s base score and offer no way to apply temporal or environmental metrics, which is a key barrier to using CVSS beyond base scoring.
I hope this post has helped you understand CVSS better. As you gain more exposure to analyzing vulnerabilities, your ability to accurately assign CVSS metrics and scores will improve. Over time, you will be able to intuitively review vulnerability descriptions and quickly determine base, temporal and environmental metrics. This will help tremendously in reducing risk for your organization.
Here are some parting thoughts:
- Treat the mapping from CVSS scores to severity classes as a guideline – your business context should drive prioritization.
- Periodically review temporal and environmental metrics – threat landscape and business priorities change over time.
- Leverage automation wherever possible – scoring and prioritization manually does not scale.
- Understand the limitations of CVSS before relying on it completely: it rates technical severity, not the likelihood of exploitation or the business risk, so pair it with threat intelligence and asset context.
Let me know in the comments if you have any other questions regarding CVSS!