What is CVSS
The Common Vulnerability Scoring System (CVSS) is an open and standardized framework used to rate the severity of security vulnerabilities in software. Developed to provide a universal standard, CVSS helps organizations understand and prioritize vulnerabilities based on their potential impact. Since its inception by the Forum of Incident Response and Security Teams (FIRST) in 2005, CVSS has evolved through various iterations, with the most recent version improving upon the accuracy and usability of the system.
CVSS Versions and Revisions
CVSS provides a way to capture the principal characteristics of a security vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.
Over time, CVSS has undergone several revisions to improve its accuracy and usability. Each successive version of CVSS refines the methodology for scoring and interpreting security vulnerabilities, ensuring it remains relevant in an evolving cybersecurity landscape.
- CVSS v1 - Introduced in 2005 by the National Infrastructure Advisory Council (NIAC), it was the first attempt to provide a standardized scoring system for vulnerabilities.
- CVSS v2 - Released in 2007, it improved scoring consistency and clarity. It introduced three metric groups: Base, Temporal, and Environmental metrics, providing a more dynamic scoring system that can account for different scenarios.
- CVSS v3.0 - Launched in 2015, this version introduced changes to address various shortcomings in CVSS v2, such as the scope of impact beyond the initially affected component and a more detailed method for measuring user interaction and privileges required.
- CVSS v3.1 - Released in 2019, this version clarifies and makes minor adjustments to the CVSS v3.0 guidelines without changing the underlying scoring system. It aims to make the scoring system easier to understand and apply.
- CVSS v4.0 - Released in 2023, this version expands the metric definitions to include a more detailed view of Attack Complexity and Requirements, offering a nuanced approach to assessing exploitation risks. These refinements improve the flexibility and accuracy of the CVSS framework, enabling more tailored and effective vulnerability management across different environments.
Components of CVSS
The Common Vulnerability Scoring System (CVSS) comprises three primary metric groups, each providing a unique perspective on vulnerability severity and context:
- Base Metrics: These are the core aspects of a vulnerability that are constant over time and across user environments. They assess the intrinsic qualities of a vulnerability, considering factors like the complexity of the attack, the required privileges to exploit it, and the potential impact on confidentiality, integrity, and availability.
- Temporal Metrics: These metrics account for factors that change over time, such as the availability of exploits or the existence of patches. They help refine the base score by considering the current state of the vulnerability's exploitability and the level of remediation available.
- Environmental Metrics: Tailored to reflect the specific impact of the vulnerability on an individual organization, these metrics consider customized factors such as the security requirements of affected systems and the potential collateral damage.
Together, these metrics provide a comprehensive and adaptable framework, allowing organizations to evaluate vulnerabilities within both global and local contexts.
Calculating CVSS Scores
The CVSS scoring system provides a standardized approach to assessing the severity of security vulnerabilities. Here, we break down the step-by-step calculation of CVSS scores into its component parts:
Understanding Base Metrics
Base Metrics provide the foundational score of a vulnerability and include factors such as Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, and Availability. Each factor is assessed and assigned a value that contributes to the base score.
Incorporating Temporal Metrics
Temporal Metrics adjust the base score to reflect the current exploitability and remediation status of a vulnerability. This includes Exploit Code Maturity, Remediation Level, and Report Confidence. Adjusting the base score with temporal metrics allows for a more time-sensitive assessment.
Applying Environmental Metrics
Environmental Metrics further modify the base score to account for the specific impact on an individual organization. These metrics include Collateral Damage Potential, Target Distribution, and Security Requirements for Confidentiality, Integrity, and Availability. This customization helps organizations prioritize vulnerabilities based on their unique environment and security posture.
Example CVSS Score Calculation
To illustrate, consider a vulnerability with high privileges required and no current fix. First, calculate the Base Score based on the intrinsic qualities of the vulnerability. Then, adjust this score with Temporal Metrics, considering the lack of a fix (Remediation Level). Finally, apply Environmental Metrics that reflect the particular importance of the system affected within your organization.
Let's calculate a CVSS v3 score using an example from a well-known vulnerability: CVE-2017-0144, better known as the vulnerability exploited by the WannaCry ransomware attack.
CVSS v3 Metrics for CVE-2017-0144:
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Changed (C)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): High (H)
Score Calculation:
- Base Score Calculation:
- Calculate the Impact Subscore from the Confidentiality, Integrity, and Availability weights (High = 0.56 for each):
ISS = 1 - [(1 - 0.56) * (1 - 0.56) * (1 - 0.56)]
If Scope is unchanged, Impact = 6.42 * ISS. If Scope is changed, as it is for this vulnerability, Impact = 7.52 * (ISS - 0.029) - 3.25 * (ISS - 0.02)^15
- Calculate the Exploitability Subscore from the Attack Vector, Attack Complexity, Privileges Required, and User Interaction weights:
Exploitability = 8.22 * 0.85 (AV: Network) * 0.77 (AC: Low) * 0.85 (PR: None) * 0.85 (UI: None)
- Overall Score:
- If Impact <= 0, then Base Score = 0; otherwise,
Base Score = Round_up(Min[(Impact + Exploitability), 10]) if Scope is unchanged. If Scope is changed, Base Score = Round_up(Min[1.08 * (Impact + Exploitability), 10]).
Online CVSS Calculator
FIRST provides online calculators to facilitate the process of calculating a CVSS score. For users looking to access this tool, the calculator can be found through the following link: CVSS v4 Calculator. This resource aims to assist users by providing an interactive interface to input vulnerability details and receive an immediate CVSS score, simplifying the evaluation of security threats.
What is the difference between CVE and CVSS?
CVE (Common Vulnerabilities and Exposures) and CVSS serve distinct roles in cybersecurity. CVE provides a standardized list of publicly known cybersecurity vulnerabilities, each identified by a unique number, along with a brief description to ensure clear communication. In contrast, CVSS offers a scoring system that evaluates the severity of these vulnerabilities on a scale from 0 to 10, helping organizations prioritize their security measures based on the potential impact of each vulnerability. While CVE identifies and catalogs the vulnerabilities, CVSS quantifies their severity to guide response efforts.
Conclusion
The Common Vulnerability Scoring System (CVSS) provides an essential framework for assessing the severity of security vulnerabilities. Its structured approach helps organizations worldwide prioritize vulnerabilities, manage risks, and comply with regulatory requirements effectively. Despite some challenges, such as its complex scoring system and static nature, CVSS remains a cornerstone in cybersecurity. As threats evolve, so will CVSS, adapting to provide more accurate and relevant information for securing information systems. This ongoing evolution will ensure that CVSS remains a valuable tool for cybersecurity professionals.