An Overview of CVSS Score
The Common Vulnerability Scoring System (CVSS) is the industry standard for scoring the severity of a vulnerability. In this article, we will take a closer look at this score.
CVSS is maintained and created by the Forum of Incident Response and Security Teams (FIRST) and used mostly by NVD for rating vulnerabilities. The metric is designed to be repeatable based on objective assessments of some characteristics. The score is mainly used for two purposes, which are:
- To prioritize the work when remediating different vulnerabilities.
- To understand the characteristics and severity of a vulnerability.
The first is essential when the score is used for vulnerability evaluation and the second is used to ensure resources are allocated properly. With over 15,000 new vulnerabilities recorded in the NVD database every year, it’s possible that your organization will face issues finding solutions to vulnerabilities on a regular basis.
Different CVSS Scores
Although CVSS is most times known as one score, it typically has three different scores. This includes:
Base Score: This score showcases the internal properties of a vulnerability. It collects information that won’t change. Therefore, the base score is generally fixed throughout its lifetime. It consists of impact and exploitability metrics.
Temporal Score: This score is based on data that can change over time. This means that the score will change. Data that is used as input is exploitability, the status of available fixes and the report confidence.
Environmental Score: This score can be modified to how it affects a particular firm. It can be used to modify the different parts of the base metric and to alter the severity based on how the firm values particular impacts.
NVD only offers data for the base score. The other scores must be gathered through a third-party provider or compiled individually.
CVSS Metrics
The base score has some set of metrics. These metrics are selected to
- Reflect the exploitability of the vulnerability
- Determine its impact if exploited
These metrics and their granularity have evolved through the different versions of CVSS. There is a tradeoff between scoring complexity and granularity that must be taken into consideration when defining CVSS. A highly granular metric offers ideal score diversity, and it will also capture more information about the vulnerability.
A major aspect of the CVSS score is that two independent analysts must be able to offer the same score. Therefore, irrelevant options will not increase diversity and must be avoided. The base score is a combination of two scores: impact and exploitability. These are computed with eight metrics.
Selecting the Constants
The expressions and the numeric values for the different choices may seem subjective at first but much work has been put into selecting the expressions and the constants. They were determined by rating real vulnerabilities based on different options, ranking them in order of severity and also giving them a numeric score.
Qualitative Rating
In some cases, having a qualitative rating and not using the 0-10 score can be valuable. This is achieved by leveraging a simple mapping from a wide range of scores to a qualitative severity scale. For CVSS v3.2 and (V3.0) this mapping is given by:
Score Range Severity Rating
0.00 None
0.1-3.9 Low
4.0-6.9 Medium
7.0-8.9 High
9.0-10.0 Critical
Assuming the Worst-Case Scenario
If the original data is not available, the worst-case scenario is assumed. For the base score, if it’s not clear what option to use for a metric, the worst case should be selected. The temporal metrics always default to the worst case. For instance, if we do not know the status of an exploit, we assume that there is one and it is working. Therefore, the temporal score begins by being equal to the base score and additional information concerning fixes, exploits and report confidence can reduce the score.
Due to this factor, the temporal score is never above the base score. The environment score does not have this capacity because it depends on how essential or relevant some aspects of the vulnerability are to an organization.
CVSS Versions
The most recent version is CVSS v3.1 and the previous versions include v1.0, v2.0 and v3.0. There are major changes between v1.0, v2.0 and v3.0, both in granularity, which metrics to be added and how to calculate the score.
CVSS 1.0 was published in 2004 while CVSS 2.0 was published in 2007 and was adopted as an international standard for scoring vulnerabilities. The wide adoption of CVSS v2.0 allowed for identifying enhancements. Such improvements were included in CVSS 3.0 in 2015.
Expressions and metrics were not changed for v3.1, unlike v3.0. V3.1 updated the specification to clarify the guidance and to eliminate ambiguity when determining different metric options. The objective was to allow experts to make more informed and accurate decisions. In September 2019, NVD makes use of CVSS v3.1 for severity scoring for new CVEs and for those that are re-analyzed.
Using the CVSS Score
CVSS score can be used to understand the properties of a vulnerability. These are essential in triaging, where you determine the way to respond to the vulnerability. The response can be in the form of patching, reducing support for certain functionality or accepting the risk.
When it comes to risk, it is essential to know that the base score must not be seen as a risk metric but as a severity score. When calculating risk, the probability of exploitation and the impact are the major aspects that need to be taken into consideration.
Also, the CVSS base score only assesses fundamental parts of the vulnerability, and this is not enough for measuring the risk. The CVSS score should only be used as a part of the risk assessment and not as an actual measure of risk.
Conclusion
The base score does not convey vital information about the vulnerability, but the fundamental metrics, the assessment of the environment and the patch or exploit status is key to make the best decision.
Photo by engin akyurt on Unsplash
