Vulnerability management is critical given the large and growing number of cyber attacks that exploit vulnerabilities present in a software. Misjudging the severity of an existing vulnerability can lead to a range of unintended ramifications. The repercussions for an enterprise include legal battles, financial losses and reputational damage. It is essential to have a vulnerability management program in place to combat today’s modern cyber security challenges. Vulnerabilities in a software can be fixed with appropriate security measures only if their severity and impact are effectively identified.
CVSS is a standardized methodology used to determine the severity of vulnerabilities. The vulnerabilities are assigned specific scores that help prioritize remediation efforts. This article will take you through the important details pertaining to CVSS such as its versions, different metric groups, score calculation among others.
CVSS stands for Common Vulnerability Scoring System. It’s an open framework that helps understand the characteristics and severity of software vulnerabilities. When vendors use their own scoring methods, remediation efforts become difficult. CVSS enables the organization to use the same scoring framework to rate the severity of IT vulnerabilities across a range of software products. CVSS scores help security teams to prioritize the vulnerabilities that need immediate attention.
CVSS was first introduced in 2005 by NIAC. It is now owned and managed by the international Forum for Incident Response and Security Teams (FIRST). The Common Vulnerability Scoring System-Special Interest Group supported by FIRST was responsible for the initial design of the CVSS framework as well as testing and refining of formulas used in new CVSS versions. The CVSS SIG is made up of representatives from a broad range of industry sectors.
CVSS has gone through major and minor revisions since its inception. There are a total of three CVSS versions that have been released till date. Let’s have a look at each of these versions.
CVSS v1 was released by the US National Infrastructure Advisory Council (NIAP) in 2005. The objective was to create a standard for severity ratings of vulnerabilities in software.
CVSS v1 had several shortcomings which led to the development of CVSS v2. Released in 2007, CVSS version 2 was a significant improvement over the first version. It helped reduce inconsistencies and provided additional granularity along with reflecting the true properties of IT vulnerabilities despite the various vulnerability types.
Version 2 too had certain limitations which led to revisions resulting in the release of CVSS v3 in 2015. CVSS v3 is a more refined version as it addresses concerns such as the privileges required to exploit a vulnerability and the opportunities that the hacker can tap into once the vulnerability is exploited. CVSS version 3 again was revised and released as CVSS v3.1 in June 2019.
CVSS Metrics Groups
A CVSS score is made up of three sets of metrics namely base, temporal and environmental. The following sections shed light on each of these metrics in detail.
The base metric group represents the characteristics of the vulnerability. These characteristics remain the same across user environments. Base metric group consists of three subcore elements namely exploitability, scope and impact.
Exploitability metrics deal with the ease and technical means required to exploit a vulnerability.
Exploitability consists of four more sub-components which are attack vector, attack complexity, privileges required and user interaction.
- Attack vector: Attack vector represents the level of access required to exploit a vulnerability. A vulnerability that can be exploited remotely will be assigned higher scores whereas lower scores are associated with vulnerabilities that demand physical presence to be exploited.
- Attack complexity: The score here is dependent on factors outside of the attacker’s control to successfully exploit a vulnerability. Vulnerabilities that require extra efforts by an attacker to exploit will have higher scores compared to attacks that don’t require any additional work.
- Privileges required: This score relies on the level of privileges required by an attacker to exploit. The score will be higher if the attacker will need administrative privileges to exploit a vulnerability compared to exploits that require no authentication.
- User interaction: This is about whether the attacker will need the assistance of another user to exploit the vulnerability. If the attacker can complete the task with no external assistance, the score assigned will be higher.
Scope refers to the possibility of a vulnerability in one component impacting the other components in the system. Scope score is higher if successful exploitation of one vulnerability enables the attacker to gain access to other areas of the system.
Impact in base metrics refers to the consequences of an attack. The three sub-metrics of impact metrics include confidentiality, integrity and availability.
- Confidentiality score varies depending on the amount of data that can be accessed by the attacker after the exploit.
- Integrity refers to the extent to which an attacker can manipulate the data on the impacted system.
- Availability scores are dependent on the availability of the system for authorized users after the attack. The score will be high if the system is not accessible for users following the attack.
Temporal metrics reflect the characteristics of a vulnerability that change over time. But it doesn’t take into account the different user environments. Current exploitability as well as the availability of remediating factors are the major considerations here. Temporal metrics have sub components called Exploit Code Maturity, Remediation Level, and Report Confidence.
- Exploit code maturity: A vulnerability is potentially harmless until a method to exploit it comes into existence. But once an exploit code matures and becomes widely available, the risk increases leading to higher scores.
- Remediation level: The score goes down as and when appropriate remediation becomes available to fix a vulnerability.
- Report confidence: This measures the degree of confidence in the existence of a real vulnerability that is exploitable.
Environmental metrics represent the characteristics of a vulnerability while taking into account the user’s environment. These metrics allow the organization to customize the base CVSS score depending on security requirements and modification of base metrics.
- Security requirements: The significance of the IT asset in terms of confidentiality, integrity and availability is taken into consideration. For instance, vulnerabilities in critical assets like customer data are assigned higher scores compared to those in a non-privileged user’s workstation.
- Modified base metrics: The base CVSS metrics can be modified based on the mitigation efforts employed by an organization. With vulnerability management techniques like removal of external network connections or any other measures that block hacking attempts, the attack vector base metric score can be reduced.
A CVSS score can be anything between 0.0 and 10.0. The base score is derived from exploitability score and impact score. The base score is mandatory whereas temporal and environmental scores are optional. But the base score can be modified by scoring the temporal and environmental metrics. This helps to gain a deeper understanding of the severity of the vulnerability in a given environment at a given point of time.
It is recommended to consider the temporal and environmental metrics as they help arrive at more accurate scores. The base and temporal metrics are provided by the analysts or vendors in most cases as they have the most accurate information pertaining to the characteristics of a vulnerability. The environmental score is calculated by end-user organizations as they know best about the impact of a vulnerability in their computing environment.
Scoring these metrics is based on the assumption that the hacker has detected the vulnerabilities. There is no need to take into account the techniques used by the attackers to locate the vulnerabilities. For detailed information on how scores are assigned under exploitability, impact and scope metrics, click here.
CVSS Score Calculator
CVSS score calculator enables app developers to easily calculate the vulnerability scores. The CVSS calculator is based on the formula specified in the CVSS v3 standard. You have to enter correct metric values for a given vulnerability to obtain accurate scores. It is necessary to enter values for all base metrics. If one or more base metrics value is missing, no results will be displayed.
A reminder will be shown asking you to fill all the values.
As you fill all the values, you will get your CVSS score along with a vector string displayed below. A vector string is a textual representation of the metric values. Once you select all the base metrics, you can see the vector string added to the URL. As you make changes to the base metrics, the vector string will also be updated. The vector string enables you to copy the URL to restore the metrics and scores in future.
Click here if you want to understand how this calculator works and obtain the vulnerability score on the CVSS calculator.
To better understand the implications of CVSS scores, the NVD has provided qualitative severity ratings and categorized these scores into low, medium and high for CVSS v2.0 base metrics. In case of CVSS v3.0, the severity ratings can be categorized into none, low, medium, high and critical.
Here is a glimpse of the base score range and their corresponding severity ratings for CVSS v2.0 and CVSS v3.0.
CVSS v2.0 ratings
|Severity||Base score range|
|Low||0.0 – 3.9|
|Medium||4.0 – 6.9|
|High||7.0 – 10.0|
CVSS v3.0 ratings
|Severity||Base score range|
|Low||0.1 – 3.9|
|Medium||4.0 – 6.9|
|High||7.0 – 8.9|
|Critical||9.0 – 10.0|
Limitations of CVSS
Though CVSS scores help determine the severity of a vulnerability, there are several shortcomings to CVSS as a risk management tool. One of the most significant drawbacks is that only base scores and ratings are publicly available and they aren’t enough to gauge the impact of a vulnerability on a particular environment. CVSS scores don’t reflect the potential impact or the likelihood of exploitation.
Though a high CVSS score may lead you to believe that the vulnerability poses a great risk, it is not true in all cases. CVSS scores don’t take the context and timing into account thereby failing to address the realities facing your organization. A particular vulnerability with a high score may be unexploitable within your organization. At the same time, one with a low score can be exploited easily causing devastating impacts.
Context is important and you need to protect all the assets that are critical to your organization without solely depending on the scores. Attackers exploit vulnerabilities based on the goals they intend to achieve. Exploiting a low score vulnerability may be more profitable for the hackers and you will leave critical data exposed if all your attention is focused on fixing only high score vulnerabilities.
Security teams must prioritize vulnerabilities by considering the broader context. The ultimate goal should not be to channel all your resources in fixing vulnerabilities with the highest CVSS score but to patch all the vulnerabilities that are likely to be exploited by attackers in the real world.
CVSS is a critical tool to identify and detect the severity of vulnerabilities. CVSS has evolved as a useful tool that provides a common vocabulary for vendors and enterprises to convey the severity of vulnerabilities. Though it may not address all the complexities and challenges in the real world, it is a good starting point to strengthen security.
Hackers are utilizing advanced techniques to go past security barriers and extract sensitive information. A recent report revealed that around 50 percent of internal application vulnerabilities come under high or critical risk categories. As the widely published CVSS scores are composed of only base metrics, it is important to consider temporal and environmental factors too to ensure total security.
Despite its limitations, CVSS score is one of the important components of a vulnerability management program. Analyzing CVSS score along with implementation of robust security measures that help concentrate on risks that are most critical for your business will enhance your remediation efforts.
AppSealing is a robust mobile application security solution provider with specialization in safeguarding iOS, Android and Hybrid apps against unauthorized access. With cloud-based zero coding security solutions, it secures applications in runtime to thwart attacks and protect your brand image and reputation. Contact our team today to monitor threats in real-time and make data-driven decisions. Ensure complete protection of fintech, gaming, movies or any other applications with no impact on performance and win a competitive advantage.