CVSS - DefenseLead

The Common Vulnerability Scoring System (CVSS) is a numerical scoring system that indicates the severity of an information security vulnerability. Security teams generally use these scores as part of a vulnerability management program to compare vulnerabilities with one another and to prioritize responses and resources according to the threat. Note that CVSS measures technical severity, not risk: a score says nothing about how exposed a given asset is or how likely exploitation is in a particular organization, which is why the Environmental metrics described below exist.

It is an open framework maintained by the Forum of Incident Response and Security Teams (FIRST), a US-based non-profit organization.

Scores are calculated from a formula and range from 0.0 to 10.0, with 10.0 being the most severe. The numerical score can be mapped to a qualitative rating (None, Low, Medium, High, or Critical) to help organizations prioritize their vulnerability management processes.

CVSS Score and Ratings (qualitative severity rating scale, CVSS v3.x):

  • None: 0.0

  • Low: 0.1 to 3.9

  • Medium: 4.0 to 6.9

  • High: 7.0 to 8.9

  • Critical: 9.0 to 10.0

Currently, CVSS is at version 3.1, released in June 2019.

CVSS Metric Categories:

CVSS is made up of three metric groups: Base, Temporal, and Environmental, as shown in the figure below:

CVSS 3.0 Metric categories

Security analysts using this framework (typically the vendor, a CNA, or a vulnerability database such as NVD) evaluate the vulnerability to produce the Base score and, if required, the Temporal score. The final step rests with the end-user, who calculates and merges in the Environmental score based on factors unique to their own business and systems.

Let’s dive into these metrics in a little more detail below.

  • Base Metric Group:

It represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. It does not take into account whether working exploit code exists in the wild; that is captured by the Temporal metrics.

The Base score is on a 0.0 to 10.0 scale and describes properties of the vulnerable software that do not change with time or environment. It is derived from two sub-scores, Exploitability and Impact, plus the Scope metric, which determines how the two are combined.

The Exploitability sub-score reflects the properties of the vulnerable component that make it easier or harder to exploit. It includes:

Attack Vector (AV) — the context in which exploitation is possible: Network, Adjacent, Local, or Physical. The more remote an attacker can be, the higher the score.

Attack Complexity (AC) — the conditions beyond the attacker's control that must exist before the vulnerability can be exploited, such as winning a race condition or first obtaining secret configuration details (Low or High).

Privileges Required (PR) — the level of privileges an attacker must already hold before exploiting the vulnerability (None, Low, or High).

User Interaction (UI) — whether a user other than the attacker must participate, for example by opening a file or clicking a link, for the exploit to succeed (None or Required).

The Impact sub-score measures the consequences of a successful exploit for the impacted component. It includes:

Scope (S) — whether a vulnerability in one component can affect resources beyond that component's security authority, for example a guest-to-host escape in a hypervisor (Unchanged or Changed). Strictly, Scope is its own Base metric rather than part of the Impact sub-score, but it determines which component the Confidentiality, Integrity, and Availability metrics are measured against and how Impact and Exploitability are combined.

Confidentiality (C) — the impact on the confidentiality of information managed by the impacted component, that is, how much data an attacker can read (None, Low, or High).

Integrity (I) — the impact on the trustworthiness and veracity of information, that is, how much data an attacker can modify (None, Low, or High).

Availability (A) — the impact on the availability of the impacted component, that is, how much of the service an attacker can deny (None, Low, or High).

  • The Temporal Metric Group:

It reflects the characteristics of a vulnerability that may change over time but not across user environments: the current state of exploit techniques and exploit code, the availability of remediating controls such as a patch, and confidence in the report itself.

Temporal metrics do not alter the Base metrics; they multiply the Base score by factors of at most 1.0, so the Temporal score can only be equal to or lower than the Base score, and metrics left as Not Defined (X) are neutral. The group includes three metrics:

Exploit Code Maturity (E) — the likelihood that the vulnerability will be attacked, based on the current state of exploit techniques and the public availability of exploit code (Unproven, Proof-of-Concept, Functional, High, or Not Defined).

Remediation Level (RL) — whether and how completely a fix is available (Official Fix, Temporary Fix, Workaround, Unavailable, or Not Defined).

Report Confidence (RC) — the degree of confidence that the vulnerability exists and that its technical details are credible (Unknown, Reasonable, Confirmed, or Not Defined).

  • The Environmental Metric Group:

It represents the characteristics of a vulnerability that are relevant to and unique to a particular user's environment. It refines the Base and current Temporal scores to reflect the severity of the vulnerability in that environment.

The group has two kinds of metrics. The Security Requirements (Confidentiality, Integrity, and Availability Requirement, each Low, Medium, High, or Not Defined) reweight the Confidentiality, Integrity, and Availability impact metrics according to how important each property is to the affected system. The Modified Base metrics (MAV, MAC, MPR, MUI, MS, MC, MI, MA) let the user override any Base metric value to reflect mitigations or configuration in their environment, for example a vulnerable service that is only reachable from an internal network.

For example, a High Confidentiality Requirement increases the weight given to the Confidentiality impact (1.5), raising the Environmental score; a Low Confidentiality Requirement decreases it (0.5); and a Medium Requirement leaves the weighting neutral (1.0).

CVSS Vector String:

The score is additionally represented as a vector string, a compressed textual representation of the metric values used to score the vulnerability. It is used to convey CVSS metric information in a concise form, and it should always be published alongside the numeric score so that the score can be reproduced and adjusted with Temporal and Environmental metrics.

The CVSS v3.1 vector string starts with the label "CVSS:" and the version number, "3.1". Metric information follows as a set of metrics, each preceded by a forward slash, "/", acting as a delimiter. Each metric is a metric name in abbreviated form, a colon, ":", and its associated metric value in abbreviated form.

For example, a vulnerability with base metric values of "Attack Vector: Network, Attack Complexity: Low, Privileges Required: High, User Interaction: None, Scope: Unchanged, Confidentiality: Low, Integrity: Low, Availability: None" and no specified Temporal or Environmental metrics would produce the following vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

The same example with the addition of "Exploit Code Maturity: Functional, Remediation Level: Not Defined", and with the metrics in a non-preferred ordering (which is permitted, although each metric may appear at most once), would produce the following vector:

CVSS:3.1/S:U/AV:N/AC:L/PR:H/UI:N/C:L/I:L/A:N/E:F/RL:X
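To make the metric groups and the vector format concrete, here is an added example (not code from DefenseLead) that parses a v3.1 vector in any metric order, validates it, and computes the Base and Temporal scores and their qualitative ratings using the weights and formulas published in the FIRST CVSS v3.1 specification. It scores the two vectors above and, going beyond the article, a Scope:Changed vector so both branches of the Base formula are exercised; Environmental metrics are out of scope here and are rejected by the parser.

```python
"""CVSS v3.1 vector parser and Base/Temporal score calculator.

Added example, not DefenseLead's code: weights and formulas follow the FIRST
CVSS v3.1 specification. Environmental metrics are out of scope and rejected.
"""
import math
import re

VERSION_PREFIX = "CVSS:3.1"
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}  # shared by the C, I and A impact metrics
# Numeric weight of each metric value; Scope (S) is a switch, not a weight.
WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27},  # when Scope is Unchanged
    "UI": {"N": 0.85, "R": 0.62},
    "C": CIA, "I": CIA, "A": CIA,
    "E": {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91},
    "RL": {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95},
    "RC": {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92},
}
PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}  # PR weights when Scope is Changed
ALLOWED = {**{n: set(v) for n, v in WEIGHTS.items()}, "S": {"U", "C"}}
BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")
TEMPORAL_METRICS = ("E", "RL", "RC")


def parse_vector(vector: str) -> dict:
    """Return {metric: value}. Any metric order is accepted, but the version
    label, metric names/values, duplicates and missing Base metrics are checked."""
    parts = vector.strip().split("/")
    if parts[0] != VERSION_PREFIX:
        raise ValueError(f"vector must start with {VERSION_PREFIX}/")
    metrics = {}
    for part in parts[1:]:
        m = re.fullmatch(r"([A-Z]{1,3}):([A-Z])", part)
        if not m or m[1] not in ALLOWED or m[2] not in ALLOWED[m[1]]:
            raise ValueError(f"unknown or malformed metric {part!r}")
        if m[1] in metrics:
            raise ValueError(f"metric {m[1]} given more than once")
        metrics[m[1]] = m[2]
    missing = [name for name in BASE_METRICS if name not in metrics]
    if missing:
        raise ValueError(f"missing Base metrics: {missing}")
    return metrics


def roundup(x: float) -> float:
    """Spec Roundup (Appendix A): round up to one decimal using integer
    arithmetic so float noise like 4.000000001 does not bump the score."""
    int_input = math.floor(x * 100000 + 0.5)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (int_input // 10000 + 1) / 10.0


def base_score(metrics: dict) -> float:
    changed = metrics["S"] == "C"
    c, i, a = (WEIGHTS[k][metrics[k]] for k in ("C", "I", "A"))
    iss = 1 - (1 - c) * (1 - i) * (1 - a)  # Impact Sub-Score
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    pr = (PR_CHANGED if changed else WEIGHTS["PR"])[metrics["PR"]]
    exploitability = (8.22 * WEIGHTS["AV"][metrics["AV"]] * WEIGHTS["AC"][metrics["AC"]]
                      * pr * WEIGHTS["UI"][metrics["UI"]])
    if impact <= 0:
        return 0.0  # no impact scores 0 regardless of exploitability
    total = impact + exploitability
    return roundup(min(1.08 * total if changed else total, 10))


def temporal_score(metrics: dict, base: float) -> float:
    factor = 1.0  # "X" (Not Defined) weighs 1.0, so omitted metrics are neutral
    for name in TEMPORAL_METRICS:
        factor *= WEIGHTS[name][metrics.get(name, "X")]
    return roundup(base * factor)


def rating(score: float) -> str:
    """Qualitative severity rating scale from the v3.1 specification."""
    for upper, label in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= upper:
            return label
    return "Critical"


def score_vector(vector: str) -> dict:
    metrics = parse_vector(vector)
    base = base_score(metrics)
    temporal = temporal_score(metrics, base)
    return {"base": base, "base_rating": rating(base),
            "temporal": temporal, "temporal_rating": rating(temporal)}


if __name__ == "__main__":
    # The two vectors from the article, plus a Scope:Changed (reflected XSS
    # style) vector to exercise the other branch of the Base formula.
    for v in ("CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
              "CVSS:3.1/S:U/AV:N/AC:L/PR:H/UI:N/C:L/I:L/A:N/E:F/RL:X",
              "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"):
        print(v, score_vector(v))
```

The first vector scores a Base of 3.8 (Low); adding E:F lowers the Temporal score to 3.7, which illustrates why Temporal metrics can only reduce a score. The reflected-XSS style vector shows the Scope:Changed branch (PR weights and the 1.08 multiplier) producing 6.1 (Medium). The parser rejects a wrong version label, duplicate metrics and missing Base metrics, which is the minimum check to apply before trusting a vector copied from a third-party advisory.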
