What is the CVSS

Managing software vulnerabilities is a critical challenge for security teams. However, it can be difficult to communicate the complex details between organizations and departments, vendors, clients, and key non-technical stakeholders. That’s why the CVSS has become such a valuable tool in cybersecurity over the past two decades.

If you pay any attention to cybersecurity news, you’ve likely seen a CVSS score before. But what does the score, and all the letters associated with it, mean? This guide will break down the essentials of CVSS and its various metrics, ensuring you are well-equipped to understand this vital component of vulnerability management.

What is CVSS?

The Common Vulnerability Scoring System (CVSS) is a standardized framework used across the cybersecurity industry to evaluate and communicate the severity of software vulnerabilities. It is created and managed by FIRST (Forum of Incident Response and Security Teams) and is a central component of the CVE (Common Vulnerabilities and Exposures) system, which catalogues disclosed vulnerabilities for both open and closed source software and devices.

CVSS scores range from 0.0 to 10.0, where 0.0 represents no issue and 10.0 signifies a critical vulnerability. The vector string that accompanies a CVSS score efficiently communicates detailed information about the vulnerability. This information allows organizations to understand, prioritize, and respond to vulnerabilities in the way most appropriate for their environments.

CVSS has evolved through several versions since it was first published in 2003. The latest version, CVSS 4.0, was released in November 2023 and introduced enhancements to improve precision and usability. Meanwhile, CVSS 3.1, published in 2019, is also commonly used due to its widespread adoption and integration into existing and legacy systems.

Metric Groups

CVSS metrics are categorized into four distinct groups, providing a comprehensive assessment of vulnerabilities. These groups (Base, Supplemental, Environmental, and Threat Metrics) collectively ensure a thorough evaluation tailored to general and specific contexts, helping organizations prioritize and manage vulnerabilities effectively.

Base Metrics (Exploitability and Impact)

The Base Metric group captures the fundamental nature of a vulnerability. It is split into two subgroups: Exploitability (how easily a vulnerability can be leveraged) and Impact (what damage the vulnerability can cause).

Exploitability Metrics assess the characteristics of the vulnerable system, focusing on how easily an attacker can exploit it. These include:

  • Attack Vector: Measures how remotely an attacker can exploit the vulnerability, with values ranging from physical access to network-based attacks.
  • Attack Complexity: Evaluates the difficulty of exploiting the vulnerability, considering the need to circumvent security measures.
  • Privileges Required: Assesses the level of permissions an attacker must hold to successfully exploit the vulnerability.
  • User Interaction: Determines whether exploitation requires action from a person other than the attacker.

Meanwhile, Impact Metrics evaluate the consequences of a successful exploit on the vulnerable system:

  • Confidentiality (C): Measures the potential for data loss or leakage.
  • Integrity (I): Assesses the potential for data corruption and its impact.
  • Availability (A): Evaluates the potential impact on system uptime and functionality.

Threat Metrics

The Threat Metric group assesses the real-world exploitation of a vulnerability. It includes only one metric, "Exploit Maturity," which measures the likelihood of the vulnerability being exploited based on the availability of exploit techniques or code. This metric considers whether exploit code is publicly available, how sophisticated that code is, and whether the vulnerability is actively being exploited in the wild. Higher exploit maturity indicates a greater risk and increases the overall vulnerability score. This metric relies on current threat intelligence, and its values range from "Unreported" to "Attacked," reflecting the threat's severity and accessibility.

Environmental Metrics

The Environmental Metrics enable analysts to customize scores based on the importance of the affected IT asset within an organization, considering complementary security controls in place. These metrics adjust the Base Metrics to better reflect the specific environment's context and risk tolerance.

  • Confidentiality Requirement (CR): Reflects how crucial data confidentiality is for the organization, with values of Low, Medium, or High.
  • Integrity Requirement (IR): Measures the importance of maintaining data accuracy and trustworthiness, rated as Low, Medium, or High.
  • Availability Requirement (AR): Assesses the need for system uptime and accessibility, categorized as Low, Medium, or High.

Modified Base Metrics allow organizations to review a vulnerability and customize the score based on their own unique environment. For example, a device that is vulnerable to a network-based attack but runs in an air-gapped environment would, in practice, require physical access to exploit, and the modified Attack Vector can reflect that.

Supplemental Metrics

The Supplemental Metrics group, introduced in CVSS 4.0, provides additional extrinsic attributes of a vulnerability, offering more context without impacting the final CVSS score. These metrics allow organizations to better understand the vulnerability and structure their response based on their specific environment.

  • Safety: Indicates the potential for physical injury due to the vulnerability, such as in an Industrial IoT device.
  • Automatable: Describes whether exploitation can be automated, allowing threat actors to increase the scale and speed of an attack.
  • Provider Urgency: Reflects the urgency of addressing the vulnerability as assessed by the provider, rated as Red, Amber, Green, or Clear.
  • Recovery: Describes how well a system is expected to be recoverable and restorable after an attack.
  • Value Density: Indicates the resources an attacker could gain control of through a single exploit, which could enable them to launch further attacks.
  • Vulnerability Response Effort: Measures how challenging or time-consuming it is to respond to the vulnerability.


By considering these four metric groups, CVSS provides a comprehensive framework for assessing and managing vulnerabilities tailored to both general and specific contexts.


CVSS Scoring

The CVSS scoring system is designed to provide a transparent and standardized way to assess the severity of software vulnerabilities. A key component of that is the overall numerical score, which provides a quick way to gauge the overall risk posed. The score ranges from 0 to 10, with vulnerabilities categorized as Low (0-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10). This score helps organizations prioritize their vulnerability management efforts, focusing on the most severe issues first.

Scoring does not necessarily include all four metric groups (Base, Supplemental, Environmental, and Threat). The CVSS score is labeled to indicate which metric groups were evaluated, ensuring transparency and context. This flexibility allows for tailored assessments that reflect the specific characteristics and needs of different environments and situations.

An essential component of CVSS scoring is the vector string, a textual representation of how each metric was scored. This string is designed to be consistent, standardized, and machine-readable. It enables threat intelligence and vulnerability management platforms to automatically ingest and interpret a vulnerability disclosure that uses CVSS. The detailed breakdown of the scoring in the vector string also promotes transparency, allowing an analyst to double-check and verify the risk estimate provided by the original scorer.
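Because the vector string is meant to be machine-readable, the ingestion step described above can be made concrete: the Python below validates a CVSS 4.0 vector, derives the CVSS-B/BT/BE/BTE label for the metric groups that were evaluated, and applies the severity bands listed earlier. This is an added example, not code from the article or from FIRST; the metric names and allowed values are transcribed from the public CVSS 4.0 specification, and the sample vector is constructed.

```python
# CVSS 4.0 metric groups and allowed values ("X" = Not Defined), transcribed from the public spec.
CIA = ("H", "L", "N")
BASE = {"AV": ("N", "A", "L", "P"), "AC": ("L", "H"), "AT": ("N", "P"),
        "PR": ("N", "L", "H"), "UI": ("N", "P", "A"),
        "VC": CIA, "VI": CIA, "VA": CIA, "SC": CIA, "SI": CIA, "SA": CIA}
THREAT = {"E": ("X", "A", "P", "U")}
ENVIRONMENTAL = {req: ("X", "H", "M", "L") for req in ("CR", "IR", "AR")}
for name, values in BASE.items():   # Modified Base metrics mirror the Base ones (+ Safety for MSI/MSA)
    ENVIRONMENTAL["M" + name] = ("X",) + values + (("S",) if name in ("SI", "SA") else ())
SUPPLEMENTAL = {"S": ("X", "N", "P"), "AU": ("X", "N", "Y"), "R": ("X", "A", "U", "I"),
                "V": ("X", "D", "C"), "RE": ("X", "L", "M", "H"),
                "U": ("X", "Clear", "Green", "Amber", "Red")}
ALL = {**BASE, **THREAT, **ENVIRONMENTAL, **SUPPLEMENTAL}

def parse_vector(vector):
    """Split a CVSS 4.0 vector string into {metric: value}, rejecting anything malformed."""
    prefix, *parts = vector.split("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS 4.0 vector: " + prefix)
    metrics = {}
    for part in parts:
        name, _, value = part.partition(":")
        if name in metrics or value not in ALL.get(name, ()):
            raise ValueError("unknown, malformed or duplicate metric: " + part)
        metrics[name] = value
    missing = BASE.keys() - metrics.keys()
    if missing:   # every Base metric is mandatory; the other groups are optional
        raise ValueError("missing Base metrics: " + ", ".join(sorted(missing)))
    return metrics

def nomenclature(metrics):
    """Label which groups were evaluated: CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE."""
    defined = {k for k, v in metrics.items() if v != "X"}   # "X" counts as not evaluated
    label = "CVSS-B"
    if THREAT.keys() & defined:
        label += "T"
    if ENVIRONMENTAL.keys() & defined:
        label += "E"
    return label

def severity(score):
    """Qualitative rating for a numeric score; the spec rates exactly 0.0 as None, not Low."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("score out of range: %r" % score)
    bands = ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical"))
    return next(rating for limit, rating in bands if score <= limit)

if __name__ == "__main__":   # constructed sample vector, not taken from any real advisory
    sample = parse_vector("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A")
    print(nomenclature(sample), sample)
```

Because parse_vector raises ValueError on any malformed, unknown or duplicated metric, a platform can reject a bad vector at ingestion instead of silently scoring or ticketing it.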

The CVSS scoring system offers a comprehensive and adaptable method for evaluating vulnerabilities. Using a combination of numeric scores and detailed vector strings, CVSS enables organizations to communicate, prioritize, and manage security risks in a standardized manner.

Conclusion

In the complex world of cybersecurity, effectively managing software vulnerabilities is crucial. The Common Vulnerability Scoring System (CVSS) provides a robust framework for evaluating and communicating the severity of vulnerabilities, helping organizations prioritize their response efforts and enhance their security posture. By understanding the various metric groups (Base, Threat, Environmental, and Supplemental), organizations can gain a comprehensive view of their vulnerability landscape.

Atlantic Data Security is here to help you navigate the challenges of cybersecurity. Speak with one of our advisors today to learn how we can assist you in leveraging CVSS to strengthen your organization's defenses and stay ahead of potential threats.