Security Diaries All About Security
Related Articles
We have seen that there is a lot of noise going around CVSS as FIRST has launched version 4.0 and in this article, I would like to discuss what is CVSS and how it evolved.
What is CVSS
CVSS stands for Common Vulnerability Scoring System. NIAC unveiled it on 23 February 2005. The purpose of CVSS is to provide a universal standard for the severity rating of software vulnerabilities.
CVSS is designed to convey the characteristics and severity of security vulnerability. It was initiated by NIAC but now CVSS is the custodian of the Forum of Incident Response and Security Teams(FIRST)
Introduction to CVSS
CVSS’s goal is to make anyone understand the severity of any software vulnerability. For example, consider the Log4j vulnerability which came to spoil security teams’ Christmas and New Year vacations.
Security teams might understand the severity by understanding what is the vulnerability, and how it can be exploited but laymen might not have the skill set to understand this. Even businesses are not interested in the vulnerability. The only thing vendors and companies look at is how severe is it, how will it impact us and how can it be fixed.
History of CVSS
Why CVSS is needed
All businesses have certain Service Level Agreements (SLA) for functionality bugs. If any client faces any issue on the application level and based on the urgency the issue is fixed like high is 1-3 business days, medium is 1-2 weeks, low is 4 weeks and these durations will be based on client and business agreements. Similarly, for security issues, we have something like CVSS which represents severity and based on these businesses can communicate and understand how severe the vulnerability is. The main focus of CVSS is to standardize software vulnerability severity ratings.
Let’s take a look at how severity is determined as per CVSS score. We will take a look at how CVSS is calculated later in this article.
| CVSS Base Score | CVSS Severity Level |
| 0 | None |
| 0.1 – 3.9 | Low |
| 4.0 – 6.9 | Medium |
| 7.0 – 8.9 | High |
| 9.0 – 10.0 | Critical |
How to generate CVSS?
There are lots of parameters and factors that go into generating CVSS. CVSS score is generated with the help of the CVSS vector. CVSS vector is the textual representation of values used to derive the CVSS score.
Let’s get started with CVSS scoring
Lots of factors go into generating CVSS those are
- Attack Vector
- Attack Complexity
- Privileges Required
- User Interaction
- Scope
- Confidentiality
- Integrity
- Availability
What is Attack Vector
The attack vector has 4 different values that can be assigned to it:
- Network,
- Adjacent,
- Local, or
- Physical.
These represent how the attacker going to access the system. For example, physical is the attacker has to have physical access to the system
Attack Complexity
Attack Complexity represents how hard it is to exploit the vulnerability. Two possible values exist for this, which are:
- Low or
- High.
The low attack complexity will generate the highest score.
Privileges Required
What all the privileges attacker needed to exploit the vulnerability?
- None,
- Low, or
- High.
None is the access privileges are needed. Low is basic user capabilities. High is administrative level privileges are needed.
User Interaction
This represents whether any user interaction is needed. This is like CSRF where the victim has to be enticed to click the link and the targetted website must have a valid logged-in session.
- None
- Required
- Active
- Passive
When no user is required the impact on the CVSS score is highest.
Scope
This represents if the vulnerability can impact items that are outside of the security authority of the affected component. A security authority is something that controls access to objects under its control. Examples of a security authority could be an application (controls how things work inside the application), an operating system (controls how things work within the environment). For an example of RCE the downstream components are also affected meaning, the web server is the application where the vulnerability exists, downstream components mean OS and other apps excluding the webserver
- Unchanged or
- Changed,
A scope change has the largest impact. This has been retarded in CVSS4.0
Confidentiality
Confidentiality is the potential for unauthorized access to sensitive information. The possible values are:
- High,
- Low, or
- None.
The greatest impact comes from the High value, or total confidentially being lost.
Integrity
This component measures the potential for unauthorized modification, a data breach or deletion of data. Potential values are:
- High,
- Low, or
- None.
High is the most severe.
Availability
Availability attempts to measure the potential for denial of access to authorized users. This could be the denial of access to a service or processor cycles. Potential values for Availability are:
- High,
- Low, or
- None.
High is the most severe.
Above all parameters collectively create the CVSS score.
CVSS Nomenclature
| CVSS Nomenclature | CVSS Metrics Used |
| CVSS-B | Base metrics |
| CVSS-BE | Base and Environmental metrics |
| CVSS-BT | Base and Threat metrics |
| CVSS-BTE | Base, Threat, Environmental metrics |
CVSS Metrics
CVSS contains 4 metric groups
- Base
- Threat
- Environmental
- Supplemental(Introduced in CVSS 4.0)
Let me try to explain the definitions of the metrics. Most of the definition content is taken from FIRST as it is self-explanatory but if you have any questions, comment sections are always open and most welcome.
Base metrics: This metric is filled by the supplier. Base metrics reflect the severity of a vulnerability according to intrinsic characters i.e. essential parameters to any vulnerability and these are constant over time.
Supplemental Metrics: This metric is filled by the supplier. The Supplemental metric group includes metrics that provide context as well as describe and measure additional extrinsic attributes of a vulnerability. These metrics are optional and won’t have any impact on the base score of the vulnerability.
Threat Metrics: This metric is filled by the consumer. This is called the Temporal metric group in CVSS 3.1. The threat group reflects the characteristics of vulnerability related to threats that may change over time but not necessarily across user environments.
Example: a vulnerability that is neither exploited nor has a proof of concept available publicly will result in a lower CVSS score.
Environmental Metrics: This metric is filled by the consumer. The Environmental metric group represents the characteristics of a vulnerability that are relevant and unique to a particular user’s environment.
CVSS versions
CVSS 3.1 vs CVSS 4.0
The scope has been retired in CVSS4.0
The new Attack requirement parameter, User Interaction has Passive interaction or Active interaction in Base Matric
The temporal Metric group has been renamed to the Threat metric group.
Remediation Level and Report Confidence has been retired from the Temporal metric group.
A new Supplemental metric group has been added to covey more information about vulnerability but these will not affect the CVSS score. The supplemental metric group contains Safety, Automatable, Recovery, Value Density, Vulnerability Response Effort, Provider Urgency
CVSS 4.0 also focuses on OT, ICS safety.
Base Metrics:
Attack Vector represents from where the attack can be performed. These contain following parameters
Adjacent: Attack can be performed via Bluetooth or same network Wifi
Physical: An attack can be performed by accessing the vulnerable component physically
Local: Attack can be performed via local application.
Network: Attack can be performed across the internet
Attack Complexity: This refers to how difficult is the attack. This represents what kind of security protocols the vulnerable component has and how they are interacting with the attacker to stop the attack.
Attack Requirements: This refers to prerequisites deployment and execution conditions of the vulnerable system that enable the attack. It’s like having race conditions.
Privileges Required: This represents what kind of privileges are required for the attacker. Does the attacker not need any access or will he require normal user access or admin access, these details are captured in this parameter.
User Interaction: Does the user need to interact with the system, if yes is it active interaction or passive? For example, CSRF needs user interaction but it’s Active as the user just needs to click the link, and the attack is performed via the victim i.e. another user.
Above all are base metrics, now let’s discuss Impact metrics.
These metrics discuss what is the impact that a vulnerable component will have in a successful attack. These contain 3 parameters Confidentiality, Integrity, and Availability.
Confidentiality: This represents that the successful exploitation will lead to information disclosure
Integrity: This represents that the successful exploitation will hamper the trustworthiness of the information i.e. the information might be tampered with.
Availability: This represents that the successful exploitation will lead to the unavailability of the vulnerable component: for example, disk space consumption, and network bandwidth consumption.
Supplemental metrics
This group conveys additional extrinsic i.e. non-essential parameters for the vulnerability.
Threat metrics: This conveys the current state of exploit techniques available for the vulnerability and often needs updation. For example, currently, a vulnerability has been attacked but there is no PoC that is how the attack has been made and in the future PoC will be released then this parameter has to be updated.
Exploit Maturity: This measures how likely the attacker can exploit the vulnerability and this depends on the threat metric.
Environmental metrics
Confidentiality, Integrity, and Availability Requirements (CR, IR, AR). These are self-explanatory.
Why CVSS is dead
Let’s consider a vulnerability related to the email server. There is Google Mail, and Microsoft Mail which are owned by companies, and Squirrel Mail which is open source. The vulnerability with the same CVSS score and vector has the same severity but the impact is much higher in the case of Google and Microsoft Mail. CVSS is limited to calculating the severity of the vulnerability but cannot calculate the impact.
Many companies use the CVSS score as a risk score i.e. higher the CVSS, the higher the risk which is not true. There problem statement is Microsoft Mail and Gmail are used vastly by most companies but there are few bloggers who use Squirrel Mail which comes as free if you have a Bluehost control panel or any hosting platform.
If Microsoft Mail or Google Mail is compromised the impact of the vulnerability helps to compromise the servers is marginally higher than the vulnerability Squirrel Mail has.
My take is that CVSS is not a risk score and companies must stop doing that.
