CVSS Overview
The Common Vulnerability Scoring System (CVSS) is a risk assessment tool that is designed to convey the common attributes and severity of vulnerabilities in computer hardware and software systems. The third revision, CVSS 3.0, is a vendor-neutral, industry standard, open framework for weighting the risks of a vulnerability using a variety of metrics. These weights combine to provide a score of the risk inherent in a vulnerability. The numeric score can be used to determine the urgency of the vulnerability, and the priority of addressing it. The benefits of the CVSS can be summarized as follows:
- It provides standardized vulnerability scores that should be meaningful across organizations.
- It provides an open framework with the meaning of each metric openly available to all users.
- It helps prioritize risk in a way that is meaningful to individual organizations.
The Forum of Incident Response and Security Teams (FIRST) has been designated as the custodian of the CVSS to promote its adoption globally. The Version 3 standard was developed with contributions by Cisco and other industry partners. Version 3.1 was released in June of 2019. The figure displays the specification page for the CVSS at the FIRST website.
CVSS Metric Groups
Before performing a CVSS assessment, it is important to know key terms that are used in the assessment instrument.
Many of the metrics address the role of what the CVSS calls an authority. An authority is a computer entity, such as a database, operating system, or virtual sandbox, that grants and manages access and privileges to users.
CVSS Metric Groups
The image displays the CVSS Metric Groups. There are three boxes shown side by side. The first box, on the left, is titled Base Metric Group. Within this box are two columns: Exploitability metrics and Impact metrics. Under the Exploitability column are four items: attack vector, attack complexity, privileges required, and user interaction. Under the Impact column are three items: confidentiality impact, integrity impact and availability impact. Spanning both columns at the bottom is Scope. The second box, in the middle, is titled Temporal Metric Group. This box contains three items: Exploit code maturity, remediation level, and report confidence. The the third box, at the right, are four boxes: Modified Base Metrics, confidentiality requirement, integrity requirement, and availability requirement.
As shown in the figure, the CVSS uses three groups of metrics to assess vulnerability.
Base Metric Group
This represents the characteristics of a vulnerability that are constant over time and across contexts. It has two classes of metrics:
- Exploitability – These are features of the exploit such as the vector, complexity, and user interaction required by the exploit.
- Impact metrics – The impacts of the exploit are rooted in the CIA triad of confidentiality, integrity, and availability.
Temporal Metric Group
This measures the characteristics of a vulnerability that may change over time, but not across user environments. Over time, the severity of a vulnerability will change as it is detected and measures to counter it are developed. The severity of a new vulnerability may be high, but will decrease as patches, signatures, and other countermeasures are developed.
Environmental Metric Group
This measures the aspects of a vulnerability that are rooted in a specific organization’s environment. These metrics help to rate consequences within an organization and allow adjustment of metrics that are less relevant to what an organization does.
CVSS Base Metric Group
The figure highlights the Base Metric Group.
CVSS Metric Groups
Figure has the same CVSS metric groups figure as before with the base metric group highlighted.
The table lists the criteria for the Base Metric Group Exploitability metrics.
| Criteria | Description |
|---|---|
| Attack vector | This is a metric that reflects the proximity of the threat actor to the vulnerable component. The more remote the threat actor is to the component, the higher the severity. Threat actors close to your network or inside your network are easier to detect and mitigate. |
| Attack complexity | This is a metric that expresses the number of components, software, hardware, or networks, that are beyond the attacker’s control and that must be present for a vulnerability to be successfully exploited. |
| Privileges required | This is a metric that captures the level of access that is required for a successful exploit of the vulnerability. |
| User interaction | This metric expresses the presence or absence of the requirement for user interaction for an exploit to be successful. |
| Scope | This metric expresses whether multiple authorities must be involved in an exploit. This is expressed as whether the initial authority changes to a second authority during the exploit. |
The Base Metric Group Impact metrics increase with the degree or consequence of loss due to the impacted component. The table lists the impact metric components.
| Term | Description |
|---|---|
| Confidentiality Impact | This is a metric that measures the impact to confidentiality due to a successfully exploited vulnerability. Confidentiality refers to the limiting of access to only authorized users. |
| Integrity Impact | This is a metric that measures the impact to integrity due to a successfully exploited vulnerability. Integrity refers to the trustworthiness and authenticity of information. |
| Availability Impact | This is a metric that measures the impact to availability due to a successfully exploited vulnerability. Availability refers to the accessibility of information and network resources. Attacks that consume network bandwidth, processor cycles, or disk space all impact the availability. |
The CVSS Process
The CVSS Base Metrics Group is designed as a way to assess security vulnerabilities that are found in software and hardware systems. It describes the severity of a vulnerability based on the characteristics of a successful exploit of the vulnerability. The other metric groups modify the base severity score by accounting for how the base severity rating is affected by time and environmental factors.
The CVSS process uses a tool called the CVSS v3.1 Calculator, shown in the figure.
The calculator is like a questionnaire in which choices are made that describe the vulnerability for each metric group. After all choices are made, a score is generated. Pop-up text that explains each metric and metric value is displayed by hovering the mouse over each. Choices are made by choosing one of the values for the metric. Only one choice can be made per metric.
The CVSS calculator can be accessed on the CVSS portion of the FIRST website.
A detailed user guide that defines metric criteria, examples of assessments of common vulnerabilities, and the relationship of metric values to the final score is available to support the process.
After the Base Metric group is completed, the numeric severity rating is displayed, as shown in the figure.
A vector string is also created that summarizes the choices made. If other metric groups are completed, those values are appended to the vector string. The string consists of the initial(s) for the metric, and an abbreviated value for the selected metric value separated by a colon. The metric-value pairs are separated by slashes. The vector strings allow the results of the assessment to be easily shared and compared.
The table lists the key for the Base Metric group.
| Metric Name | Initials | Possible Values | Values |
|---|---|---|---|
| Attack Vector | AV | [N, A, L, P] | N = Network A = Adjacent L = Local P = Physical |
| Attack Complexity | AC | [L, H] | L = Low H = High |
| Privileges Required | PR | [N, L, H] | N = None L = Low H = High |
| User Interaction | UI | [N, R] | N = None R = Required |
| Scope | S | [U, C] | U = Unchanged C = Changed |
| Confidentiality Impact | C | [H, L, N] | H = High L = Low N = None |
| Integrity Impact | I | [H, L, N] | H = High L = Low N = None |
| Availability Impact | A | [H, L, N] | H = High L = Low N = None |
The values for the numeric severity rating string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N are listed in the table.
| Metric Name | Values |
|---|---|
| Attack Vector, AV | Network |
| Attack Complexity, AC | Low |
| Privileges Required, PR | High |
| User Interaction, UI | None |
| Scope, S | Unchanged |
| Confidentiality Impact, C | Low |
| Integrity Impact, I | Low |
| Availability Impact, A | Low |
In order for a score to be calculated for the Temporal or Environmental metric groups, the Base Metric group must first be completed. The Temporal and Environmental metric values then modify the Base Metric results to provide an overall score. The interaction of the scores for the metric groups is shown in the figure.
Image depicts the interaction of scores for the metric groups. At the top left of the graphic are the Base Metric Group Metrics, set by vendor: once set doesn’t change. An arrow connects the Metrics to a cloud representing the base formula. An arrow points from the cloud to a circle representing the base score. On the left, under the Base Metric Group is the Temporal Metric Group, set by vendor: once set, changes with time. An arrow connects the Temporal Metric Group Metrics to another cloud, representing the temporal formula. The temporal formula uses the Temporal Metrics and the Base Score to create the Temporarily Adjusted Score. On the left, under the Temporal Metric Group, are the Environmental Metric Group Metrics, optionally set by end-users. An arrow connects the Environmental Metric Group metrics to a cloud representing the Environmental Formula. The Environmental Formula uses the Environmental Metric Group Metrics and the Temporarily Adjusted score to create the Environmentally Adjusted Score. Source: www.first.org
CVSS Reports
The ranges of scores and the corresponding qualitative meaning is shown in the table.
| Rating | CVSS Score |
|---|---|
| None | 0 |
| Low | 0.1 – 3.9 |
| Medium | 4.0 – 6.9 |
| High | 7.0 – 8.9 |
| Critical | 9.0 – 10.0 |
Frequently, the Base and Temporal metric group scores will be supplied to customers by the application or security vendor in whose product the vulnerability has been discovered. The affected organization completes the environmental metric group to tailor the vendor-supplied scoring to the local context.
The resulting score serves to guide the affected organization in the allocation of resources to address the vulnerability. The higher the severity rating, the greater the potential impact of an exploit and the greater the urgency in addressing the vulnerability. While not as precise as the numeric CVSS scores, the qualitative labels are very useful for communicating with stakeholders who are unable to relate to the numeric scores.
In general, any vulnerability that exceeds 3.9 should be addressed. The higher the rating level, the greater the urgency for remediation.
Other Vulnerability Information Sources
There are other important vulnerability information sources. These work together with the CVSS to provide a comprehensive assessment of vulnerability severity. There are two systems that operate in the United States:
Common Vulnerabilities and Exposures (CVE)
This is a dictionary of common names, in the form of CVE identifiers, for known cybersecurity vulnerabilities. The CVE identifier provides a standard way to research a reference to vulnerabilities. When a vulnerability has been identified, CVE identifiers can be used to access fixes. In addition, threat intelligence services use CVE identifiers, and they appear in various security system logs. The CVE Details website provides a linkage between CVSS scores and CVE information. It allows browsing of CVE vulnerability records by CVSS severity rating.
Search the internet for Mitre for more information on CVE as shown in the figure.
National Vulnerability Database (NVD)
This utilizes CVE identifiers and supplies additional information on vulnerabilities such as CVSS threat scores, technical details, affected entities, and resources for further investigation. The database was created and is maintained by the U.S. government National Institute of Standards and Technology (NIST) agency.
