CVSS, the Common Vulnerability Scoring System, is an open and widely used framework that defines metrics to communicate the characteristics, impact and severity of vulnerabilities in IT systems. The body responsible for it, the Forum of Incident Response and Security Teams (FIRST), has announced the latest update of the standard, CVSS version 3.0.
FIRST started out in 1990 with the aim of filling a gap in security incident response. That gap became clear when the first major incident, the Morris worm launched from MIT in 1988, caused significant damage as it spread uncontrollably across the Internet.
This incident gave rise to the creation of FIRST, which has since positioned itself as the leading organization in incident response management. FIRST is an association of teams that provide best-practice mechanisms, tools and features to communicate, classify and respond to security incidents. It brings together members from a wide range of sectors (academia, commerce and manufacturing, government and military) as well as the major international CERTs. Spain currently has 11 active members, including INCIBE's INCIBE-CERT.
Distribution of FIRST members: 70 countries and 321 members
FIRST worked on the CVSS update for three years: the first drafts were presented at the end of 2014 and the final version was published in June 2015. Given how the IT sector has evolved over the past few years, a CVSS update was clearly necessary; with version 3.0 the system applies better to new technological scenarios and to modern concerns.
Common Vulnerability Scoring System
CVSS is a scoring system which offers an open and standardized method for rating the impact of vulnerabilities. It consists of three main metric groups: Base, Temporal and Environmental. In turn, each of these groups consists of a set of metrics.
Base Group: The Base Group encompasses the intrinsic qualities of a vulnerability which are independent of time and the environment. The metrics evaluated in this group are:
- Access Vector (AV). Values: [L,A,N] (Local, Adjacent, Network)
- Access Complexity (AC). Values: [H,M,L] (High, Medium, Low)
- Authentication (Au). Values: [M,S,N] (Multiple, Single, None)
- Confidentiality Impact (C) . Values: [N,P,C] (None, Partial, Complete)
- Integrity Impact (I). Values: [N,P,C] (None, Partial, Complete)
- Availability Impact (A). Values: [N,P,C] (None, Partial, Complete)
Each metric is assigned one of these values according to the characteristics of the vulnerability. Together they produce the base score, which the Temporal and Environmental groups can then refine.
Temporal Group: The Temporal Group reflects the characteristics of a vulnerability that change over time. Three metrics are applied:
- Exploitability (E). Values: [U,POC,F,H,ND] (Unproven, Proof-of-Concept, Functional Exploit, High, Not Defined)
- Remediation Level (RL). Values: [OF,TF,W,U,ND] (Official Fix, Temporary Fix, Workaround, Unavailable, Not Defined)
- Report Confidence (RC). Values: [UC,UR,C,ND] (Unconfirmed, Uncorroborated, Confirmed, Not Defined)
Likewise, each of these metrics is assigned a value according to the current state of the vulnerability: whether an exploit exists, whether a fix is available and how reliable the report is.
Environmental Group: The Environmental Group represents the characteristics of a vulnerability that are unique to a user environment. In this case, the factors which are evaluated are:
- Collateral Damage Potential (CDP). Values: [N,L,LM,MH,H,ND] (None, Low, Low Medium, Medium High, High, Not Defined)
- Target Distribution (TD).Values: [N,L,M,H,ND] (None, Low, Medium, High, Not Defined)
- Security Requirements (CR, IR, AR). Values: [L,M,H,ND] (Low, Medium, High, Not Defined)
CVSS metrics. Version 2
The following table lists all of the metrics and their possible values:
CVSS version 2 metrics and values
Equations and scoring
Once a value has been assigned to each metric, the equations from the CVSS specification are applied, producing a numeric score between 0.0 and 10.0 for each group. This number quantifies the severity of the vulnerability. It is accompanied by a text string called the vector, which records each evaluated metric and its value with the syntax metric:value, the pairs separated by "/", so that anyone reading the assessment can see how the score was derived and recompute it.
The Base group is mandatory; the Temporal and Environmental groups are evaluated optionally.
An example of a typical CVSS v2 assessment looks like this:
5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
where the base score is 5.0 and the vector lists the metric:value pairs of the Base group:
- AV:N Access Vector: Network
- AC:L Access Complexity: Low
- Au:N Authentication: None
- C:P Confidentiality Impact: Partial
- I:N Integrity Impact: None
- A:N Availability Impact: None
Metrics and Equations in CVSS 2
The CVSS rating can be automated with tools that use calculation formulas, such as the NIST calculator:
CVSS version 3.0
The first version of CVSS was released in 2004 and the second in 2007. In 2012 work on version 3 began in response to feedback from organizations that maintain vulnerability reference databases, such as NIST's National Vulnerability Database (NVD) and the Open Source Vulnerability Database (OSVDB).
Proposals for improving CVSS are focused on providing better definitions and obtaining greater ratings accuracy. The Base Metric Group received the most thorough review given that it was suffering from inaccuracies and limitations in some metrics, leading to a certain amount of confusion regarding the attack description. These and other changes that affect the Environmental Group are thoroughly described at the end of this article.
CVSS 3.0 metrics
CVSS 3.0 Scoring
Scoring in version 3.0 follows essentially the same pattern as version 2: once an analyst has assigned the Base Metric values, the base equation produces a score between 0.0 and 10.0, derived from two sub-scores, Exploitability and Impact (the Impact sub-score and the way the two are combined depend on the new Scope metric). Optionally, this score can be refined with the Temporal and Environmental equations.
As in the previous version, the assessment is reported both as the numeric score and as a "vector string", a textual representation of the value assigned to each evaluated metric; in version 3.0 the string carries the "CVSS:3.0/" prefix so that it cannot be confused with a version 2 vector.
CVSS v3.0 metrics and equations
CVSS 3.0 metric/values table
Main changes regarding CVSS version 2
Drawing on the metrics described in version 3 of CVSS, we can highlight the following changes made to the metrics in order to achieve a greater level of detail and consequently a more accurate vulnerability assessment:
Base Group metrics:
- The Exploitability sub-score has been redefined with the metrics "Attack Vector", "Attack Complexity", "Privileges Required" and "User Interaction". These replace the previous "Access Vector", "Access Complexity" and "Authentication", which caused confusion and inaccuracies when describing the attack (for example, Authentication counted how many times an attacker had to authenticate, whereas Privileges Required describes the level of privilege the attacker needs).
- New metric: Scope. It captures whether exploiting the vulnerability in one component (the vulnerable component) can affect resources governed by a different security authority (the impacted component), such as a guest escaping to its hypervisor or a script breaking out of a browser sandbox. When the scope changes, the base score is raised, and the weight of Privileges Required also depends on it, since the privileges acquired and the resources that can be affected (software, hardware, operating systems, files, etc.) extend beyond the vulnerable component.
- The Environmental Group drops "Collateral Damage Potential" and "Target Distribution". In their place, the Modified Base Metrics let the analyst re-evaluate each Base metric according to the mitigations or weaknesses present in their own environment, while the Security Requirements (CR, IR, AR), retained from version 2, weight the impact that a successful exploitation would have on the confidentiality, integrity and availability of the affected assets.
Qualitative criteria for classification:
Version 2 of CVSS did not define how a numeric score maps to a qualitative scale. Version 3.0 adds a qualitative severity rating according to the following relationship:
Relationship between a qualitative scale and a quantitative value