Understanding The Common Vulnerability Scoring System

A vulnerability is a weakness in hardware, software, personnel, or procedures. However, not all vulnerabilities are equal. Some vulnerabilities have system administrators scrambling to deploy a patch, while some are not even worth fixing.  

To evaluate the severity of each vulnerability, the Common Vulnerability Scoring System (CVSS) was created. CVSS is an open standard used to assign a score to each vulnerability based on several metrics. In this article, we are going to describe the metrics CVSS uses and explain their meaning.

There are three types of rating: Base, Temporal, and Environmental, with numerical scores ranging from 0 to 10, where 10 is the most severe.

Base rating 

The base score is used to evaluate specifics of each vulnerability based on eight metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability.  

To exploit a vulnerability, an attacker needs a path through which they can reach the vulnerable component. Exploitation can happen via:

  • network, allowing them to remotely exploit the vulnerability,  
  • adjacent network, which limits exploitation to the same physical or logical network,   
  • local access, which requires prior access to the vulnerable system or  
  • physical access, which requires the attacker to physically manipulate the vulnerable component.  

Such paths are called Attack Vectors, with network being the most exposed, thus the most dangerous. 

Many vulnerabilities are not easy to exploit. Exposed components usually feature advanced defenses against exploitation, and some vulnerabilities require prior knowledge of the target's configuration. The metric that captures these aspects is called Attack Complexity and has just two values, low and high.

Some vulnerabilities are exploitable without any authentication, some require ordinary user privileges, and some require full administrative access to the vulnerable system. This is described by the Privileges Required metric, with none being the most severe, low meaning user privileges are needed and high meaning administrative privileges are needed to exploit the vulnerability. Sometimes, vulnerabilities requiring elevated privileges are chained with privilege escalation vulnerabilities to achieve successful exploitation.

Whether a vulnerability requires any user interaction, such as running an installer or approving an application prompt, is captured by the User Interaction metric, with values none and required.

In modern systems, potentially vulnerable components are sandboxed to limit the impact of a vulnerability. For instance, if an attacker exploits a vulnerability in Chrome's JavaScript engine, they will not gain access to your filesystem, because the component runs within a constrained sandbox. To measure the impact on other components, the Scope metric is used. If an attacker can gain access to other components after exploitation, the scope is changed; otherwise, the scope is unchanged.

To measure the potential impact of a vulnerability on the three basic principles of information security, also known as the CIA triad, three metrics are used. The Confidentiality metric measures the loss of confidentiality, in other words, potential access to sensitive information within the same scope. The Integrity metric measures the attacker's ability to modify files within the vulnerable component; after a loss of integrity, exploited systems cannot be trusted without a thorough inspection. Finally, the Availability metric evaluates the potential for denying access to the impacted components or to resources managed by those components. For these three metrics, the values are none, low and high, with high being the most severe.

These eight metrics are plugged into the CVSS equations to calculate the final base score. A qualitative severity rating is also assigned based on the score:

  • None: 0 
  • Low: 0.1 – 3.9 
  • Medium: 4.0 – 6.9 
  • High: 7.0 – 8.9 
  • Critical: 9.0 – 10 

Temporal Rating 

Temporal metrics are used to measure qualities that are likely to change over time, as more researchers put effort into the vulnerability and manufacturers release patches. 

The Exploit Code Maturity metric measures the likelihood that the vulnerability will be abused. Unproven means that no exploit is available; Proof-of-Concept (POC) means that exploit code is publicly obtainable; and the value increases further, to functional and high, with the quality of that exploit code.

Remediation Level evaluates the existence of a patch or a mitigation, with unavailable being the most critical, workaround and temporary fix indicating an unofficial patch or a mitigation that exists before the vulnerability is patched, and official patch signifying a stable patch released directly by the manufacturer.

Report Confidence represents the credibility of the reports publishing the vulnerability, with values unknown, reasonable, and confirmed.

Environmental rating 

The severity of a given vulnerability may not be the same for every company. The environmental metrics allow a security analyst to adjust the rating to better fit the company's assets.

CVSS is an important tool for vulnerability management and should be understood in order to determine whether a vulnerability poses a danger to a company and requires immediate attention.