FIRST (the international Forum of Incident Response and Security Teams) has just announced the release of the latest update to the Common Vulnerability Scoring System (CVSS).

CVSS is a widely used industry standard for assessing and categorising the severity of a security vulnerability: a number of metrics are analysed and the result is a score on a matrix.

With such a matrix, companies can address the most critical vulnerabilities first in a managed process, and adapt their processes to remediate any foreseeable problems.

A CVSS score is produced via the CVSS calculator, into which the relevant metric values are entered to generate the base metrics for a vulnerability. This data is then refined with supplemental data, environmental data and threat data to generate a value ranging from 0 to 10.

CVSS v4.0 calculator

Calculating the scores

To generate the base score, the metrics cover how an attack could occur, how severe it would be if it did occur, and whether the attack affects only the vulnerable system or could also affect other (subsequent) systems.

So for example, the Attack Vector (AV) metric looks at whether the vulnerability can be triggered via a network connection, or only by having physical access to the system. The theory is that physical access is typically harder to achieve, so it incurs a lower rating than a vulnerability that can be triggered remotely over a network. Similarly, the User Interaction (UI) score is greater for a vulnerability that requires no user interaction than for one that does: hopefully, if a vulnerability requires a human to do something, it would be spotted and stopped.

By working through the calculator for every known vulnerability that could be present in a company's systems, the company ends up with a tangible representation of the issues it needs to focus on. This, however, is a very laborious process if attempted manually, so software such as Tenable's Nessus scans, enumerates and grades systems for vulnerabilities, then compares the findings with CVE data to automatically give a CVSS rating, which helps companies quickly understand their issues.

Nessus CVSS matrices

The CVSS v4.0 process

The initial project to build CVSS v4.0 was announced at the 35th annual FIRST conference back in June. The project started in 2022; the work has now been completed and the new scoring system has gone live.

The drive to produce v4.0 was to address a number of issues with v3.1, but also to cover more than just I.T. systems. CVSS v4.0 now also includes Operational Technology (O.T.) systems, such as PLC and SCADA systems, as well as Internet of Things (IoT) systems.

Critiques of v3.1

  • CVSS Base Score being used as primary input to risk analysis
  • Not enough real time threat and supplemental impact details represented
  • Only applicable to I.T. systems
  • Health, human safety, and industrial control systems not well represented
  • Scores published by vendors are often High or Critical (7.0+)
  • Insufficient granularity – fewer than 99 discrete CVSS scores in practice
  • Temporal Metrics do not effectively impact the final CVSS score
  • The math seems overly complicated and counterintuitive

What's new in CVSS v4.0?

  • Finer granularity in Base Metrics
    • Attack Requirements (AT) added as Base Metric
    • Enhanced User Interaction Granularity (None/Active/Passive)
  • Removal of downstream scoring ambiguity (read: Scope)
    • C/I/A expanded into separate Vulnerable System C/I/A and Subsequent System C/I/A
  • Simplification of Threat metrics and improved scoring impact
    • Remediation Level, Report Confidence, and Exploit Code Maturity simplified to Exploit Maturity
  • Supplemental attributes for vulnerability response
    • Supplemental Metric: Automatable
    • Supplemental Metric: Recovery
    • Supplemental Metric: Value Density
    • Supplemental Metric: Vulnerability Response Effort
    • Supplemental Metric: Provider Urgency
  • Additional applicability to OT/ICS/IoT
    • Safety Metric Values added to Environmental Metrics
  • New Nomenclature
    • CVSS-B: CVSS Base Score
    • CVSS-BT: CVSS Base + Threat Score
    • CVSS-BE: CVSS Base + Environmental Score
    • CVSS-BTE: CVSS Base + Threat + Environmental Score
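The base metrics described under "Calculating the scores" and the v4.0 changes listed above (Attack Requirements, the None/Passive/Active User Interaction values, Vulnerable vs. Subsequent System C/I/A in place of Scope, Exploit Maturity, the supplemental metrics, and the CVSS-B/BT/BE/BTE nomenclature) can all be seen in a v4.0 vector string. The following is an added example, not code from FIRST or from the article: a small parser that validates a CVSS v4.0 vector, rejects unknown metrics or values, and reports which nomenclature applies based on the metric groups present. The metric abbreviations and value letters follow the published v4.0 specification; the sample vectors at the bottom are constructed for illustration, and the parser does not enforce the specification's metric ordering.

```python
"""Parse and validate a CVSS v4.0 vector string and classify its nomenclature.

Added example for illustration; not part of the FIRST specification or the
original article. Metric names and values follow the CVSS v4.0 specification.
"""

# Base metrics: all eleven are mandatory in every v4.0 vector.
BASE = {
    "AV": ("N", "A", "L", "P"),   # Attack Vector: Network / Adjacent / Local / Physical
    "AC": ("L", "H"),             # Attack Complexity
    "AT": ("N", "P"),             # Attack Requirements (new in v4.0)
    "PR": ("N", "L", "H"),        # Privileges Required
    "UI": ("N", "P", "A"),        # User Interaction: None / Passive / Active (v4.0 granularity)
    "VC": ("H", "L", "N"), "VI": ("H", "L", "N"), "VA": ("H", "L", "N"),  # Vulnerable System C/I/A
    "SC": ("H", "L", "N"), "SI": ("H", "L", "N"), "SA": ("H", "L", "N"),  # Subsequent System C/I/A
}
# Threat metric group: Exploit Maturity replaces the three v3.1 temporal metrics.
THREAT = {"E": ("X", "A", "P", "U")}
# Environmental metrics: requirements plus "modified" base metrics.
# MSI and MSA gain the Safety value "S" in v4.0.
ENV = {
    "CR": ("X", "H", "M", "L"), "IR": ("X", "H", "M", "L"), "AR": ("X", "H", "M", "L"),
    "MAV": ("X", "N", "A", "L", "P"), "MAC": ("X", "L", "H"), "MAT": ("X", "N", "P"),
    "MPR": ("X", "N", "L", "H"), "MUI": ("X", "N", "P", "A"),
    "MVC": ("X", "H", "L", "N"), "MVI": ("X", "H", "L", "N"), "MVA": ("X", "H", "L", "N"),
    "MSC": ("X", "H", "L", "N"), "MSI": ("X", "S", "H", "L", "N"), "MSA": ("X", "S", "H", "L", "N"),
}
# Supplemental metrics: context for responders; they never change the numeric score.
SUPPLEMENTAL = {
    "S": ("X", "N", "P"),                           # Safety
    "AU": ("X", "N", "Y"),                          # Automatable
    "R": ("X", "A", "U", "I"),                      # Recovery
    "V": ("X", "D", "C"),                           # Value Density
    "RE": ("X", "L", "M", "H"),                     # Vulnerability Response Effort
    "U": ("X", "Clear", "Green", "Amber", "Red"),   # Provider Urgency
}
ALL_METRICS = {**BASE, **THREAT, **ENV, **SUPPLEMENTAL}


def parse_vector(vector):
    """Return {metric: value} for a well-formed v4.0 vector; raise ValueError otherwise."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector: " + vector)
    metrics = {}
    for part in parts[1:]:
        if ":" not in part:
            raise ValueError("malformed metric component: " + part)
        name, value = part.split(":", 1)
        if name not in ALL_METRICS:
            raise ValueError("unknown metric: " + name)
        if value not in ALL_METRICS[name]:
            raise ValueError(f"invalid value {value!r} for metric {name}")
        if name in metrics:
            raise ValueError("duplicate metric: " + name)
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError("missing mandatory base metrics: " + ", ".join(missing))
    return metrics


def nomenclature(metrics):
    """CVSS-B, -BT, -BE or -BTE, depending on which optional groups carry a non-default value."""
    has_threat = any(metrics.get(m, "X") != "X" for m in THREAT)
    has_env = any(metrics.get(m, "X") != "X" for m in ENV)
    return "CVSS-B" + ("T" if has_threat else "") + ("E" if has_env else "")


def impact_summary(metrics):
    """Split impact into Vulnerable System and Subsequent System parts (the v4.0 replacement for Scope)."""
    vulnerable = {m: metrics[m] for m in ("VC", "VI", "VA")}
    subsequent = {m: metrics[m] for m in ("SC", "SI", "SA")}
    return {
        "vulnerable_system": vulnerable,
        "subsequent_system": subsequent,
        "affects_subsequent": any(v != "N" for v in subsequent.values()),
    }


# Constructed sample vectors (illustrative only, not real CVE data).
SAMPLES = [
    "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
    "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A",
    "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:H/SI:S/SA:N/CR:H/MSI:S",
    "CVSS:4.0/AV:P/AC:H/AT:N/PR:H/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:P/AR:L/AU:Y/U:Amber",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        m = parse_vector(sample)
        print(nomenclature(m), impact_summary(m)["affects_subsequent"], sample)
```

A useful reading of the output is that the same base metrics yield CVSS-B, CVSS-BT or CVSS-BTE purely according to the extra groups supplied, which is exactly why the nomenclature exists: a published CVSS-B figure and an organisation's own CVSS-BTE figure for the same CVE are not the same number and should not be compared as if they were.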