Common Vulnerability Scoring System - CVSS

Vulnerabilities abound in their 1000s, with 30,000 being added just in 2021! Each vulnerability reported is assigned a CVE ID by one of a number of numbering authorities, and contains a brief description of the vulnerability, the vendor, the reporter, and most importantly, the impact assessment of the vulnerability on the system. This is described as a CVSS score.

What CVSS does

CVSS is a scale from 0-10 where 10 is the highest score, and indicates the severity of the vulnerability - in essence what the overall impact of the vulnerability would have on the system where it is present if the vulnerability were to be exploited.

What CVSS doesn’t

CVSS can’t predict the likelihood of a compromise. People, for some time - have shied away from relying only on CVSS as a method for prioritizing patching regimens. Instead, sources that include threat data relating to specific vulnerabilities are increasingly used. 

The essence of CVSS is to assign a “severity score” to a vulnerability, and practitioners thus determine priority of patching based on this score, and usually adapt according to other data, such as threat and asset ‘value’.

To do this there are complex weightings and formulae, and the following factors are considered:

CVSS comprises three distinct metric groups: 

Base Score 

Depicts the severity of the vulnerability according to characteristics which are constant over time and assumes the reasonable worst case impact across different deployed environments. 

Temporal Metrics 

Adjust the Base severity of a vulnerability based on factors that change with time, such as the availability of exploit code. 

Environmental Metrics 

Adjust the Base and Temporal severities to a specific computing environment. They consider factors such as the presence of mitigations in that environment

 

Calculating the CVSS score

Vendors take an effort to use the CVSS and related metrics to provide an accurate score of the impact of the vulnerability. In doing this, they provide the Vector String containing the relevant observations. This string can be used in a calculator to analyze the connection between parameters and the resultant score:

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

 

1

Comments

0 comments

Please sign in to leave a comment.

Didn't find what you were looking for?

New post