What is the Common Vulnerability Scoring System and How Does it Work?

CVSS is an important metric used in Vulnerability Management. It is a scoring system used in evaluating security vulnerabilities. The CVSS provides a consistent method of representing the severity of vulnerabilities and further helps in prioritising the vulnerabilities. It helps the security teams treat vulnerabilities based on their severity.

History of CVSS

CVSS was first introduced in 2005 by the National Infrastructure Advisory Council (NIAC). It is currently owned and managed by FIRST (Forum of Incident Response and Security Teams). Developing CVSS was a joint effort by several groups including Microsoft, IBM Internet Security Systems, Cisco, and Symantec. Since being introduced, several other groups have come forward to help refine the CVSS set of standards.

In 2007, CVSS v2 was released. It improved upon the 2005 version by removing inconsistencies and bringing in more accuracy. The second version helped to bring more clarity to IT vulnerabilities. Next, the CVSS v3 was released in 2015 which further enhanced the scoring system by introducing factors such as privileges required to exploit a vulnerability. The latest version is CVSS v3.1 which was released in 2019.

Why do organisations use CVSS?

CVSS is a standardised scoring system that brings consistency to vulnerability evaluation. It is also an open framework that gives complete access to the parameters used by the scoring system. This improves the understanding of how the scoring works and helps security teams holistically interpret the scores.

A CVSS score helps you prioritise vulnerabilities and treat them in the vulnerability management process. It also helps you meet the requirements set out by compliance standards.

Deriving the CVSS score

A CVSS score can be assigned using the below three metrics.

• Base score
• Temporal score
• Environmental metrics

The base score can alone decide the CVSS score, too. However, for a more accurate CVSS, the other two metrics also should be considered.

Base Score

The base score is assigned based on the attributes of the vulnerability that do not change with time or environment. It is composed of the following sub-scores.

Exploitability sub-score

This sub-score takes into account the below metrics.

• Attack Vector (AV): It describes the ease with which the vulnerability can be exploited by bad actors. Lower values indicate that the vulnerability needs to be closer to the system to be exploited whereas a high value indicates that the vulnerability can be exploited remotely.
• Attack Complexity (AC): It describes the conditions under which a vulnerability can be exploited. Lower scores indicate that bad actors need more information to carry out an attack whereas a high score indicates that they can carry out the attack easily.
• Privileges Required (PS): It shows the level of privileges required to exploit the vulnerability. A low score indicates admin privileges are needed whereas a high score indicates that no or minimal privileges are required to exploit the vulnerability.
• User Interaction (UI): This metric tells whether the exploitability of the vulnerability depends on the user's actions, for instance being tricked into downloading a malicious program. This score just tells whether the UI is needed or not.

Impact sub-score

The impact sub-score describes the consequences if a vulnerability is exploited. It measures the difference between the status before and after the vulnerability is exploited. It is made up of the below three elements regarding the information.

• Confidentiality
• Integrity
• Availability

Scope sub-score

This metric helps define the scope of the impact of the vulnerability. The scope can be defined as a set of security components under a single security authority or a set of access controls. When the impact lies within these components, it is within the scope. When other components are also impacted, the scope is outside the vulnerable component. When the scope is wider, the severity of the vulnerability is higher.

Temporal Score

A temporal score describes whether there are any known codes or patches to exploit a vulnerability. It depends on the below metrics.

• Exploit code maturity (E): It shows the availability of tools and techniques that can exploit the vulnerability.
• Remedial level (RL): It represents the availability of remedial methods to address the vulnerability.
• Report Confidence (RC): It represents how accurate the vulnerability reports are.

Environmental Metrics

The environmental metrics help you refine the base score in the context of your organisational environment. Higher scores are given to the most important and critical assets. The categories of the environmental metrics are as below.

• Collateral damage potential (CDP): It indicates the damage to or loss of physical assets and the economic loss associated with productivity and revenue.
•  Target distribution (TD): It shows the proportion of vulnerable systems in the context of the total number of systems in the organisation’s environment.
•  Confidentiality requirement (CR): This metric defines the level of impact on the confidentiality of the asset when its vulnerability is exploited.
•  Integrity requirement (IR): This metric represents the level of impact on an asset’s integrity when its vulnerability is exploited.
•  Availability requirement (AR): It defines the level of impact on an asset’s availability when its vulnerability is exploited.

Bringing it all together

The base score is the foundation of the final CVSS score. It is computed after taking into account the confidentiality, integrity, and availability of the information or system associated with the vulnerability. The base score remains constant.

The temporal score and the environmental metrics modify the base score to arrive at the final CVSS score. However, the base score has the most weightage in the final score.

CVSS qualitative rating

CVSS scores are on a scale from 0.0 to 10.0 as mentioned earlier. To understand what these scores mean and to have a consistent interpretation of these scores, the below qualitative rating is sometimes used.

0.0 - None

0.1 to 3.9 - Low

4.0 to 6.9 - Medium

7.0 to 8.9 - High

9.0 to 10.0 - Very High/Critical

Final thoughts

Publicly available CVSS scores only use the base scores. These scores can tell you how severe a vulnerability is, but they will not tell you how critical it is for your information or systems. Thus, a comprehensive scoring system that also accounts for the temporal scores and the environmental metrics gives you a more accurate CVSS score.

CVSS is not dependent on the vendors and gives a composite score. Hence it is widely used in different assets from operating systems to databases and from web applications to software products.

Also, read about vulnerability management in Understanding Vulnerability Management.