CVSS is a vendor agnostic, industry open standard that is designed to convey vulnerability severity and to help determine urgency and priority of response. This system does not calculate the chances of being attacked, but the chances of being compromised in the event of an attack and potential severity of damage.
The latest version of CVSS is version 3.0. It solves the problem of multiple, incompatible scoring systems and is usable and understandable by anyone. CVSS was commissioned by NIAC and tasked in support of the global VDF. FIRST currently maintains it. The CVSS model is designed to provide the end user with an overall composite score representing the severity and risk of a vulnerability. It is derived from metrics and formulas. The metrics are in three distinct categories that can be quantitatively or qualitatively measured. Base metrics contain qualities that are intrinsic to any given vulnerability that do not change over time or are in different environments. Temporal metrics contain characteristics of a vulnerability that evolve over the lifetime of vulnerability. Environmental metrics contain those characteristics of a vulnerability that are tied to an implementation in a specific user’s environment.
CVSS v3.0 Base Metrics
The base metric group represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. It is composed of two sets of metrics: the exploitability metrics (attack vector, attack complexity, privileges required, user interaction, scope) and the impact metrics (confidentiality, integrity, availability).
- Attack Vector (AV): This metric reflects the context by which vulnerability exploitation is possible. This metric value and the base score will correlate with an attacker’s proximity to a vulnerable component. The score will be higher the more remote (logically and physically) an attacker is from the vulnerable component.
- Local: Exploiting the vulnerability requires either physical access to the target or a local (shell) account on the target.
- Adjacent: Exploiting the vulnerability requires access to the local network of the target, and cannot be performed across an OSI Layer 3 boundary.
- Network: The vulnerability is exploitable from remote networks. Such a vulnerability is often termed “remotely exploitable,” and can be thought of as an attack being exploitable one or more network hops away, such as across Layer 3 boundaries from routers.
- Physical: A vulnerability exploitable with physical access requires the attacker to physically touch or manipulate the vulnerable component.
- Attack Complexity (AC): This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability.
- Low: Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component.
- High: A successful attack depends on conditions beyond the attacker’s control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected.
- Privileges Required (PR): This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.
- None: The attacker is unauthorized before attack, and therefore does not require any access to settings or files to carry out an attack.
- Low: The attacker is authorized with privileges that provide basic user capabilities that could normally affect only settings and files that are owned by a user. Alternatively, an attacker with low privileges may have the ability to cause an impact only to non-sensitive resources only.
- High: The attacker is authorized with privileges that provide significant (e.g., administrative) control over the vulnerable component that could affect component-wide settings and files.
- User Interaction (UI): This metric indicates whether or not a user other than the attacker must participate in order for the exploitation of a vulnerability to succeed.
- None: The vulnerable system can be exploited without interaction from any user.
- Required: Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited.
- Scope (S): An important property that is captured by CVSS v3.0 is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges. This consequence is represented by the metric authorization scope, or simply scope.
- Unchanged: An exploited vulnerability can only affect resources that are managed by the same authority. In this case, the vulnerable component and the impacted component are the same.
- Changed: An exploited vulnerability can affect resources beyond the authorization privileges that are intended by the vulnerable component. In this case, the vulnerable component and the impacted component are different.
- Confidentiality Impact (C): This metric measures the impact to the confidentiality of the information resources that are managed by a software component due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, preventing access by, or disclosure to, unauthorized ones.
- None: There is no loss of confidentiality within the impacted component.
- Low: There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component.
- High: There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact.
- Integrity Impact (I): This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.
- None: There is no loss of integrity within the impacted component.
- Low: Modification of data is possible, but the attacker does not control the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component.
- High: There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any or all files that are protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.
- Availability Impact (A): This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. While the confidentiality and integrity impact metrics apply to the loss of confidentiality or integrity of data such as information and files used by the impacted component, this metric refers to the loss of availability of the impacted component itself, such as a networked service such as web, database, and email. Because availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component.
- None: There is no impact to availability within the impacted component.
- Low: There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the impacted component are either partially available all the time, or fully available only some of the time, but overall there is no direct, serious consequence to the impacted component.
- High: There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component such as the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks only a small amount of memory, but after repeated exploitation causes a service to become completely unavailable.
CVSS v3.0 Temporal Metrics
The temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence that one has in the description of a vulnerability.
- Exploit Code Maturity (E): This metric measures the likelihood of the vulnerability being attacked, and it is typically based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation.
- Not Defined: Assigning this value to the metric will not influence the score. It is a signal to a scoring equation to skip this metric.
- Unproven: No exploit code is available, or an exploit is theoretical.
- Proof-of-Concept: Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker.
- Functional: Functional exploit code is available. The code works in most situations where the vulnerability exists.
- High: Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely available, easy-to-use automated tools.
- Remediation Level (RL): A typical vulnerability is unpatched when initially published. Workarounds or hotfixes may offer interim remediation until an official patch or upgrade is issued. Each of these respective stages adjusts the temporal score downwards, reflecting the decreasing urgency as remediation becomes final.
- Not Defined: Assigning this value to the metric will not influence the score. It is a signal to a scoring equation to skip this metric.
- Unavailable: There is either no solution available or it is impossible to apply.
- Workaround: There is an unofficial, non-vendor solution available. Sometimes, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate the vulnerability.
- Temporary fix: There is an official but temporary fix available that includes instances where the vendor issues a temporary hotfix, tool, or workaround.
- Official fix: A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.
- Report Confidence (RC): This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details. Sometimes only the existence of vulnerabilities are publicized, but without specific details.
- Unknown: There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences that are described.
- Reasonable: Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified which the proof-of-concept exploits may provide.
- Confirmed: Detailed reports exist, or functional reproduction by exploits. Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability.
CVSS v3.0 Environmental Metrics
The environmental metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user’s organization, which are measured in terms of complementary/alternative security controls in place, Confidentiality, Integrity, and Availability. The metrics are the modified equivalent of base metrics and are assigned metrics values that are based on the component placement in organization infrastructure.
- Security Requirements (CR, IR, AR): These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user’s organization, which are measured in terms of Confidentiality Requirements (CR), Integrity Requirements (IR), and Availability Requirements (AR). That is, if an IT asset supports a business function for which Availability is most important, the analyst can assign a greater value to Availability relative to Confidentiality and Integrity. Each security requirement has four possible values: Not Defined, Low, Medium, or High.
- Low: Loss of security requirements is likely to have only a limited adverse effect on the organization or individuals that are associated with the organization such as employees and customers.
- Medium: Loss of security requirements is likely to have a serious adverse effect on the organization or individuals that are associated with the organization such as employees and customers.
- High: Loss of security requirements is likely to have a catastrophic adverse effect on the organization or individuals that are associated with the organization, such as employees and customers.
- Modified Base Metrics: These metrics enable the analyst to adjust the base metrics according to modifications that exist within the analyst’s environment. That is, if an environment has made general changes for the affected software that differs in a way that would affect its exploitability, scope, or impact, then the environment can earn an appropriately modified,environmental score.
- Modified Attack Vector (MAV)
- Modified Attack Complexity (MAC)
- Modified Privileges Required (MPR)
- Modified User Interaction (MUI)
- Modified Scope (MS)
- Modified Confidentiality (MC)
- Modified Integrity (MI)
- Modified Availability (MA)This content is collected from a post of cisco.com