Back in April, I wrote a blog post about the new version of the Common Vulnerability Scoring System (CVSS). The changes made for CVSSv3 addressed some of the challenges that existed in CVSSv2. For example, CVSSv3 analyzes the scope of a vulnerability and identifies the privileges an attacker needs to exploit it. The CVSSv3 enhancements allow vendors to better analyze security vulnerability impact. The changes in CVSSv3 also help our customers more easily determine the urgency with which they need to respond to vulnerabilities.
In my previous blog post, I shared the details of a study that analyzed the differences between CVSSv2 and CVSSv3 scores using scores provided by the National Vulnerability Database (NVD). I have continued to monitor the way vulnerabilities are scored using the new version of CVSS because Cisco will soon begin supporting the new version. In my previous study, back in April, I analyzed 745 vulnerabilities. I recently expanded the data set and this new analysis includes a total of 3862 vulnerabilities. I kept the scores and data vendor neutral and used only NVD’s CVSSv2 and CVSSv3 scores.
If you are not familiar with the CVSS metrics, you can read the CVSSv3 specification at FIRST’s website: https://www.first.org/cvss/specification-document. You can also use the CVSSv3 calculator: https://www.first.org/cvss/calculator/3.0
FIRST has also published several examples of CVSSv2 vs. CVSSv3 scores at: https://www.first.org/cvss/examples
I have included screenshots of the Base, Temporal, and Environmental metrics from FIRST below for your reference.
Figure 1 – CVSSv3 Base Metrics
Figure 2 – CVSSv3 Temporal Metrics
Figure 3 – CVSSv3 Environmental Metrics
The total number of vulnerabilities studied was 3862. These were vulnerabilities disclosed from January 1, 2016 through October 6, 2016, and the source of the data is NVD.
The average base score increased from 6.5 (CVSSv2) to 7.4 (CVSSv3). This is illustrated in Figure 4.
Figure 4 – Average Base Score
Cisco adopted a Security Impact Rating (SIR) in 2015, which uses basically the same scale as the CVSSv3 qualitative severity rating scale. This was done to help organizations properly assess and prioritize their vulnerability management processes.
Figures 5 and 6 include high-level statistics for the qualitative severity differences between CVSSv2 and CVSSv3 scores for the vulnerabilities assessed in this study.
Figure 5 – Qualitative Metrics Change
Figure 6 – CVSSv2 vs. CVSSv3 Qualitative Metrics Distribution
There were several vulnerabilities whose base score decreased from a higher to a lower QM (qualitative metric) category when scored with CVSSv3. The following table depicts vulnerabilities for which the QM category increased (not just the score) when going from CVSSv2 to CVSSv3.
However, there were far more vulnerabilities whose CVSSv2 base score increased when scored with CVSSv3.
Seventy-four percent (74%) of the vulnerabilities that scored Low in CVSSv2 increased to Medium when scored with CVSSv3.
Figure 7 – Low to Medium Change
The following table summarizes the top 3 Common Weakness Enumeration (CWE) entries of the vulnerabilities that increased from Low to Medium when scored with CVSSv3.
Forty-four percent (44%) of the vulnerabilities that scored Medium in CVSSv2 increased to High when scored with CVSSv3.
Figure 8 – Medium to High Change
The following table summarizes the top 3 CWEs of the vulnerabilities that increased from Medium to High when scored with CVSSv3.
Twenty-eight percent (28%) of the vulnerabilities that scored High in CVSSv2 increased to Critical when scored with CVSSv3.
Figure 9 – High to Critical Change
The following table summarizes the top 3 CWEs of the vulnerabilities that increased from High to Critical when scored with CVSSv3.
Why Should I Care?
One thousand seventy-seven (1077) vulnerabilities moved from Low or Medium to High or Critical. That is a 52% increase in High or Critical vulnerabilities.
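The tallies above (share of each CVSSv2 band that moved up a band, top CWEs per transition, and the count that moved from Low/Medium to High/Critical) are simple to reproduce once you have per-vulnerability v2 and v3 scores. The script below is an added example, not the post's own tooling; it runs on a small constructed list of records rather than the NVD data set, and it assumes NVD's three-band CVSSv2 severity (Low 0–3.9, Medium 4–6.9, High 7–10) alongside the CVSSv3 qualitative scale.

```python
from collections import Counter

# Constructed sample records (CVE id, CVSSv2 base, CVSSv3 base, CWE); these are
# illustrative values, not the NVD data set analysed in the post.
SAMPLE = [
    ("CVE-0000-0001", 2.1, 5.5, "CWE-200"),  # Low -> Medium
    ("CVE-0000-0002", 2.6, 5.3, "CWE-79"),   # Low -> Medium
    ("CVE-0000-0003", 3.5, 3.5, "CWE-79"),   # stays Low
    ("CVE-0000-0004", 4.3, 6.1, "CWE-79"),   # stays Medium
    ("CVE-0000-0005", 5.0, 7.5, "CWE-20"),   # Medium -> High
    ("CVE-0000-0006", 6.8, 7.8, "CWE-119"),  # Medium -> High
    ("CVE-0000-0007", 7.5, 9.8, "CWE-119"),  # High -> Critical
    ("CVE-0000-0008", 7.2, 6.7, "CWE-264"),  # High -> Medium (category decreased)
]


def rating_v2(score):
    """NVD's three-band CVSSv2 severity: Low 0-3.9, Medium 4-6.9, High 7-10."""
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High"


def rating_v3(score):
    """CVSSv3 qualitative severity rating scale (the scale Cisco's SIR mirrors)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def transitions(records):
    """Count how many vulnerabilities moved from each v2 band to each v3 band."""
    return Counter((rating_v2(v2), rating_v3(v3)) for _, v2, v3, _ in records)


def share_moved(records, from_band, to_band):
    """Percentage of vulnerabilities rated from_band in v2 that are to_band in v3."""
    pool = [r for r in records if rating_v2(r[1]) == from_band]
    if not pool:
        return 0.0
    moved = sum(1 for r in pool if rating_v3(r[2]) == to_band)
    return round(100.0 * moved / len(pool), 1)


def top_cwes(records, from_band, to_band, n=3):
    """Most frequent CWEs among vulnerabilities that moved from_band -> to_band.
    Ties are broken by CWE id so the result is deterministic."""
    counts = Counter(cwe for _, v2, v3, cwe in records
                     if rating_v2(v2) == from_band and rating_v3(v3) == to_band)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def escalated_to_high_or_critical(records):
    """Vulnerabilities that were Low or Medium in v2 and High or Critical in v3."""
    return sum(1 for _, v2, v3, _ in records
               if rating_v2(v2) in ("Low", "Medium")
               and rating_v3(v3) in ("High", "Critical"))


if __name__ == "__main__":
    for (src, dst), count in sorted(transitions(SAMPLE).items()):
        print(f"{src:>6} -> {dst:<8} {count}")
    print("Low -> Medium share:", share_moved(SAMPLE, "Low", "Medium"), "%")
    print("Top CWEs, Medium -> High:", top_cwes(SAMPLE, "Medium", "High"))
    print("Escalated to High/Critical:", escalated_to_high_or_critical(SAMPLE))
```

Feeding it real NVD records (CVE id, both base scores, primary CWE) in place of SAMPLE reproduces the post's percentages and CWE rankings; the "category decreased" record shows why the transition counter keeps downward moves too, since a High-to-Medium change is exactly the kind of entry the first table above lists.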
As stated in our Security Vulnerability Policy in all of our security advisories:
“Cisco will provide an evaluation of the base vulnerability score, and in some instances, will provide a temporal vulnerability score. End users are encouraged to compute the environmental score based on their network parameters. The combination of all three scores should be considered the final score, which represents a moment in time and is tailored to a specific environment. Organizations are advised to use this final score to prioritize responses in their own environments. In addition, Cisco uses the Security Impact Rating (SIR) as a way to categorize vulnerability severity in a simpler manner. The SIR is based on the CVSS base score, adjusted by PSIRT to account for Cisco-specific variables, and will be included in every Cisco Security Advisory.”
Cisco takes a comprehensive approach to security and trust. Transparency and accountability in vulnerability management through Cisco’s Product Security Incident Response Team (PSIRT) is one of our core principles. This is why I want to share these results with you in anticipation of Cisco PSIRT using CVSSv3 in the first half of 2017.
This article presents an open framework for scoring IT vulnerabilities—the Common Vulnerability Scoring System (CVSS) Version 2.0. It introduces metric groups, describes base metrics, vector, and scoring. Finally, an example is provided to understand how it works in practice.
2. Metric groups
There are three metric groups:
I. Base (used to describe the fundamental information about the vulnerability—its exploitability and impact).
II. Temporal (time is taken into account when the severity of the vulnerability is assessed; for example, the severity decreases when the official patch is available).
III. Environmental (environmental issues are taken into account when the severity of the vulnerability is assessed; for example, the more systems affected by the vulnerability, the higher the severity).
This article is focused on base metrics. Please read A Complete Guide to the Common Vulnerability Scoring System Version 2.0 if you are interested in temporal and environmental metrics.
3. Base metrics
There are exploitability and impact metrics.
Exploitability metrics:
a) Access Vector (AV) describes how the vulnerability is exploited:
– Local (L)—exploited only locally
– Adjacent Network (A)—adjacent network access is required to exploit the vulnerability
– Network (N)—remotely exploitable
The more remote the attack, the more severe the vulnerability.
b) Access Complexity (AC) describes how complex the attack is:
– High (H)—a series of steps needed to exploit the vulnerability
– Medium (M)—neither complicated nor easily exploitable
– Low (L)—easily exploitable
The lower the access complexity, the more severe the vulnerability.
c) Authentication (Au) describes the authentication needed to exploit the vulnerability:
– Multiple (M)—the attacker needs to authenticate at least two times
– Single (S)—one-time authentication
– None (N)—no authentication
The lower the number of authentication instances, the more severe the vulnerability.
Impact metrics:
a) Confidentiality (C) describes the impact of the vulnerability on the confidentiality of the system:
– None (N)—no impact
– Partial (P)—data can be partially read
– Complete (C)—all data can be read
The more affected the confidentiality of the system is, the more severe the vulnerability.
b) Integrity (I) describes the impact of the vulnerability on the integrity of the system:
– None (N)—no impact
– Partial (P)—data can be partially modified
– Complete (C)—all data can be modified
The more affected the integrity of the system is, the more severe the vulnerability.
c) Availability (A) describes the impact of the vulnerability on the availability of the system:
– None (N)—no impact
– Partial (P)—interruptions in system’s availability or reduced performance
– Complete (C)—system is completely unavailable
The more affected the availability of the system is, the more severe the vulnerability.
Please note the abbreviated metric names and values in parentheses. They are used in the base vector description of the vulnerability (explained in the next section).
4. Base vector
Let’s discuss the base vector. It is presented in the following form:
AV:[L,A,N]/AC:[H,M,L]/Au:[M,S,N]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C]
This is an abbreviated description of the vulnerability that brings information about its base metrics together with metric values. The brackets include the possible metric values for the given base metrics. The evaluator chooses one metric value for every base metric.
The formulas for the base score and the exploitability and impact subscores are given in A Complete Guide to the Common Vulnerability Scoring System Version 2.0. However, there is no need to do the calculations manually. There is a Common Vulnerability Scoring System Version 2 Calculator available. The only thing the evaluator has to do is assign metric values to metric names.
6. Severity level
The base score is dependent on the exploitability and impact subscores; it ranges from 0 to 10, where 10 means the highest severity. However, CVSS v2 doesn’t transform the score into a severity level. One can use, for example, the FortiGuard severity level to obtain this information:

| FortiGuard severity level | CVSS v2 score |
|---|---|
| Critical | 9 – 10 |
| High | 7 – 8.9 |
| Medium | 4 – 6.9 |
| Low | 0.1 – 3.9 |
7. Putting all pieces together
An exemplary vulnerability in a web application is provided to better understand how Common Vulnerability Scoring System Version 2.0 works in practice. Please keep in mind that this framework is not limited to web application vulnerabilities.
Cross-site request forgery in the admin panel allows adding a new user and deleting an existing user or all users.
Let’s analyze first the base metrics together with the resulting base vector:
Access Vector (AV): Network (N)
Access Complexity (AC): Medium (M)
Authentication (Au): None (N)
Confidentiality (C): None (N)
Integrity (I): Partial (P)
Availability (A): Complete (C)
Base vector: (AV:N/AC:M/Au:N/C:N/I:P/A:C)
Explanation: The admin has to visit the attacker’s website for the vulnerability to be exploited. That’s why the access complexity is medium. The website of the attacker is somewhere on the Internet. Thus the access vector is network. No authentication is required to exploit this vulnerability (the admin only has to visit the attacker’s website). The attacker can delete all users, making the system unavailable for them. That’s why the impact of the vulnerability on the system’s availability is complete. Deleting all users doesn’t delete all data in the system. Thus the impact on integrity is partial. Finally, there is no impact on the confidentiality of the system, provided that the added user doesn’t have read permissions by default.
Let’s use the Common Vulnerability Scoring System Version 2 Calculator to obtain the subscores (exploitability and impact) and the base score:
Exploitability subscore: 8.6
Impact subscore: 7.8
Base score: 7.8
Let’s transform the score into a severity level according to the FortiGuard severity levels:
FortiGuard severity level: High
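The article hands the arithmetic to the NVD calculator, but the base score is a short, deterministic function of the six base metrics, and seeing it computed makes the subscores above less of a black box. The script below is an added example, not the article's or FIRST's code: it parses a base vector in the form shown in section 4, applies the exploitability, impact and base-score formulas and metric weights published in the CVSS v2 guide the article cites (the guide, not this page, is the source of those constants), and maps the result onto the FortiGuard bands from section 6. Labelling a 0.0 score "None" is this example's own convention, since the FortiGuard table starts at 0.1.

```python
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 guide (A Complete Guide to the Common
# Vulnerability Scoring System Version 2.0); the article cites the guide
# but does not reproduce these numbers.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
WEIGHTS = {"AV": AV, "AC": AC, "Au": AU, "C": CIA, "I": CIA, "A": CIA}
ORDER = ["AV", "AC", "Au", "C", "I", "A"]


def parse_vector(vector):
    """Turn '(AV:N/AC:M/Au:N/C:N/I:P/A:C)' into {'AV': 'N', ...}.

    Unknown metrics or values, repeated metrics and missing metrics are
    rejected rather than silently scored."""
    body = vector.strip().strip("()")
    metrics = {}
    for part in body.split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in WEIGHTS or value not in WEIGHTS[name]:
            raise ValueError(f"bad metric {part!r} in vector {vector!r}")
        if name in metrics:
            raise ValueError(f"metric {name} repeated in vector {vector!r}")
        metrics[name] = value
    missing = [m for m in ORDER if m not in metrics]
    if missing:
        raise ValueError(f"vector {vector!r} lacks {missing}")
    return metrics


def round1(x):
    """Round half up to one decimal place, as the CVSS v2 guide specifies."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector):
    """Return the exploitability subscore, impact subscore and base score.

    Subscores are rounded only for display; the base score is computed from
    the unrounded subscores, as the guide does."""
    m = parse_vector(vector)
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    # f(Impact): a vulnerability with no C/I/A impact scores 0 regardless of exploitability.
    f_impact = 0 if impact == 0 else 1.176
    base = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return {
        "exploitability": round1(exploitability),
        "impact": round1(impact),
        "base": round1(base),
    }


def fortiguard_severity(score):
    """Map a CVSS v2 base score onto the FortiGuard bands from section 6.

    The published table starts at 0.1; 'None' for a 0.0 score is this
    example's own label, not FortiGuard's."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score >= 0.1:
        return "Low"
    return "None"


if __name__ == "__main__":
    # The article's CSRF example: expected 8.6 / 7.8 / 7.8, severity High.
    vector = "(AV:N/AC:M/Au:N/C:N/I:P/A:C)"
    scores = base_score(vector)
    print(vector, scores, fortiguard_severity(scores["base"]))
```

The parser deliberately refuses partial vectors: a vector missing a metric cannot be scored, and defaulting the gap to "None" would quietly lower the result.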
This article described an open framework for scoring IT vulnerabilities—the Common Vulnerability Scoring System (CVSS) Version 2.0. Base metrics, the base vector and scoring were presented. An exemplary way of transforming CVSS v2 scores into severity levels was described (FortiGuard severity levels). Finally, an example was discussed to see how all these pieces work in practice.
A Complete Guide to the Common Vulnerability Scoring System Version 2.0, http://www.first.org/cvss/cvss-guide.html (access date: 8 July 2013)
Common Vulnerability Scoring System Version 2 Calculator, http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 (access date: 8 July 2013)
FortiGuard Severity Levels, http://www.fortiguard.com/static/intrusion/severity.html (access date: 8 July 2013)