The Common Vulnerability Scoring System (CVSS) is an industry-standard for assessing the severity of potential or actual vulnerabilities in computer systems. We explain how the system works and its limitations.
A scoring system is mainly concerned with assessing the threat posed by a security vulnerability. In some cases, this is easy, but the facts are not always clear and the question is how can the severity of a vulnerability be quantified systematically?
Vulnerability Risk Analysis
Vulnerabilities are usually assessed using the method of risk analysis. In this process, the probability of exploits occurring and the possible damage they may cause are estimated. Assessments can, however, always be interpreted in different ways.
In vulnerability scoring systems, predefined factors are used to help quantify the degree and probability of damage as objectively as possible. The Common Vulnerability Scoring System (CVSS) describes vulnerability characteristics and determines the severity.
With CVSS, vulnerabilities are assessed based on so-called metrics. There are predefined options for each category and these are used to calculate a severity level from 0.0 to 10.0, with 10.0 corresponding to the highest possible severity level.
Based on these numerical values, qualitative categories are then assigned (None, Low, Medium, High, and Critical), which are also familiar from vulnerability reports.
The metrics are divided into three groups: Base Metrics, Temporal Metrics, and Environmental Metrics. Base metrics describe the essential technical and unchanging characteristics of a vulnerability. From these, a so-called “base score” can be calculated, which represents the technical severity of a vulnerability.
It can be readjusted later and adapted to changes over time (temporal metrics) or the environment of the affected system (environmental metrics).
The CVSS metrics are divided into three groups
For vulnerabilities, a CVE ID is usually assigned as a unique vulnerability identifier in the format CVE-YYYY-NNNN. We have a separate detailed article on the CVE System if you want to delve deeper into the topic.
CVSS assigns a severity level to vulnerabilities and CVE assigns a unique identifier.
Basic metrics are used to calculate the probability of an attack (exploitability metrics) and the consequences of exploitation (impact metrics).
The prerequisites include, among others, if an attack can be carried out via the Internet or whether physical access to a system is required (attack vector).
It is also assessed if an attack can be carried out unauthenticated or if an attacker must have a valid user account with certain privileges (privileges required).
The most critical determinant of the consequences of a successful attack is whether data can be extracted from the affected system, changed on the system, or if its availability can be restricted.
In other words, it is determined to what extent the protection goals of confidentiality, integrity, and availability (CIA) are compromised by successful exploitation.
To calculate the base score, the metrics are offset against each other. Most CVSS assessments on the Internet use this score.
The base score can later be adapted to temporal changes (Temporal Metrics) or adjusted to the respective environment of the affected system (Environmental Metrics).
For example, temporal changes occur when there is no longer just a possible description of an abstract vulnerability, but a fully functional exploit appears in the wild (exploit code maturity).
The criticality can also decrease if a workaround or an official manufacturer fix is available for the vulnerability (remediation level).
The Environmental metrics allow the score to be adapted to the specific IT environment within an organization. Depending on the importance of a system, the base score is upgraded or downgraded.
CVSS Metrics and Equations
Base Score, Temporal Score, and Environmental Score are added up to a total score in the end. For each individual score as well as for the total score, a numerical value is obtained.
These values are categorized in severity levels from “None” to “Critical”. This qualitative assignment is optional and primarily intended to support companies in prioritization when doing vulnerability management.
An overview of the CVSS vector structure is provided by the CVSS Calculator. Metrics can easily be calculated via a web interface and scores and vectors are automatically calculated.
Vulnerabilities should be assessed as unbiased as possible. The interests of the person doing the assessment are likely to play a role. Manufacturers argue that they have a better basis of information and sometimes talk down vulnerabilities to avoid bad press. Researchers might benefit from a high rating of a finding.
Fortunately, discussions within the security community usually have a correcting effect on such bias.
Version 4.0 of CVSS is already being actively discussed. The Temporale Metrics are to be improved and the introduction of supplemental metrics like “Mitigation Effort” or “Provider-Specific Urgency” is discussed.
After almost two decades CVSS has become an indispensable part of vulnerability management and helps organizations to prioritize incidents with software and components.