Cybersecurity measures have become important in the ever-evolving landscape of digital threats. With organizations increasingly relying on digital technologies to drive their operations, the risk of cyberattacks becomes more likely, with potential consequences ranging from financial losses to reputational damages.
Understanding vulnerabilities within IT systems is key, as not all cybersecurity threats carry the same risks — some pose a higher threat level based on the potential impact or likelihood of exploitation.
To objectively measure and report the potential risks posed by vulnerabilities, security professionals use CVSS (Common Vulnerability Scoring System) to assess security vulnerabilities based on the potential impact and severity rather than relying on subjective measures.
Common Vulnerability Scoring System (CVSS) is a framework designed to provide a consistent and objective way to assess the severity of security vulnerabilities in IT systems.
Originally commissioned in 2003/2004 by the National Infrastructure Advisory Council (NIAC), in support of the global Vulnerability Disclosure Framework, CVSS version 1 was released in February 2005. CVSS was designed to be a vendor-agnostic, industry-open standard used to convey vulnerability severity and to help determine the urgency and priority of response to the vulnerability.
CVSS 4.0 was released on November 1, 2023, and is currently maintained and improved upon by the Forum of Incident Response and Security Teams (FIRST).
CVSS evaluates each vulnerability based on a variety of factors, such as exploitability, impact, and remediation level, assigning a numerical score that indicates its severity.
The scoring system ranges from 0 to 10, with higher scores indicating more severe vulnerabilities.
CVSS Score | Rating
0          | None
0.1 - 3.9  | Low
4.0 - 6.9  | Medium
7.0 - 8.9  | High
9.0 - 10.0 | Critical
Security teams use the score while prioritizing their response strategies, ensuring that the most dangerous threats are mitigated first, thus enhancing the overall security posture of an organization.
CVSS 4.0 uses four metric groups - Base, Threat, Environmental, and Supplemental - to evaluate the risk posed by a vulnerability.
However, no metric or value, as specified, affects the final CVSS score; they simply provide additional information about the vulnerability itself. It's up to consumer organizations to determine the importance and impact of each metric or combination of metrics. They can give them more, less, or no effect at all when categorizing, prioritizing, and assessing vulnerabilities.
The Base metrics give an idea of how severe a vulnerability is based on its intrinsic characteristics. They stay the same over time and assume the worst-case impact across environments.
Base metrics look at:
The Threat metrics adjust the severity of a vulnerability based on factors like the availability of proof-of-concept code or active exploitation. The Threat metric group reflects the characteristics of a vulnerability related to threat, which may change over time but not necessarily across user environments.
Unlike Base metric values, which stay constant, the values in this group are therefore expected to change over time.
Threat Metrics look at:
The Environmental metric group captures the specific vulnerability characteristics in a consumer's environment. It takes into account factors like the presence of security controls that can mitigate the consequences of an attack and the significance of a vulnerable system in a technology infrastructure.
Environmental metrics look at:
The Supplemental metric group consists of metrics that provide context and describe additional attributes of a vulnerability. The response to each metric in this group is determined by the CVSS consumer, allowing for the usage of an end-user risk analysis system to assign locally significant severity to the metrics and values.
Supplemental Metrics look at:
Each metric group has a different weighting, with Base metrics being the most heavily weighted and Environmental metrics having the least impact on overall score. This allows organizations to customize their CVSS scores to reflect their unique risk profiles.
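As an added illustration of the four metric groups described above (this is example code, not the official FIRST calculator), the following parses a CVSS 4.0 vector string into its Base, Threat, Environmental, and Supplemental metrics and maps a numeric score to the qualitative rating from the table earlier on the page. Computing the numeric score itself requires the specification's MacroVector lookup tables and is out of scope here.

```python
import re

# Metric abbreviations by group, as defined in the CVSS v4.0 specification.
GROUPS = {
    "Base": ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA"),
    "Threat": ("E",),
    "Environmental": ("CR", "IR", "AR", "MAV", "MAC", "MAT", "MPR", "MUI",
                      "MVC", "MVI", "MVA", "MSC", "MSI", "MSA"),
    # Supplemental metrics carry context only; none of them feeds the score.
    "Supplemental": ("S", "AU", "R", "V", "RE", "U"),
}
METRIC_TO_GROUP = {m: g for g, metrics in GROUPS.items() for m in metrics}


def parse_vector(vector):
    """Return {group: {metric: value}} for a CVSS 4.0 vector, else raise ValueError."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("vector must start with CVSS:4.0/")
    parsed = {g: {} for g in GROUPS}
    for part in parts[1:]:
        # Values are usually one letter, but Provider Urgency (U) uses words
        # such as Amber, so allow any alphabetic value here.
        m = re.fullmatch(r"([A-Z]+):([A-Za-z]+)", part)
        if not m:
            raise ValueError(f"malformed metric {part!r}")
        name, value = m.groups()
        group = METRIC_TO_GROUP.get(name)
        if group is None:
            raise ValueError(f"unknown metric {name!r}")
        if name in parsed[group]:
            raise ValueError(f"duplicate metric {name!r}")
        parsed[group][name] = value
    # All eleven Base metrics are mandatory; the other groups are optional.
    missing = [m for m in GROUPS["Base"] if m not in parsed["Base"]]
    if missing:
        raise ValueError(f"missing Base metrics: {', '.join(missing)}")
    return parsed


def rating(score):
    """Map a 0.0-10.0 CVSS score to the qualitative rating from the table."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("score must lie between 0.0 and 10.0")
    if score == 0.0:
        return "None"
    for lower, label in ((4.0, "Low"), (7.0, "Medium"), (9.0, "High")):
        if score < lower:
            return label
    return "Critical"
```

A vector that omits Threat, Environmental, or Supplemental metrics still parses, which mirrors how a Base-only score from a vendor advisory is later enriched by the consumer.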
Despite its utility, there are a few limitations when using CVSS for vulnerability scoring.
Subjectivity in scoring. CVSS scores are assigned by analysts based on their interpretation of the vulnerability's characteristics. This subjectivity can lead to variations in scoring, as different analysts may interpret the same information differently.
Limited environmental context. Although CVSS incorporates Environmental Metrics to consider organizational factors, assessing the actual impact in a specific environment can be difficult. Some metrics, due to their generic nature, may not fully capture the uniqueness of each organization's infrastructure.
Scoring may not reflect real-world exploitation. The ease of exploit metrics in CVSS may not always match real-world scenarios. Even vulnerabilities with low ease of exploit scores in CVSS can still be actively exploited if effective exploit tools are available.
Doesn't account for security controls. CVSS does not take into account the effectiveness of security controls in place to mitigate or prevent vulnerability exploitation. An organization with strong security measures may have lower actual risk than what the CVSS score suggests.
While CVSS has its limitations, it's still a crucial part of a comprehensive vulnerability management program. When paired with additional context and ongoing reviews, it can effectively guide organizations in managing and mitigating their cybersecurity risks.
As cyber threats continue to evolve, the CVSS framework remains a crucial tool in maintaining the security of an organization's technology infrastructure. By understanding how CVSS works and its different components, security professionals can make informed decisions when it comes to mitigating potential risks within their systems and protecting sensitive data.
FIRST is always working on improving and updating the CVSS framework to keep pace with emerging threats and vulnerabilities. Staying up-to-date with the latest version of CVSS is crucial for organizations to ensure the accuracy and effectiveness of their vulnerability management processes.
This posting does not necessarily represent Splunk's position, strategies or opinion.