Breaking Down the Common Vulnerability Scoring System

Jan 12, 2021

A vulnerability is a weakness in software, hardware, procedures or personnel. But not all vulnerabilities are the same: some have system administrators scrambling to deploy a patch, while others are not worth fixing.

To evaluate the severity of each vulnerability, the Common Vulnerability Scoring System (CVSS) was created. CVSS is an open standard, maintained by FIRST, that assigns a score to a vulnerability based on a set of metrics. The metrics are organised into three groups, Base, Temporal and Environmental, each of which produces a numerical score from 0 to 10, with 10 being the most severe. The metrics described below are those of CVSS version 3.

Base Rating

Once a vulnerability has been discovered, evaluated and catalogued, some of its aspects do not change, assuming the preliminary information is complete and accurate. These intrinsic characteristics vary neither over time nor between environments. The Base metric group captures how the vulnerable component can be reached and what impact a successful exploit has on it.

The Base score is derived from the following metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, and the Confidentiality, Integrity and Availability impacts.

In order to exploit a vulnerability, an attacker needs a path through which they can reach the vulnerable component. CVSS recognises four such paths:

Network: the vulnerability can be exploited remotely, from anywhere the vulnerable service is reachable, including across the internet.

Adjacent network: exploitation is limited to the same physical or logical network, for example the same subnet, Wi-Fi or Bluetooth range.

Local access: the attacker needs prior access to the vulnerable system, such as a local account, or must rely on a user to open a malicious file.

Physical access: the attacker must physically touch or manipulate the vulnerable component.

This metric is the Attack Vector. Network is the most exposed path and scores the highest, because the pool of potential attackers is largest.

Many vulnerabilities are hard to exploit. Attack Complexity captures the conditions outside the attacker's control that must hold for an exploit to succeed: some vulnerabilities can only be triggered by winning a race condition, others require prior knowledge of the target's configuration. The metric has two values, Low and High. Low means the attacker can expect repeatable success without any special conditions, and scores higher.

Some vulnerabilities can be exploited without any authentication, some require the capabilities of an ordinary user, and some require full administrative access to the vulnerable system. This is the Privileges Required metric: None is the most severe, Low means user-level privileges are needed, and High means administrative privileges are needed to exploit the vulnerability. Vulnerabilities that need elevated privileges are often chained with privilege escalation vulnerabilities to complete an attack. The related User Interaction metric records whether a victim must do something, such as open a file or click a link, for the exploit to work; None scores higher than Required.

Modern systems sandbox potentially vulnerable components to limit the impact of a vulnerability. For example, exploiting a vulnerability in Chrome's JavaScript engine on its own does not give an attacker access to your filesystem, because the engine runs in a constrained sandbox. The Scope metric records whether a successful exploit affects resources beyond the security authority of the vulnerable component: if the attacker can reach other components after exploitation, as in a sandbox escape or a virtual machine escape, Scope is Changed; otherwise it is Unchanged. Finally, the Confidentiality, Integrity and Availability metrics each record the impact on the affected component as None, Low or High.

These metrics are fed into the Base score equations. A qualitative severity rating is also assigned based on the numeric score:

  • None: 0
  • Low: 0.1 – 3.9
  • Medium: 4.0 – 6.9
  • High: 7.0 – 8.9
  • Critical: 9.0 – 10

Temporal Rating

Temporal metrics measure characteristics that are likely to change over time, as researchers study the vulnerability further and vendors release patches. When a vulnerability is first disclosed, the number of vulnerable systems is typically at or near its peak, while the availability of exploit code and remediation information is at its lowest. The Temporal score adjusts the Base score to reflect the current state of affairs; because every Temporal multiplier is at most 1, it can lower the Base score but never raise it.

Exploit Code Maturity estimates how likely the vulnerability is to be attacked. Unproven means no exploit is known. Proof-of-Concept (PoC) means exploit code is publicly available but may not work reliably against every target. Functional means a working exploit exists, and High means the exploit is reliable and widely available, or that no exploit is needed at all (for example, a self-propagating worm). Not Defined is used when the information is unknown and leaves the score unchanged.

Remediation Level records whether a fix exists. Unavailable is the most severe value: no fix or workaround is known. Workaround means an unofficial, non-vendor mitigation exists, Temporary Fix means the vendor has released an interim fix or hotfix, and Official Fix means a stable patch released by the vendor is available.

Report Confidence represents the credibility of the reports describing the vulnerability, with the values Unknown, Reasonable and Confirmed.

Environmental Rating

The severity of a vulnerability is not the same for every organization. Environmental metrics let security analysts adjust the rating to reflect their own assets: the Confidentiality, Integrity and Availability Requirements state how important each of those properties is for the affected system, and the Modified Base metrics allow a metric to be overridden for the local deployment, for instance lowering Attack Vector from Network to Adjacent for a service that sits behind a firewall. CVSS is an essential tool for vulnerability management, and it must be understood in order to judge whether a vulnerability poses a danger to the company and needs quick attention.

Different user environments can have a large bearing on how a vulnerability affects a particular information system and its stakeholders. The Environmental metric group captures the characteristics of a vulnerability that depend on how the affected systems are deployed and on the surrounding network environment.

  • Deductions

Manufacturers of medical devices that are software, or that contain software, must keep a constant eye on vulnerability databases such as NIST's National Vulnerability Database (NVD). To be able to triage the advisories published there, it is essential to understand the CVSS metrics.

  • Tasks

This gives manufacturers the following tasks:

  1. To derive the IT security requirements of the device and to design a system architecture that is as resilient to cyber-attacks as possible. In both cases, the free IT security guideline, which has in the meantime been adopted by the notified bodies, will help.
  2. To set out the clinical context precisely in the intended purpose and the accompanying materials. This is also a requirement of the MDR.
  3. Draw up a post-market surveillance plan for every product that sets out how the manufacturer reacts to advisories rated under the CVSS.
  4. Choose components whose manufacturer eliminates vulnerabilities as quickly as possible.
  5. Use an IT system that automatically collects vulnerability advisories, or make use of Post-Market Radar, which also assesses other sources of information and so saves the manufacturer a lot of PMS work.
  6. Draw up and revise an SOP on post-market surveillance (PMS) which, among other things, requires or describes these measures.

Written by

Kent Weigle
