A vulnerability is a weakness in software, hardware, procedures or personnel. But not all vulnerabilities are the same: some have system administrators scrambling to deploy a patch, while others are not worth fixing.
To evaluate the severity of each vulnerability, the Common Vulnerability Scoring System (CVSS) was created. CVSS is an open standard used to assign a score to each vulnerability based on a set of metrics. There are three metric groups, Base, Temporal and Environmental, each producing a numerical score ranging from 0 to 10, where 10 is the most severe.
Once a vulnerability is discovered, evaluated and catalogued, some of its aspects do not change, assuming the preliminary information is complete and accurate. These intrinsic features neither change over time nor differ between environments. The base metric group captures the access to and the impact on the target.
The base score is used in analyzing specifics of each vulnerability based on the following metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity and Availability.
In order to exploit a vulnerability, an attacker requires a path through which they can reach the vulnerable component. Exploitation can happen through one of the following:
Network: the vulnerability can be exploited remotely,
Adjacent network: exploitation is limited to the same physical or logical network,
Local access: exploitation requires prior access to the vulnerable system, or
Physical access: the attacker must physically manipulate the vulnerable component.
Such paths are known as Attack Vectors, with Network being the most exposed and therefore the most dangerous.
Many vulnerabilities are hard to exploit. Exposed components normally feature advanced defenses against exploitation, and some vulnerabilities need prior knowledge of the target's configuration. The metric that evaluates this is Attack Complexity, which takes one of two values, High or Low.
Some vulnerabilities are exploitable without any authentication, some need ordinary user privileges, and some need full administrative access to the vulnerable system. This is the Privileges Required metric: None is the most severe, Low means user privileges are needed, and High means administrative privileges are needed to exploit the vulnerability. Occasionally, vulnerabilities that need elevated privileges are chained with privilege escalation vulnerabilities to achieve successful exploitation.
In modern systems, potentially vulnerable components are sandboxed to reduce the impact of a vulnerability. For example, if an attacker exploits a vulnerability in Chrome's JavaScript engine, they will not be able to gain access to your filesystem, because the component runs in a constrained sandbox. To measure the impact on other components, the Scope metric is used. If an attacker can gain access to other components after exploitation, the scope is Changed; otherwise, the scope is Unchanged.
These metrics are used in equations to calculate the final base score. There is also a verbal severity rating assigned based on the score:
Temporal metrics measure qualities that are likely to change over time, as researchers put more effort into the vulnerability and manufacturers release patches. As a vulnerability ages, some of its characteristics change. In most cases, when a vulnerability is discovered, the number of vulnerable systems is at or close to its peak, while the availability of exploit and remediation information is at its lowest point.
The Exploit Code Maturity metric evaluates the likelihood of the vulnerability being abused. Unproven means that no exploit is available; Proof-of-Concept (PoC) signifies that exploit code is publicly obtainable, and the value increases further with the quality of that code, to Functional and then High.
Remediation Level assesses the existence of a mitigation or patch: Unavailable is the most severe, Temporary Fix indicates an unofficial patch or mitigation exists before the vulnerability is patched, and Official Fix signifies a stable patch released by the manufacturer.
Report Confidence represents the credibility of the reports publishing the vulnerability, with the values Unknown, Reasonable and Confirmed.
The severity of each vulnerability may not be the same for each organization. The environmental metrics allow security analysts to change the rating to better fit the assets of the company. CVSS is an essential tool for vulnerability management and must be understood to know whether a vulnerability poses a danger to the company and needs quick attention.
Different user environments can have a large bearing on how a vulnerability affects a particular information system and its stakeholders. The CVSS environmental metrics group captures features of vulnerabilities that relate to system deployment and the network environment.
Manufacturers of medical equipment that is software or contains software must always pay attention to vulnerability databases such as the one maintained by NIST. In order to be able to group the notices published there, it is ideal to know the CVSS metrics.
This Offers Manufacturers The Following Tasks: