CVE and CVSS: What's the Difference?

CVE and CVSS are some of the most commonly misunderstood features of patching. In this article, we will explore the differences and showcase how they can affect your patching technique. Although many IT managers are familiar with these terms CVE and CVSS, some IT professionals still don’t understand the difference between them. CVE and CVSS are synonymous with software vulnerabilities, patching and operating systems. 

What is CVE?

The CVE is known as Common Vulnerabilities and Exposures. It’s a special identifier that is used by vendors such as Adobe, Microsoft and others to catalog individual security vulnerabilities where patches are provided as a resolution. For instance, every page of a book has a distinctive number and this helps to find a solution to the problem of finding the information on each page of a book quickly.

Generally, all CVE numbers appear in this form: CVE-nnnn-nnnn. With this, you will see scope for millions of vulnerabilities. Since CVE number is not owned by any specific software vendor, clients should be assured of complete protection. It’s an independent and unbiased database for all vendors to publish their vulnerabilities. 

It also means that vendors must publish transparent content to these databases. This will offer some assurance to the data accuracy. Every company that wants to publish its vulnerability announcement must become a CNA (CVE Numbering Authority) before its participation is considered dependable. 

Vendors will include necessary and relevant information within each CVE record. For instance, 

• Description of vulnerability.
• Severity.
• CVE number.
• References to other CVE records.
• Publish Date.
• Change History.

What’s a CVSS Score?

The CVSS (Common Vulnerability Scoring System) is an independently assigned score that is based on different factors to know the importance of vulnerability. To compare CVSS scores, we will take a look at how Microsoft scores their vulnerabilities. 

Microsoft Rating System:

1. Critical: A vulnerability that can allow remote code execution without any user interaction or where code executes without notification.
2. Important: Vulnerabilities where the client is compromised with warnings and whose exploitation may result in data compromise. 
3. Moderate: The impact is eased by different factors such as non-default applications being affected. 
4. Low: The impact is systematically mitigated by the features of the mitigated component. 
5. NA: Not available.

Note: Microsoft approach self-certifies vulnerabilities in its products. 

Generating the CVSS scores is complex. However, it takes into consideration the following vital questions:

1. Can you exploit over the internet or do you need physical access?
2. How easy is the vulnerability to be exploited? 
3. Do you need network or physical access and do you need elevated privileges?
4. How much end-user interaction is needed?
5. Is specific software or configuration of software needed? Does it impact everything?

Each of the above or more are arranged in a subscore that’s calculated together. The CVSS score will then be calculated out of 10. Industry professionals believe this offers a way to know the priority of how quickly you must take action if any of these vulnerabilities exist in your environment.

CVSS calculation:    

Rating CVSS Score

None 0.0

Low 0.1-3.9                                                

Medium 4.0-6.9

High 7.0-8.9

Critical 9.0-10.0

If a vulnerability is detected and it’s left unpatched, it will cause a big risk of having it exploited by attackers. The attacks against known vulnerabilities spike within hours and days after the patches are released. Therefore, it’s important to know how vital the vulnerability is.

CVSS Solution

Take any vulnerability scores likely and start searching for independently assessed ratings, such as the Common Vulnerability Scoring System (CVSS). Every month NIST/US-CERT makes use of CVSS to rate most patch updates the day they are released. This offers a good idea of the risk level for a particular vulnerability to your business.

Downtime for businesses can be costly. A unique approach to patching is to have a special window of downtime each month to update systems. If there is any issue with patch, compatibility and systems need to be rolled back and this prolongs the downtime and can affect a business. 

Common Vulnerabilities and Exposures (CVE) Glossary

CVE is a term that classifies vulnerabilities. The glossary evaluates vulnerabilities and makes use of the CVSS to analyze the threat level of a vulnerability. CVSS is most often used for ranking the severity of vulnerabilities. 

The CVE glossary is a project devoted to tracking and cataloging vulnerabilities in consumer hardware and software. It’s maintained by the MITRE Corporation with funding from the United States Division of Homeland Security. Vulnerabilities are collected and grouped using SCAP (Security Content Automation Protocol). SCAP assesses vulnerability information and assigns each vulnerability a special identifier. 

Once evaluated and identified, vulnerabilities are listed in the publicly available MITRE glossary. After the listing is done, vulnerabilities are analyzed by the National Institute of Standards and Technology (NIST). All analysis information and vulnerability will be listed in NIST’s National Vulnerability Database (NVD).

The CVE glossary was made as a model of communication and source of dialogue for the tech and security industries. CVE identifiers offer standardized vulnerability information and unify communication among security experts. 

Defining CVE, CVSS and NVD

• CVE: Common Vulnerabilities and Exposure is a list of publicly disclosed vulnerabilities and exposures that’s maintained by MITRE.
• CVSS: The Common Vulnerability Scoring System (CVSS) is a system generally used in vulnerability management programs. It indicates the severity of information security vulnerability and is an essential part of many vulnerability scanning tools. 
• NVD: The National Vulnerability Database (NVD) is a database that is maintained by NIST. 

Differences between CVSS and CVE

CVSS is the total score assigned to a vulnerability while CVE is a list of all publicly disclosed vulnerabilities that include the CVE ID, dates, comments and description. The CVSS score is not reported in the CVE listing. You must use the NVD to find assigned CVSS scores. 

Differences between CVE and NVD

The CVE list feeds into the NVD. Therefore, the two are synchronized at all times. The NVD offers enhanced information that’s beyond what’s in the CVE list, which includes severity scores and patches availability. NVD also provides easy tools that can be used to search for a wide range of variables. NVD and CVE are both sponsored by the Government of the United States and are available for free.