Common Vulnerability Scoring System (SVSS) version 3.0 framework was the last one that was published by the organization responsible for creating it. It was created by the Forum of Incident Response and Security Teams (FIRST).
This open reference framework creates metrics for the communication of the impact, characteristics and severity of vulnerabilities that affect elements of the IT security environment. In this article, we will review the changes to the recently published version 3.1 compared to its predecessor.
Version 3.1 does not introduce new values, metrics or make vital modifications to existing formulas with respect to the older version. However, it focuses on enhancing and clarifying the existing standard. The most important changes are explained below:
This version highlights that the CVSS is created to measure the severity of a vulnerability and may not be used as the only tool needed to evaluate risk. The CVSS v3.1 specification document clearly states that the CVSS Base Score represents only the fundamental characteristics of a vulnerability that are constant over time and are common to different user environments.
To carry out a systematic analysis, this base score must be complemented with a contextual analysis by taking advantage of the temporal and environmental metrics. Other external factors will not be considered by the CVSS as threats and exposure.
The description of the values (Adjacent, Network, Local and Physical) of the attack vector (AV) metric are reformulated to make them more known to CVSS general consumers and suppliers, avoiding references to the OSI model. A guide section for the use of this metric is also included when resources are behind a firewall.
The value adjacent (A) of the attack vector (AV) metric, of the base score group of metrics, as defined in CVSS 3.0 caused uncertainty in the case of logically adjacent or trusted networks (VPN, MPLS, etc.). To address this inaccuracy, the definition of adjacent is extended, including these limited-access networks.
The specification document and the user guide have been updated to assist CVSS analysts to perform defensible and consistent scores in different situations that could be ambiguous before which include:
The Environmental Metrics Group includes three security requirement metrics:
When scoring the attack vector metric, the network or adjacent value must be used, suitably, whenever a network connection is needed for an attack to succeed, even if the attack is not launched through a network.
Vulnerabilities in which malicious data is received through a network by a component and then passed to another separate component with a vulnerability must be scored with a local attack vector. For instance, a browser that downloads a malicious office document stores it on disk and starts an office application that reads it.
In cases where vulnerable functionality is part of the component that receives malicious data, the attack vector must be classified as network. For example, a browser with its own vulnerability that starts when it receives malicious data.
The formulas used to calculate the Base, Temporary and Environmental scores have been modified through the following ways:
Since its initial launch in 2004, CVSS has enjoyed wide acceptance. In September 2007, CVSS v2.0 was adopted as part of the PCI DSS (Payment Card Industry Data Security Standard). In 2007, the National Institute of Standards and Technology (NIST) included CVSS v2.0 as part of its Security Content Automation Protocol (SCAP). In March 2016, CVSS v3.0 was formally adopted as an international standard for rating vulnerabilities.
February 2021 Patch Tuesday Rundown
Kent Weigle March 03, 2021Could the Vulnerability Fujiwhara Effect Be the New Normal?
Kent Weigle January 18, 2021Six Ways to Improve Your Patch Management Practices
Kent Weigle January 05, 2021Top Trending CVEs of January 2021
Kent Weigle February 01, 2021So I Really Have to Update Chrome?
Kent Weigle February 08, 2021