Understanding CVSS: Your Essential Guide to Cybersecurity Risk Assessment

Siddhesh
11 min readSep 13, 2023

--

Caution: Long Blog Ahead! Get ready for an in-depth dive into our topic :-).

Introduction:

In the world of cybersecurity, staying ahead of potential threats is crucial. This is where CVSS, or the Common Vulnerability Scoring System, comes into play. CVSS is a standardized method for assessing and prioritizing security vulnerabilities. But what exactly is CVSS, and why is it so essential for organizations and security professionals? In this blog post, we’ll break down the basics of CVSS, explain the CVSS calculator, and shed light on why it’s a vital tool in the realm of cybersecurity.

What is CVSS?

CVSS, short for Common Vulnerability Scoring System, is a framework for measuring and assessing the severity of security vulnerabilities in computer systems, applications, and networks. It provides a structured and consistent way to evaluate the potential impact and risk associated with a vulnerability.

Why is CVSS Required?

1. Consistency: CVSS provides a common language for security professionals to communicate the severity of vulnerabilities consistently. This is crucial when dealing with diverse systems, applications, and devices.

2. Prioritization: With countless vulnerabilities reported daily, it’s essential to prioritize which ones to address first. CVSS helps organizations prioritize by quantifying the potential impact.

3. Risk Mitigation: CVSS helps organizations make informed decisions about resource allocation for vulnerability mitigation. It aids in determining the appropriate level of response and resources required.

4. Reporting: CVSS scores are often included in vulnerability reports and databases, making it easier for security teams to assess and respond to threats effectively.

Understanding CVSS Scores: Base, Temporal, and Environmental

CVSS scores consist of three components: Base, Temporal, and Environmental. Let’s break down these components with simple examples:

· Base Score:

Base Score represents the intrinsic qualities of a vulnerability, including its impact if successfully exploited. It consists of several submetrics, including: Attack Vector (AV), Attack complexity, Privileges required and more which we will discuss in later section of blog in detail.

Example: Consider a remote code execution vulnerability in a widely used web server software. The CVSS Base Score for this vulnerability might be high, indicating that it can be exploited remotely with low complexity and without user interaction, potentially leading to a significant compromise of the system.

source: www.first.org

· Temporal Score:

Temporal Score takes into account factors that change over time, such as the availability of patches or the current level of exploitation in the wild. It provides a more up-to-date assessment of the vulnerability’s risk.

Example: If a critical software vulnerability is discovered but a patch is readily available, the Temporal Score would consider this as lower risk because it can be quickly mitigated.

source: www.first.org

· Environmental Score:

Environmental Score considers the unique characteristics of an organization’s environment. It accounts for factors like the value of the vulnerable asset, the impact of a successful attack on the organization, and the effectiveness of existing security controls.

Example: An organization may have additional security measures in place that reduce the impact of a vulnerability. The Environmental Score helps tailor the CVSS rating to the organization’s unique circumstances.

source: www.first.org

Moving ahead we will discuss more about the Base score as it is the most useful component while reporting the vulnerability.

Base score consist of 8 sub metrics as follows:

1. Attack vector (AV): It refers to the path or method that an attacker would use to exploit a vulnerability in a system, application, or network. It describes how an attacker gains access to the target and carries out the attack. Attack vectors are categorized into different types based on the means an attacker employs. Here’s an explanation of common attack vectors:

a. Network (N): Use this when evaluating vulnerabilities in web applications accessible over the internet. It helps assess the risk of remote attackers exploiting the vulnerability. It also applies for the vulnerabilities in network devices like routers, firewalls, or VPN servers that are exposed to the internet.

Example: Exploiting a software vulnerability over the internet, such as compromising a web server or exploiting a network service remotely.

b. Adjacent (A): Use this when we are able to assess vulnerabilities in applications or services on a local network (intranet) where attackers need to gain access to the internal network before exploiting the vulnerability.

Example: Attacker gaining access to a corporate local/Wi-Fi network and exploiting vulnerabilities in locally connected devices or systems.

c. Local (L): Use this when assessing vulnerabilities in vulnerable system or device (laptop apps/Mobile apps etc.) where an attacker needs physical access to the device or interaction with it to exploit the flaw i.e., attackers must interact directly with the hardware or software on the target, which can involve manipulating physical components or exploiting software weaknesses.

Example: A malicious user gaining physical access to a computer and using it to exploit vulnerabilities, or inserting a malware-infected USB drive into a system.

d. Physical (P): Use this if attack vector involves physical manipulation of the hardware or infrastructure itself, rather than exploiting software vulnerabilities i.e., when assessing the risk of physical access breaches in data centers, server rooms, or critical infrastructure facilities. Also, when evaluating vulnerabilities in physical hardware, such as servers, embedded systems, or industrial control systems. Attackers need physical access to exploit these vulnerabilities.

Example: Tampering with server hardware, physically cutting network cables, or bypassing physical security controls in a data center.

2. Attack Complexity (AC): It assesses the level of difficulty for an attacker to exploit a vulnerability. It helps in understanding how easy or difficult it is for an attacker to carry out an exploit. Attack Complexity is scored on a scale of “Low” and “High.” Here’s an explanation of these two levels:

a. Low (L): Use this when the attack is relatively straightforward to execute and typically requires minimal technical expertise or resources. In many cases, vulnerabilities with low attack complexity can be exploited remotely over a network, such as through the internet. Some low-complexity vulnerabilities can be easily exploited using automated tools or scripts and these vulnerabilities may be more likely to be exploited in the wild because they are relatively easy for attackers to leverage.

Example: A web server vulnerability that can be remotely exploited with a simple HTTP request and doesn’t require any advanced skills.

b. High (H): Use this when an attack is difficult to execute and usually requires significant technical expertise, specialized tools, or extensive resources. In some cases, high-complexity vulnerabilities may necessitate physical access to the target system or device. Attackers may need to carry out complex, manual steps to exploit these vulnerabilities. Since the vulnerabilities with high attack complexity are challenging to leverage that’s why they likely to be exploited.

Example: A server vulnerability that requires a combination of advanced techniques, custom-written exploits, and insider knowledge to exploit successfully.

2. Privileges Required(PR): It assesses the level of privileges or access rights an attacker must possess to exploit a vulnerability. This metric helps in understanding whether the attacker needs special permissions or credentials to take advantage of the vulnerability. Privileges Required is scored on a scale of “None,” “Low,” and “High.” Here’s an explanation of these privilege levels:

a. None (N): Use this when an attacker can exploit the vulnerability without needing any specific access rights or privileges. The vulnerability can be exploited by anyone, including unauthenticated users. Vulnerabilities with “None” as the privilege required score are typically more severe because they can be exploited by a broader range of attackers.

Example: An open FTP server that allows anonymous access and has a security vulnerability accessible to anyone on the internet.

b. Low (L): Use this when an attacker needs some level of access or permissions, but these are relatively common or easy to obtain. It might require authentication but not necessarily elevated or administrative privileges. Vulnerabilities with “Low” privilege requirements are somewhat less severe than those with “None,” as they may require some initial effort to gain access.

Example: A web application vulnerability that can be exploited by a logged-in user but doesn’t require administrator rights.

c. High (H): Use this when an attacker needs elevated or administrative privileges to exploit the vulnerability. This usually means the attacker must already have control over a user account with special access rights. Vulnerabilities with “High” privilege requirements are often less severe because they are more challenging for attackers to exploit, as they need to gain significant access rights first.

Example: A vulnerability in an operating system that can only be exploited by an attacker who has gained administrative control over the system.

3. User Interaction (UI): It assesses whether a vulnerability can be exploited without any user interaction or if it requires some form of user engagement. This metric helps in understanding whether an attacker can carry out an exploit without the victim’s participation. User Interaction Required is scored as either “None” or “Required.” Here’s an explanation of these user interaction levels:

a. None (N): Use this when an attacker can exploit the vulnerability without any action from the user or victim. The exploit can occur automatically, often through network-based attacks or code execution without user interaction. Vulnerabilities with “None” user interaction required are typically more severe because they can be exploited without relying on a user to take any action.

Example: A remotely exploitable vulnerability in a network service that doesn’t require any user interaction.

b. Required (R): Use this when an attacker needs the user or victim to perform some action, such as clicking on a malicious link, opening a file, or providing specific input. The vulnerability cannot be exploited automatically. Vulnerabilities with “Required” user interaction are often less severe because they rely on user actions, which can be unpredictable and harder for attackers to orchestrate.

Example: A phishing email containing a malicious link that requires the user to click on it to trigger the exploit.

4. Scope(S): It assesses whether the impact of a vulnerability is limited to the vulnerable component (unchanged) or extends beyond it, potentially affecting other components or systems (changed). This metric helps in understanding whether a vulnerability has the potential to escalate and compromise a broader range of resources. Scope is scored as either “Unchanged” or “Changed.” Here’s an explanation of these scope levels:

a. Unchanged(U): Use this if the impact of the vulnerability is confined to the vulnerable component itself. Exploiting the vulnerability does not result in a broader compromise of other components or systems. Vulnerabilities with “Unchanged” scope are often less severe because they do not lead to the escalation of privileges or the compromise of additional resources.

Example: A software vulnerability in an application that, when exploited, only affects the operation of that specific application and does not impact other parts of the system.

b. Changed(C): Use this if the exploitation of the vulnerability can lead to changes or compromises in other components or systems beyond the vulnerable one. It can potentially result in broader system compromise or privilege escalation. Vulnerabilities with “Changed” scope are typically more severe because they have the potential to impact a wider range of resources and systems.

Example: A vulnerability in a network service that, when exploited, allows an attacker to gain unauthorized access to other network services and systems on the same network.

5. Confidentiality(C): It is one of the metrics used to assess the impact of a security vulnerability. It measures the degree to which the confidentiality of sensitive information may be compromised if the vulnerability is exploited. Confidentiality is scored as either “None”, “Low,” or “High”. Here’s an explanation of these confidentiality levels:

a. None(N): Use this when the confidentiality is not impacted or compromised in any way. The vulnerability does not result in unauthorized access to sensitive information or data.

Example: Suppose there’s a web application vulnerability that allows an attacker to change the color of a non-sensitive banner on a website. This doesn’t affect the confidentiality of any data, so the confidentiality impact would be “None.”

b. Low(L): Use this if some level of confidentiality is compromised, but the impact is limited i.e., if the vulnerability exposes some non-critical information or data with minimal sensitivity.

Example: An email system vulnerability allows an attacker to view email subject lines but not the actual email content. While this exposes some information, it’s not highly sensitive, so the confidentiality impact is rated as “Low.”

c. High(H): Use this if the significant confidentiality breach or compromise occurs i.e., if the vulnerability leads to unauthorized access to highly sensitive information, such as personal user data, financial records, or confidential business documents.

Example: A database server vulnerability allows an attacker to extract customer credit card information. This represents a severe breach of confidentiality, and the confidentiality impact would be rated as “High.”

6. Integrity(I): It is another metric used to assess the impact of a security vulnerability. It measures the degree to which the integrity of data or systems may be compromised if the vulnerability is exploited. Integrity is scored as either “None”, “Low,” or “High”. Here’s an explanation of these integrity levels:

a. None(N): Use this if the integrity is not impacted or compromised in any way i.e., if the vulnerability does not allow for the unauthorized modification or alteration of data or system components.

Example: A website vulnerability allows an attacker to view publicly available information on the site but does not allow them to change or tamper with any data. In this case, the integrity impact would be “None.”

b. Low(L): Use this if some level of integrity is compromised, but the impact is limited i.e., if the vulnerability might allow for minor modifications or alterations to non-critical data or system components.

Example: An application vulnerability allows an attacker to change the background color of a webpage to a different color but does not allow them to deface the website or manipulate more critical content. This represents a low integrity impact.

c. High(H): Use this if the significant integrity breach or compromise occurs i.e., if the vulnerability leads to unauthorized modifications or alterations to highly critical data or system components, potentially causing serious damage or harm.

Example: An authentication system vulnerability allows an attacker to change the bank account details of a user, resulting in unauthorized fund transfers. This represents a high integrity impact because it can lead to financial loss and damage to the integrity of the data.

7. Availability(A): It is a metric used to assess the impact of a security vulnerability on the availability of systems and services. It measures the degree to which the availability of a resource may be compromised if the vulnerability is exploited. Availability is scored as either “None”, “Low,” or “High”. Here’s an explanation of these availability levels:

a. None(N): Use this if the availability is not impacted or compromised in any way i.e., if the vulnerability does not result in any disruption of the system or service’s availability.

Example: A software vulnerability allows an attacker to view information on a website, but it does not cause any downtime or service disruption. In this case, the availability impact would be “None.”

b. Low(L): Use this if some level of availability is compromised, but the impact is limited i.e., if the vulnerability might lead to minor disruptions or reduced availability of non-critical services or data.

Example: An application vulnerability results in occasional brief outages of a non-critical internal tool, affecting a small number of users. This represents a low availability impact because it doesn’t significantly disrupt essential services.

c. High(H): Use this if the significant availability breach or compromise occurs i.e., if the vulnerability leads to prolonged and severe disruptions or unavailability of critical systems or services, causing substantial harm or loss.

Example: A Distributed Denial of Service (DDoS) attack vulnerability in a web service allows an attacker to flood the system with traffic, rendering it inaccessible for an extended period. This represents a high availability impact because it results in a severe service outage.

Conclusion

In conclusion, the Common Vulnerability Scoring System (CVSS) and the CVSS calculator are critical tools for cybersecurity professionals. They provide a standardized way to assess and prioritize vulnerabilities, enabling organizations to allocate their resources effectively and reduce the risk of cyberattacks. Understanding the Base, Temporal, and Environmental scores within CVSS helps organizations tailor their vulnerability management strategies to their specific needs and risk profiles.

--

--

No responses yet