Common Vulnerability Scoring System (CVSS)

Security professionals often keep an eye on news about Common Vulnerabilities and Exposures (CVEs) to remain aware of emerging cyber threats. However, in recent years, we’ve seen over 25,000 CVEs reported each year. After a DevSecOps team has determined that a CVE is relevant to their computing environment, how can they determine the level of risk posed by that vulnerability? That’s where the Common Vulnerability Scoring System (CVSS) comes into play.

The CVSS is a standardized way to calculate the severity of security vulnerabilities. By working according to this standard, security professionals can compare vulnerabilities to prioritize their responses to potential threats, ensuring that the highest-severity vulnerabilities are addressed first.

In this post, we’ll break down what the CVSS is — where it comes from, how to interpret its scores, and how it fits into your cybersecurity strategy. Let’s dive right in.

What is the CVSS?

The CVSS is a framework used globally to assess and communicate the severity of security vulnerabilities. This standardization is valuable because it allows for a common rating of vulnerabilities across different systems and organizations.

The CVSS is owned and managed by the Forum of Incident Response and Security Teams (FIRST). The first version of the CVSS began as a project of the National Infrastructure Advisory Council (NIAC) in 2005. CVSS v3.1 has been in use since 2019, and CVSS v4 was officially launched in November 2023.

Before we dive deeper into the CVSS, let’s cover some key terms that often come up in discussions about this system:

• Common Vulnerability Scoring System: A standardized framework for rating the severity of security vulnerabilities.
• Common Vulnerabilities and Exposures database: This is a database of known security vulnerabilities managed by the MITRE Corporation. Each vulnerability listed in the CVE database is given a unique identifier, making it easier to share information about specific vulnerabilities.
• National Vulnerability Database (NVD): This U.S. government database includes all the vulnerabilities listed in the CVE database. These vulnerabilities are enhanced with additional information, including CVSS severity scoring.

These terms are interrelated in the process of identifying and managing cybersecurity risks: CVSS provides the scoring framework, the CVE database offers a standardized list of known vulnerabilities, and the NVD enriches this information with additional analysis and context. Together, they form a comprehensive approach to understanding and addressing cybersecurity vulnerabilities.

Understanding metric groups in the CVSS

The CVSS framework consists of three distinct metric groups: base, temporal, and environmental. Metric groups help categorize different aspects of a vulnerability for increased clarity in assessing severity. Each metric group plays a unique role in determining the overall severity score of a vulnerability.

Base group metrics assess the “intrinsic qualities of a vulnerability that are constant over time and across user environments.” They focus on aspects such as:

• How the vulnerability is exploited
• The complexity of the exploit
• The level of access required to exploit the vulnerability
• The vulnerability’s impact on confidentiality, integrity, and availability

This base score does not change over time. It functions like a snapshot of how serious the vulnerability is from the start. The NVD includes the base score for each CVE listed.

Temporal group metrics focus on what is changing with the vulnerability over time. It considers questions such as:

• Has someone created a fix for it?
• Is there a new tool available that makes this vulnerability easier for malicious attackers to exploit?

As new information comes in and conditions change, temporal metrics can go up or down.

Environmental group metrics focus on the specific characteristics of a user’s environment that might affect the impact of the vulnerability. They consider factors like potential loss to an organization or the prevalence of a vulnerable system in the user’s environment. For example, maybe your systems are set up in a way that makes the vulnerability more serious, or maybe you have additional security that reduces the risk of an exploit. This score is tailored to your specific circumstances and can vary greatly between different environments.

Understanding these metric groups is key to accurately assessing the severity of vulnerabilities for a given environment. Each group contributes to the final score, which guides an organization in prioritizing its response to different threats.

Understanding the scoring scale in the CVSS

The CVSS scoring scale ranges from 0 to 10, indicating the severity of a vulnerability. A higher score indicates a more severe vulnerability that demands immediate attention, and a lower score suggests a less critical issue. Let’s break down what this scoring scale represents and how it’s applied in real-world scenarios.

• Low severity (0 to 3.9): Poses minimal risk and often requires specific conditions to be exploited. An example of a vulnerability that scores 2.0 might be a low-impact information disclosure flaw that requires high-level privileges to exploit.
• Medium severity (4.0 to 6.9): More common and might be easier to exploit but typically don’t lead to severe consequences. For example, a score of 5.5 might be given to a cross-site scripting issue that could be exploited more easily but doesn’t compromise an entire system.
• High severity (7.0 to 8.9): A significant threat, often allowing unauthorized access or control over affected systems.
• Critical severity (9.0 to 10): The most dangerous vulnerabilities, usually allowing widespread exploitation with severe impacts like data loss, system downtime, or complete system takeover. As an example, a widespread ransomware exploit might have a score of 9.5.

By knowing what each range of scores represents and seeing examples of how they apply to real vulnerabilities, professionals can make more informed decisions about their cybersecurity strategies.

Various tools are available to calculate CVSS scores based upon the framework, such as the NVD Calculator or the CVSS Calculator from FIRST. Some cybersecurity firms also offer proprietary tools for CVSS score calculation. These tools often allow users to input specific details about a vulnerability to assess the temporal and environmental scores, which are then combined with the base score to generate a precise CVSS score for a specific user.

How to use vulnerability scoring to manage your risk

Even with the detail in a CVSSv4 score, there can still be environmental details about your own systems that would cause you to consider the impact differently between two similarly scored vulnerabilities. How can you be prepared to start using this additional information when it comes available? Start by looking at your vulnerability management strategy.

Here are a few tips to get you started:

• Make an inventory of your asset and attack surface (the systems and applications you are protecting) so that you can better understand impact on your specific environment using the new data when it is available.
• Whether we like it or not, at some point we all have competing priorities and need to make hard decisions about where to spend our time. To be prepared for this, look at the inventory of your systems and consider which areas bear more risk, or less. Which assets are the most critical, and the least. Which assets have the highest exposure to attack, and which are the most protected by other compensating controls.
• Here at CrowdStrike we strongly recommend our ExPRT.AI model to our customers as a better way of prioritizing two “equally scored” vulnerabilities against each other. Whether you are using our AI model, a CVSSv4 score, or some other mechanism, put a plan together for responding to vulnerabilities.This plan should have detail about risk levels, potential impacts, common mitigation strategies (such as patching, compensating controls, or even disabling non critical systems), and set up a time period to review this plan regularly. The ecosystem of software is constantly changing, as is your environment. Being prepared with a strong plan will allow you to make the most headway in your own fight against the adversaries.

What is the difference between CVSSv3.1 and CVSSv4?

CVSSv3.1 has several gaps that needed to be addressed in order to provide more usefulness in the scoring system. These were addressed in the 4.0 version that is now coming into effect, however there are still improvements to be made in understanding risk. The most notable improvement is that CVSSv3.1 didn’t account for the impact of a vulnerability to additional systems, but CVSSv4 has added a set of metrics for impact to Subsequent Systems. Further, CVSSv4 also includes a group of new non-scoring metrics that can help provide additional context, known as Supplemental Metrics, about a vulnerability that will help an end-user relate the score to their own environment.

Subsequent Systems

Subsequent Systems are any system that can be impacted by an exploit of the vulnerability, while not being the vulnerable system itself. To illustrate this, consider an example: A web server is running a site which allows users to login, make payments, and see their account data. A Cross Site Scripting (XSS) vulnerability on the web site would be considered a vulnerability on the site/server. A subsequent system could be the users’ machine and their web browser. Though the vulnerability exists in the web server, successful exploitation could allow an attacker to gain access to a wealth of information on the users’ system or even run commands on it, unbeknownst to the user. For this example, the “subsequent system impact” would mean that the end users’ web browser may further compromise private information, or worse, turn their machine into a host for further attacks across the internet.

Given the new classification metrics in CVSSv4, the vulnerability in this example should receive a higher score than another vulnerability which does not have a subsequent system impact involved. By considering downstream impact from the initial point of exploit, the new scoring system is attempting to reflect a more realistic view of the potential impact for a vulnerability.

Supplemental Metrics

Supplemental Metrics are a non-scoring metric that have been added to the CVSSv4 from the 3.1 version. These are additional details that may be informative and helpful to someone reviewing a vulnerability while they try to understand how the potential impact would relate to their own environment. While the data here can be helpful with metrics such as Automatable, Vulnerability Response Effort, and Provider Urgency, these and other metrics were included as information only and do not impact the overall scoring of a vulnerability.

Not scoring these is obvious in some cases, such as Provider Urgency. What is urgent from the perspective of one software vendor may not be seen as urgently by another. If vendors were allowed to place low urgency on all of their CVEs and get a lower output score, this would be incentivizing them to game the system. The intent of having this data available is to help end users to better understand what other factors may be relevant to their environment. Thus, to maintain the best comparison between CVEs, these supplemental metrics are not factored into the output score from a CVSSv4 calculation.

What is the benefit of CVSSv4 to you?

The most obvious benefit with CVSSv4 is that the expansion of metrics regarding impact to an environment, subsequent systems, and information to help with mitigation helps provide more granular detail in the score of any particular vulnerability. These were all considered as welcome additions by many in the Vulnerability Management community. CrowdStrike had already seen the need to have a vulnerability score based on impact and risk, and thus developed our own ExPRT.AI rating. Our rating is focused on predicting the likelihood that a vulnerability will be exploited which includes a combination of factors such as our own adversarial intelligence data, which does not rely on vendor (of vulnerable application) self reporting.

This measurement of exploit is one area where the CVSS process in general is still lacking much detail, but the supplemental metrics and additional criteria are a welcome addition in providing uniformity and clarity in areas that will help end-users understand the relative risk for vulnerabilities they have in their environment.

When will CVSSv4 be adopted?

There are a few reliable and vendor agnostic sources of information about vulnerabilities. Most in the community look towards the NIST National Vulnerability Database (NVD) as a provider of information about CVEs. At this time, NVD has not started publishing the CVSSv4 scores, but CrowdStrike plans to incorporate this information when adoption begins in 2024.

Looking back at CVSSv3 or v3.1 scores for some CVEs may help provide valuable historical context that some users want when planning how to address new vulnerabilities. When 4.0 is more widely adopted, it is likely that NVD will continue to publish the CVSSv3.1 scores.

Integrating the CVSS into your cybersecurity practices

Familiarity with the CVSS equips security professionals with a foundation that can significantly influence their cybersecurity strategy. This knowledge is vital in prioritizing and tackling security vulnerabilities effectively.

However, it’s important to remember that a CVSS score alone does not present a comprehensive picture of a vulnerability’s threat to your organization. This important data needs to be coupled with threat intelligence and context. That’s why tools like CrowdStrike Falcon® Exposure Management and CrowdStrike Falcon® Spotlight are essential.

Falcon Spotlight adds insight to your vulnerability management, providing fast, accurate, and actionable information to keep your systems secure without impacting their performance. Falcon Exposure Management builds upon this with deep insights into your exposure to weaknesses and vulnerabilities, enhancing your ability to identify and prioritize risks based on real-time data.

By combining the standardized data from the CVSS with the advanced capabilities of the CrowdStrike Falcon® platform, you can create a more resilient and responsive cybersecurity posture. To learn more about the Falcon platform, try it for free or contact our team of experts today.