How is CVSS Calculated?

CVSS (Common Vulnerability Scoring System) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. The CVSS is used to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to the threat. The scores are calculated based on a formula that takes into account the impact of the vulnerability, its exploitability, and other factors.

Understanding CVSS is important for security professionals who need to assess the risk associated with vulnerabilities. The CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. The Base Score Metrics take into account the impact of the vulnerability on confidentiality, integrity, and availability. The Temporal Score Metrics take into account the exploitability of the vulnerability and the remediation level. The Environmental Score Metrics take into account the impact of the vulnerability in a specific environment.

Key Takeaways

  • The CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities.
  • The CVSS consists of three metric groups: Base, Temporal, and Environmental.
  • The Base Score Metrics take into account the impact of the vulnerability on confidentiality, integrity, and availability.

Understanding CVSS

The Common Vulnerability Scoring System (CVSS) is a widely used framework for assessing the severity of security vulnerabilities. It provides a standardized and repeatable way to evaluate and rank reported vulnerabilities.

CVSS uses a scoring system that ranges from 0 to 10, with 10 being the most severe. The score is based on three metric groups: Base, Temporal, and Environmental.

Base Score

The Base Score reflects the core characteristics of a vulnerability, or those that remain constant throughout time and operating environments. It is calculated using six metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, and Confidentiality, Integrity, and Availability (CIA) Impact.

Each metric is assigned a value from 0 to 10, with 10 being the most severe. The values are then combined using a formula to generate the Base Score.

Temporal Score

The Temporal Score reflects the characteristics of a vulnerability that may change over time. It is calculated using four metrics: Exploit Code Maturity, Remediation Level, Report Confidence, and Confirmed.

Each metric is assigned a value from 0 to 10, with 10 being the most severe. The values are then combined using a formula to generate the Temporal Score.

Environmental Score

The Environmental Score reflects the characteristics of a vulnerability in a specific environment. It is calculated using three metrics: Collateral Damage Potential, Target Distribution, and Security Requirements.

Each metric is assigned a value from 0 to 10, with 10 being the most severe. The values are then combined using a formula to generate the Environmental Score.

CVSS scores can be used to prioritize vulnerability remediation activities and to calculate the severity of vulnerabilities discovered on one’s systems. CVSS scores should not be the only factor used in decision-making, as they do not take into account the specific context of an organization’s systems and infrastructure.

Base Score Metrics

The Base Score Metrics group is the first of the metric groups that make up the Common Vulnerability Scoring System (CVSS). It provides a qualitative measure of the severity of a vulnerability and produces a score ranging from 0 to 10, with 10 being the most severe.

The Base Score Metrics group consists of three submetrics: Attack Vector (AV), Attack Complexity (AC), and Privileges Required (PR). These submetrics are used to determine how easily the vulnerability can be exploited.

  • Attack Vector (AV): This submetric describes how the vulnerability can be exploited. It takes into account whether an attacker needs to be physically present or can exploit the vulnerability over a network. The possible values for this submetric are Network (N), Adjacent Network (A), Local (L), and Physical (P).
  • Attack Complexity (AC): This submetric describes how difficult it is to exploit the vulnerability. It takes into account the level of skill required by an attacker to exploit the vulnerability. The possible values for this submetric are Low (L), High (H), and Undefined (U).
  • Privileges Required (PR): This submetric describes the level of privileges an attacker needs to exploit the vulnerability. It takes into account whether an attacker needs to be authenticated or has access to sensitive information. The possible values for this submetric are None (N), Low (L), and High (H).

The combination of these submetrics produces a Base Score that ranges from 0 to 10. A Base Score of 0 means that the vulnerability is not exploitable, while a Base Score of 10 means that the vulnerability is highly exploitable and can be used to compromise the entire system.

Temporal Score Metrics

The Temporal Score Metrics group is the part of the CVSS scoring system that measures the characteristics of a vulnerability that change over time. These metrics are used to calculate the Temporal Score of a vulnerability, which is combined with the Base Score to determine the overall CVSS score.

The Temporal Score Metrics group consists of three metrics:

  1. Exploitability: This metric measures the likelihood that an attacker will be able to exploit the vulnerability. It takes into account factors such as the availability of exploit code, the ease of exploitation, and the required privileges to exploit the vulnerability.
  2. Remediation Level: This metric measures the availability of a solution to the vulnerability. It takes into account factors such as the availability of a patch or a workaround, and the time required to implement the solution.
  3. Report Confidence: This metric measures the confidence in the existence of the vulnerability. It takes into account factors such as the quality of the information available about the vulnerability, and the level of testing performed to confirm the vulnerability.

Each of these metrics is assigned a value ranging from “Not Defined” to “High”. The values are then used to calculate the Temporal Score, which ranges from 0 to 10.

The Temporal Score is calculated using the following formula:

Temporal Score = Base Score × Exploitability × Remediation Level × Report Confidence

In general, vulnerabilities with a higher Temporal Score are considered more severe than vulnerabilities with a lower Temporal Score. Therefore, it is important to consider the Temporal Score when assessing the severity of a vulnerability.

Environmental Score Metrics

The Environmental Score Metrics group is the third metric group that makes up every CVSS score. This group takes into account the unique characteristics of the environment in which the vulnerability is being scored. These metrics allow for a more accurate and tailored assessment of the risk posed by a vulnerability to a specific organization.

The Environmental Score Metrics group consists of three subcomponents: Confidentiality Requirement (CR), Integrity Requirement (IR), and Availability Requirement (AR). These subcomponents are used to evaluate the impact of the vulnerability on the organization’s confidentiality, integrity, and availability requirements.

The Confidentiality Requirement (CR) subcomponent measures the impact of a vulnerability on the confidentiality of the organization’s information. It takes into account the sensitivity of the information that could be disclosed if the vulnerability is exploited. The CR subcomponent is scored on a scale of None, Low, High, or Not Defined.

The Integrity Requirement (IR) subcomponent measures the impact of a vulnerability on the integrity of the organization’s information. It takes into account the potential for unauthorized modification or destruction of information if the vulnerability is exploited. The IR subcomponent is scored on a scale of None, Low, High, or Not Defined.

The Availability Requirement (AR) subcomponent measures the impact of a vulnerability on the availability of the organization’s information or systems. It takes into account the potential for denial of service or other disruptions if the vulnerability is exploited. The AR subcomponent is scored on a scale of None, Low, High, or Not Defined.

The Environmental Score Metrics group is used to modify the Base Score, which is the score that reflects the intrinsic characteristics of the vulnerability itself. The modified score takes into account the unique characteristics of the environment in which the vulnerability is being scored. This allows for a more accurate and tailored assessment of the risk posed by a vulnerability to a specific organization.

Challenges in CVSS Calculation

Calculating the CVSS score is not a straightforward process and can be challenging due to various factors. Here are some of the challenges in CVSS calculation:

Subjectivity in scoring

CVSS scoring is subjective and can vary depending on the person scoring the vulnerability. Different individuals may have different opinions on the severity of a vulnerability, which can lead to inconsistent scores. The CVSS scoring system tries to minimize this subjectivity by providing clear guidelines on how to score vulnerabilities, but there is still room for interpretation.

Complexity of the scoring system

The CVSS scoring system is complex and consists of multiple components that need to be scored separately. This complexity can make it difficult for some individuals to understand and accurately score vulnerabilities. Additionally, the scoring system has evolved over time, which has led to different versions of the system being used. This can cause confusion and inconsistencies in scoring.

Lack of context

CVSS scoring is based solely on the characteristics of a vulnerability and does not take into account the context in which the vulnerability is being exploited. This lack of context can lead to inaccurate scores, as the severity of a vulnerability can vary depending on the environment in which it is being exploited. For example, a vulnerability that is easily exploitable in a controlled lab environment may not be as severe in a real-world scenario.

Limited scope

CVSS scoring only takes into account the technical impact of a vulnerability and does not consider other factors such as business impact or the likelihood of exploitation. This limited scope can lead to inaccurate scores, as the severity of a vulnerability can be influenced by factors outside of its technical impact. For example, a vulnerability that affects a critical system may be more severe than a vulnerability that affects a less critical system, even if both vulnerabilities have the same technical impact.

Despite these challenges, CVSS scoring remains a valuable tool for assessing the severity of vulnerabilities and prioritizing remediation efforts. By understanding the limitations of the system, individuals can make more informed decisions when scoring vulnerabilities.

Improving CVSS Calculation Accuracy

There are some limitations to the system that can affect the accuracy of the scores. Here are some ways to improve the accuracy of CVSS calculations:

1. Use the latest version of CVSS

The latest version of CVSS is version 4.0. This version includes improvements to the scoring system, such as the addition of new metrics and the ability to account for the impact of different attack vectors. Using the latest version of CVSS can help to ensure that scores are as accurate as possible.

2. Take into account the context of the vulnerability

CVSS scores are based on a set of metrics that are designed to assess the severity of a vulnerability. However, it’s important to take into account the context of the vulnerability when calculating the score. For example, a vulnerability that affects a critical system may be more severe than a vulnerability that affects a less critical system.

3. Use expert judgment

CVSS scores are based on objective metrics, but there may be cases where expert judgment is required to accurately assess the severity of a vulnerability. For example, an experienced security analyst may be able to provide insights into the potential impact of a vulnerability that are not captured by the CVSS metrics.

4. Regularly review and update CVSS scores

CVSS scores should be regularly reviewed and updated as new information becomes available. For example, if a vulnerability is discovered to be more severe than originally thought, the CVSS score should be updated accordingly. Regularly reviewing and updating CVSS scores can help to ensure that they remain accurate over time.

By following these tips, it’s possible to improve the accuracy of CVSS scores and ensure that vulnerabilities are assessed as accurately as possible.

Conclusion

The Common Vulnerability Scoring System (CVSS) is a standardized and repeatable way to evaluate and rank reported vulnerabilities. The CVSS Base Score Equation takes into account the impact and exploitability of the vulnerability, as well as the access complexity, authentication, and access vector. The Impact is calculated based on the Confidentiality, Integrity, and Availability (CIA) triad, with each component weighted differently.

CVSS v4 was launched in 2023, and it includes several improvements over previous versions. One notable change is the addition of a new metric, Scope, which takes into account whether the vulnerability affects only a single component or has the potential to impact multiple components. Another change is the introduction of a temporal score, which reflects the likelihood that a vulnerability will be exploited in the near future.

It’s important to note that while CVSS provides a standardized way to evaluate vulnerabilities, it should not be the only factor considered when assessing risk. Organizations should also take into account their specific environment and the potential impact of a vulnerability on their systems and data.

Additionally, CVSS should be used as a starting point for vulnerability management, with additional testing and analysis conducted as necessary.

CVSS is a valuable tool for assessing and prioritizing vulnerabilities, but it should be used in conjunction with other risk management strategies to ensure that organizations are adequately protected.

Frequently Asked Questions

What is the range of CVSS 3.1 score?

The CVSS 3.1 score ranges from 0.0 to 10.0, with 10.0 being the highest possible score. The score is calculated based on the impact and exploitability of a vulnerability.

What are the metrics used in CVSS?

CVSS uses four metric groups: Base, Temporal, Environmental, and Modified. The Base group represents the intrinsic qualities of a vulnerability, while the Temporal group represents the characteristics of a vulnerability that change over time.

The Environmental group represents the characteristics of a vulnerability that are specific to a particular environment, and the Modified group represents the characteristics of a vulnerability that have been modified by a user.

How can I calculate CVSS 4.0 score?

CVSS 4.0 score can be calculated using the CVSS calculator provided by FIRST. The calculator takes into account the Base, Threat, Environmental, and Supplemental metrics to calculate the score.

Where can I find a CVSS calculator?

The CVSS calculator is available on the FIRST website. The calculator provides a user-friendly interface for calculating the CVSS score of a vulnerability.

What is the impact metric based on in CVSS?

The impact metric in CVSS is based on the consequences of a successful exploit of the vulnerability. The impact metric takes into account the confidentiality, integrity, and availability of the affected system.

Who determines the CVSS score of a CVE?

The CVSS score of a CVE is determined by the Common Vulnerability Scoring System Special Interest Group (CVSS SIG). The group consists of security experts from industry, academia, and government who are responsible for maintaining and updating the CVSS standard.