infosec – TechKranti https://techkranti.com CyberSecurity Revolution Sun, 24 Nov 2019 14:07:12 +0000 en-US hourly 1 https://wordpress.org/?v=6.6.2 169658937 What The Heck is CVSS – Part I https://techkranti.com/what-is-cvss-part-1/ Sun, 24 Nov 2019 12:31:54 +0000 http://techkranti.com///?p=18

We have all seen the CVSS score for vulnerabilities listed on the National Vulnerability Database (NVD) when researching vulnerabilities. It is a numeric value between 0 to 10 and comes with a qualitative description of the score such as Low, Medium, High Or Critical. Because of the qualitative description of the score, I never bothered to dig deeper into how this was calculated.

TL;DR:

  • The Common Vulnerability Scoring System (CVSS) captures the principal technical characteristics of software, hardware and firmware vulnerabilities.
  • Its outputs include numerical scores indicating the severity of a vulnerability relative to other vulnerabilities
  • Rest is Mathematics. You cannot tl;dr Mathematics. ?

So, what exactly is CVSS?

The organization maintaining the specification for CVSS is the Forum of Incident Response and Security Teams (FIRST). FIRST defines CVSS as follows:

The Common Vulnerability Scoring System (CVSS) captures the principal technical characteristics of software, hardware and firmware vulnerabilities. Its outputs include numerical scores indicating the severity of a vulnerability relative to other vulnerabilities

first.org

Corporations, organisations and individuals interacting with Technology are dealing with vulnerabilities on a daily basis. With so many different minds looking at vulnerabilities subjectively, there are bound to be inconsistencies in the way severity of the vulnerabilities is perceived. CVSS eliminates the need of this subjectivity and defines clear, unambiguous parameters to quantify the severity of a vulnerability that all can agree upon. Other than providing a framework to calculate the intrinsic severity of the vulnerability (Base Metrics), it also provides an optional scoring system to gauge how severity modifies with time (Temporal Metrics) and environment of the organization (Environmental Metrics) that is assessing the vulnerability.

Why Should You Understand CVSS?

Well, what’s the practical use of understanding the methodology to derive CVSS score? I too had this notion until I read the actual specification myself and came to appreciate the beauty of this scoring system. I reckon that every security researcher, information security personnel or IT personnel should understand this scoring system well because this scoring system not only helps you understand the intrinsic severity of the vulnerability but it also provides a way to modify the severity level specific to your environment. Based on your organisation or application environment, the score might go higher or lower than the intrinsic score. This will help you to better prioritise remediation actions.

Let’s Dig Deeper into CVSS

CVSS parameters are broadly classified in the following three groups:

Base Metrics: represent the intrinsic characteristics of a vulnerability that are constant over time and across user environments. The score derived from these metrics is called the Base Score and this is the score displayed on vulnerability publishing websites such as NVD.

Temporal Metrics: reflect the characteristics of a vulnerability that may change over time but not across user environments. The score derived from these metrics is called the Temporal Score.

Environmental Metrics: represent the characteristics of a vulnerability that are relevant and unique to a particular user’s environment. The score derived from these metrics is called the Environmental Score.

I am going to cover Base Metrics in this part and leave Temporal and Environment Metrics for another day.

Understanding Base Metrics:

The Base Metric group is further classified into three sub-groups:

  1. Exploitability
  2. Impact
  3. Scope

The four metrics available within the Exploitability sub-group are:

1. Attack Vector (abbreviated AV)

This metric describes how remote or local an attacker should be in order to exploit this vulnerability.

The below table indicates the possible values for this metric, its abbreviation, description and the numeric value that is used while calculating the CVSS score.

ValueAbbreviatedDescriptionNumeric Value
NetworkNCan be exploited over the network and beyond the local area network0.85
AdjacentACan be exploited over local area network0.62
LocalLCan be exploited only if attacker has logical access to the vulnerable system or component0.55
PhysicalPCan be exploited only if the attacker has physical access to the vulnerable system0.2

2. Attack Complexity (abbreviated AC)

This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability.

ValueAbbreviatedDescriptionNumeric Value
LowLSpecialized conditions are not required to exist or attacker can exploit default installation of the component or system0.77
HighHOne or more special conditions should be met for the attacker to exploit this vulnerability0.44

3. Privileges Required (abbreviated PR)

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

ValueAbbreviatedDescriptionNumeric Value
NoneNAttacker requires no privileges on the vulnerable system or component0.85
LowLAttacker requires non-administrative user capabilities on the vulnerable system or component0.62
HighHAttacker requires administrative privileges over the vulnerable system or component0.27

4. User Interaction (abbreviated UI)

This metric describes whether a victim or any benign user other than the attacker should interact with the system to successfully exploit the vulnerability.

ValueAbbreviatedDescriptionNumeric Value
NoneNThe vulnerable system can be exploited without interaction from any user.0.85
RequiredRSuccessful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. 0.62

The Exploitability sub-group provides an Exploitability sub-score (ESS) which is calculated as follows:

ESS = 8.22 × Attack Vector × Attack Complexity × Privileges Required × User Interaction

Next, we move on to the Impact sub-group.

The three metrics available within the Impact sub-group are:

1. Confidentiality (abbreviated C)

This metric measures the impact to the confidentiality of the information resources managed by the vulnerability component due to a successfully exploited vulnerability.

ValueAbbreviatedDescriptionNumeric Value
HighHAll information is disclosed and/or some information that is disclosed is critical and/or attacker has complete control over what information can be disclosed.0.56
LowLSome information is disclosed to the attacker and/or information that is disclosed is not critical and/or attacker has no control over what information can be disclosed.0.22
NoneNNo information is disclosed to the attacker.0
2. Integrity (abbreviated I)

This metric measures the impact to integrity of information that resides on a successfully exploited system.

ValueAbbreviatedDescriptionNumeric Value
HighHThere is a total loss of integrity, or a complete loss of protection.0.56
LowLModification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited.0.22
NoneNNo information can be modified by the attacker.0
3. Availability (abbreviated A)

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability

ValueAbbreviatedDescriptionNumeric Value
HighHThere is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component.0.56
LowLPerformance is reduced or there are interruptions in resource availability. Attacker does not have the ability to completely deny service to legitimate users.0.22
NoneNThere is no impact to availability within the impacted component.0

The Impcat sub-group provides an Impact sub-score (ISS) which is calculated as follows:

ISS = 1 - [(1 - Confidentiality) × (1 - Integrity) × (1 - Availability)]

Scope Metric (Abbreviated S)

Scope is not a sub-group but a metric in itself with no numeric value.

Scope describes whether the attacker can access or impact resources, components or systems beyond the vulnerable component or system after successful exploitation of the vulnerability.

ValueAbbreviatedDescriptionNumeric Value
ChangedCAn exploited vulnerability can only affect resources managed by the vulnerable component or system.See Below
UnchangedUAn exploited vulnerability can affect resources other than those managed by the vulnerable component or system.See Below

Scope metric does not have a direct numeric value. It rather causes changes to the Impact & Exploitability sub-scores as follows:

  1. Changes to ESS
    • If Scope is defined as Changed, ‘Privileges Required’ metric’s numeric value are changed as follows:
      • Low: 0.62 → 0.68
      • High: 0.27 → 0.5
    • No changes are made to ESS if Scope is Unchanged
  1. Changes to ISS
    • If Scope is defined as Changed:
      Updated ISS = 7.52 ×(ISS- 0.029) – 3.25 ×(ISS- 0.02)15
    • If Scope is defined as Unchanged:
      Updated ISS = 6.42 × ISS

Now that we have got the ESS & ISS, let’s understand the base score calculation. The final Base Score calculation formula differs based on Scope values and is as follows:

If Scope is Unchanged:

Base Score = Roundup(Minimum[(ISS + ESS), 10])

If Scope is Changed:

Base Score = Roundup(Minimum[1.08 ×(ISS + ESS), 10])

where Roundup( ) returns the smallest number, specified to 1 decimal place, that is equal to or higher than its input. For example, Roundup (4.02) returns 4.1; and Roundup (4.00) returns 4.0.

As you can see, a lot of information goes into calculating the Base Score. Hence, there needs to be a concise way of representing this information for the sake of brevity. That’s where the vector string notation comes into play.

Vector String Notation:

Excerpt From NVD

Let us look at an example of a CVSS vector string to understand it:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

A vector notation starts with the words ‘CVSS’ followed by a colon and the version number of the specification, the latest being 3.1.

Following this are tuples containing the metric abbreviation for all base metrics and their corresponding value abbreviation separated by colons ( : ). Tuples are separated by slashes (/). For a vector string to be valid, it should contain all the base metrics. So, let’s decode the above string based on what we learnt earlier about the Base Metrics.

CVSS:3.1 = CVSS version is 3.1
AV:N = Attack Vector is Network
AC:L = Attack Complexity is Low
PR:N = Privileges Required is None
UI:N = User Interaction is None
S:U = Scope is Unchanged
C:H = Confidentiality Impact is High
I:H = Integrity Impact is High
A:H = Availability Impact is High

Let’s Calculate The Base Score For The Above Vector String

First, The Exploitability Sub-score:

ESS = 8.22 × Attack Vector × Attack Complexity × Privileges Required × User Interaction

First, let’s replace the variables with the metric value tuples from the vector string:
ESS = 8.22 × AV:N × AC:L × PR:N × UI:N

Now, let’s enter the numeric values for these metrics:
ESS = 8.22 × 0.85 x 0.77 x 0.85 x 0.85

ESS = 3.887042775

Now, for The Impact Sub-score:

ISS = 1 - [(1 - Confidentiality) × (1 - Integrity) × (1 - Availability)]

Replacing the variables:
ISS = 1 - [(1 - C:H) × (1 - I:H) × (1 - A:H)]

Entering the numeric values:
ISS = 1 - [(1 - 0.56) × (1 - 0.56) × (1 - 0.56)]

ISS = 0.914816

Now, let’s go for scope adjustment:

Scope = Unchanged
Hence, ESS remains the same.

And ISS
= 6.42 × ISS
= 6.42 × 0.914816
= 5.87311872

Now, finally, the Base Score:

Since Scope = Unchanged,

Base Score
= Roundup(Minimum[(ISS+ ESS), 10])
= Roundup(Minimum[(5.87311872+3.887042775), 10])
= Roundup(Minimum[9.760161495,10])
= Roundup(9.760161495)
= 9.8

So, that’s it. We have got the CVSS for our vulnerability.

Base Score = 9.8

The Vector String mentioned above was taken from CVE-2019-15107. Check out this NVD link to see if our numbers match.

Understanding The Qualitative Severity Rating Scale

CVSS provides the following qualitative rating scale to have a textual representation of the numeric values:

CVSS ScoreQualitative Rating
0.0None
0.1 – 3.9Low
4.0 – 6.9Medium
7.0 – 8.9High
9.0 – 10.0Critical

Now, you may be wondering, how on earth are you going to perform this calculation manually for every vulnerability that you are assessing. Don’t worry. FIRST team has put up an awesome calculator on their website for you: https://www.first.org/cvss/calculator/3.1

Go ahead and give it a try.

The next time you look up a vulnerability on NVD, you would be better equipped to understand the severity of the same and would be in a position to gauge which vulnerability should be a priority to for you.

I will cover the Temporal Metrics & Environmental Metrics in a later article.

See Also:

]]>
18