What is CVSS, and why is 4.0 Important?
The Common Vulnerability Scoring System (CVSS) is a standardized framework used to assess and quantify the severity of security vulnerabilities in software or systems. It assigns a numerical score to vulnerabilities based on a range of factors, including exploitability, impact, privileges required, and access complexity. This score helps organizations prioritize and manage their efforts to address security weaknesses, with higher scores typically indicating more severe vulnerabilities.
Version 4.0 of CVSS was officially released on November 1, 2023, by FIRST. Forum of Incident Response and Security Teams (FIRST) is an international nonprofit organization that focuses on incident response and coordination. For more information on FIRST, check out their website.
According to FIRST:
CVSS provides a way to capture the principal characteristics of a security vulnerability and produces a numerical score reflecting its technical severity to inform and provide guidance to businesses, service providers, government, and the public.
As a cybersecurity professional, CVSS is one important aspect for determining which vulnerabilities to remediate first — hence why the release of CVSS 4.0 is significant for our industry.
Unveiling CVSS 3.1 vs. CVSS 4.0: Enhanced Security Metrics and Threat Assessment
CVSS 3.1 was released in June 2019. The goal of CVSS version 3.1 was to supersede, clarify, and improve upon the existing version 3.0 — which was released 4 years prior in June 2015. Despite 3.1 being an updated version, it was far from perfect. Let us cover some of the challenges and critique of CVSS 3.1:
- CVSS Base Score being used as the primary input to risk analysis — As cybersecurity professionals — especially those with vulnerability management experience — the CVSS Base Score should not have this much power. While the CVSS Base Score is a pivotal element in gauging vulnerability severity, it should not be the sole determinant. This score primarily focuses on the technical aspect, overlooking crucial factors such as business context, asset criticality, and the evolving threat landscape, all of which play an equally vital role in comprehensive risk analysis.
- Not enough real-time threat and supplemental impact details are represented — The CVSS model does not incorporate real-time changes in the threat landscape, such as active exploitation of a specific vulnerability in the wild. This critical information, which can significantly change a vulnerability's risk profile, typically has to be obtained from external sources (threat intelligence feeds, exploit trackers, vendor advisories) and merged with the score by the consumer.
- Only applicable to I.T. systems — CVSS was originally developed with a primary focus on software and hardware IT systems. Consequently, it may not fully encompass certain intricacies specific to non-IT systems or operational technologies which can exhibit distinct risk profiles and potential consequences in the event of a compromise.
- Health, human safety, and industrial control systems not well represented — CVSS explicitly does not account for the potential impact on human life or safety. In sectors where these aspects are of paramount importance, such as healthcare or industrial control systems, CVSS scores may not comprehensively reflect the true severity of a vulnerability.
- Scores published by vendors are often High or Critical (7.0+) — This can indeed become problematic if vendors exaggerate the severity of vulnerabilities, which can contribute to alarm fatigue. Nevertheless, this concern primarily stems from the vendor’s interpretation and application of the CVSS, rather than any inherent flaws within the system itself.
- Insufficient granularity — fewer than 99 discrete CVSS scores in practice — Despite CVSS providing a scoring system based on decimals, its practical application frequently leads to a reduced number of distinct scores, constraining granularity. A more finely-grained system could potentially provide enhanced differentiation among vulnerabilities.
- Temporal Metrics do not effectively impact the final CVSS score — The Temporal metrics within CVSS, covering the current exploit state, remediation status, and report confidence, carry comparatively little weight in the final score. Their inclusion is meaningful, but their influence is not as substantial as intended, which is one reason published scores rarely move once a fix ships.
- The math seems overly complicated and counterintuitive — Firstly, it's important to note that the CVSS scoring system was developed by a diverse team of experts and is rooted in extensive research and analysis. CVSS scoring employs intricate mathematical equations to achieve a balanced representation of diverse factors. However, this complexity can overwhelm non-technical users and appear counterintuitive. Streamlining the system, while preserving accuracy, has the potential to enhance usability and comprehension.
Introducing a Fresh Base Metric: Attack Requirements
Wow, that was a lot! Let us look at an overview of what’s new in CVSS 4.0. This information can be found in the 35th Annual FIRST Conference slide deck.
- Finer granularity in Base Metrics — “Attack Requirements (AT) added as Base Metric, and Enhanced User Interaction Granularity (None/Active/Passive)” — FIRST
- Removal of downstream scoring ambiguity — “C/I/A expanded into separate Vulnerable System C/I/A and Subsequent System C/I/A” — FIRST
- Simplification of Threat metrics and improved scoring impact — “Remediation Level, Report Confidence, and Exploit Code Maturity simplified to Exploit Maturity” — FIRST
- Supplemental attributes for vulnerability response — “Supplemental Metric: Automatable, Recovery, Value Density, Vulnerability Response Effort, and Provider Urgency.” — FIRST
- Additional applicability to OT/ICS/IoT — “Safety metric Values added to Environmental Metrics” — FIRST
Challenge: The “low” and “high” Attack Complexity (AC) values do not reflect the significant differences between conditions currently compressed in the definition of “high” complexity. For example, the evasion of security mitigation techniques such as ASLR or crypto objectively requires significantly higher exploit complexity than iterating an attack to win a race condition; yet both conditions currently result in the same “penalty” to the final severity score.
Resolution: The CVSS v4 proposal addresses this by splitting the current AC definition into two metrics, AC and “Attack Requirements” (AT), that respectively convey the following:
- Attack Complexity — Reflect the exploit engineering complexity required to evade or circumvent defensive or security-enhancing technologies. (defensive measures)
- Attack Requirements — Reflect the prerequisite conditions of the vulnerable component that make the attack possible.
Enhanced Base Metric: User Interaction
Enable greater granularity when assessing user interaction with a vulnerable component. The specifics are outlined below:
- None (N): The vulnerable system can be exploited without interaction from any human user, other than the attacker.
- Passive (P): Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable component and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable component.
- Active (A): Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable component and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability.
Retired Base Metric: Scope — A Farewell to an Aspect of CVSS
Challenge: Scope has often been the least appreciated and least comprehended CVSS metric.
- Caused inconsistent scoring between product providers
- Implied “lossy compression” of impacts of vulnerable and impacted systems
Resolution: Impact Metrics Split into Two Sets:
- Vulnerable System; Confidentiality (VC), Integrity (VI), Availability (VA).
- Subsequent System(s); Confidentiality (SC), Integrity (SI), Availability (SA).
- “Modified” Environmental Metrics updated accordingly.
Temporal Metrics Renamed to Threat Metric Group
Challenge: Needlessly intricate threat metrics.
Resolution: Simplified Remediation Level, Report Confidence, and Exploit Code Maturity to Exploit Maturity:
- Remediation Level (usually O, Official Fix) and Report Confidence (usually C, Confirmed) retired.
- Exploit Code Maturity was renamed Exploit Maturity.
- Enhanced impact for Threat Metric values.
- Adjusts “reasonable worst case” base score by using threat intelligence to reduce the CVSS-BTE score, addressing concerns that many CVSS (Base) scores are too high.
New in Version 4: Supplemental Metrics
Supplemental Metrics offer the capability to introduce novel metrics for describing and quantifying additional external attributes of a vulnerability. These Supplemental Metrics enable information consumers to make informed decisions based on these values, allowing them to assign local significance to these metrics and values as desired.
No single metric will directly determine the numerical impact on the final calculated CVSS score (e.g., CVSS-BTE). Instead, organizations have the flexibility to ascribe importance and/or effective impact to each metric, or to specific combinations of metrics, granting them varying degrees of influence on the final risk analysis. Metrics and values serve the purpose of conveying additional external characteristics of the vulnerability itself.
Note: All Supplemental Metrics supplied by the information provider are optional. For a complete breakdown of each respective metric, view the 35th Annual FIRST Conference slide deck.
- Supplemental Metric: Safety
- Supplemental Metric: Automatable
- Supplemental Metric: Recovery
- Supplemental Metric: Value Density
- Supplemental Metric: Vulnerability Response Effort
- Supplemental Metric: Provider Urgency
New in Version 4: An Emphasis on Operational Technology (OT)
Today, numerous vulnerabilities extend beyond the conventional C/I/A (Confidentiality, Integrity, Availability) framework’s logical impacts. An emerging concern is the potential for tangible harm to individuals resulting from a vulnerability exploit, even if logical impacts are not immediately evident on the affected system.
Sectors like IoT, Industrial Control Systems (ICS), and healthcare are especially invested in recognizing and addressing such impacts within the CVSS framework. This inclusion assists in prioritizing issues that align with their increasing concerns and underscores the importance of holistic risk assessment.
OT: Consumer Supplied Environmental Safety
When a system lacks a designated safety-focused purpose but may still have safety-related implications due to its deployment, the exploitation of a vulnerability within that system can potentially result in safety-related impacts, which can be reflected in the Environmental Metrics group.
The Safety metric value gauges the extent of harm to the safety of a human actor or participant who could be predictably injured as a consequence of the vulnerability’s exploitation. Unlike other impact metric values, Safety is exclusively associated with the Subsequent System(s) impact category and should be taken into account alongside the N/L/H (None/Low/High) impact values for Availability and Integrity metrics.
Modified Integrity of Subsequent System: Safety (MSI:S)
Successful exploitation compromises the integrity of a subsequent system, for instance by altering the dosage settings of a medication infusion pump, with potential consequences for human health and safety, including injury.
Modified Availability of Subsequent System: Safety (MSA:S)
Successful exploitation undermines the availability of a subsequent system, as in a scenario where a car's brake system becomes inoperative, with potential consequences for human health and safety, including injury.
OT: Provider Supplied Supplemental Safety
If a system is explicitly designed with a safety-oriented purpose or fitness of use, the exploitation of a vulnerability within that system can result in a Safety impact, which can be incorporated within the Supplemental Metrics group.
The possible values for the Safety Supplemental Metric are as follows:
- Present (P): Consequences of the vulnerability meet the definition of IEC 61508 consequence categories of “marginal,” “critical,” or “catastrophic.”
- Negligible (N): Consequences of the vulnerability meet the definition of the IEC 61508 consequence category “negligible.”
- Not Defined (X): The value of this metric has not been defined for this vulnerability.
Note: Providers are not required to supply Supplemental Metrics. They can be supplied as needed, based solely on what the provider chooses to convey on a case-by-case basis.
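The sections above describe the v4.0 vector piece by piece: the new AT and N/P/A User Interaction values, the Vulnerable/Subsequent System impact split that retired Scope, Exploit Maturity as the lone Threat metric, the optional Supplemental metrics, and the two places Safety can appear (MSI:S/MSA:S in the Environmental group, S:P/S:N in the Supplemental group). The following is an added example, not code from the original article or from FIRST, that ties those pieces together as a parser and validator for CVSS v4.0 vector strings. It encodes the metric names and allowed values from the published v4.0 specification, rejects values the grammar does not allow (for example Safety on Confidentiality or on a Vulnerable System metric), and reports the CVSS-B / -BT / -BE / -BTE nomenclature. It deliberately does not compute the numeric score, whose MacroVector lookup is out of scope here, and the sample vectors are constructed for illustration and describe no real vulnerability.

```python
"""Parse, validate and classify CVSS v4.0 vector strings.

Added example, not code from the original article or from FIRST. Metric
names and values follow the CVSS v4.0 specification; scoring is not
implemented. Sample vectors are constructed and describe no real product.
"""
from dataclasses import dataclass

# Metric groups and their allowed values, as tabulated in the v4.0 spec.
BASE = {  # mandatory in every v4.0 vector
    "AV": tuple("NALP"), "AC": tuple("LH"), "AT": tuple("NP"),     # AT is new in 4.0
    "PR": tuple("NLH"), "UI": tuple("NPA"),                       # UI gained P/A
    "VC": tuple("HLN"), "VI": tuple("HLN"), "VA": tuple("HLN"),   # Vulnerable System
    "SC": tuple("HLN"), "SI": tuple("HLN"), "SA": tuple("HLN"),   # Subsequent System(s)
}
THREAT = {"E": tuple("XAPU")}  # Exploit Maturity replaces E/RL/RC
ENVIRONMENTAL = {
    "CR": tuple("XHML"), "IR": tuple("XHML"), "AR": tuple("XHML"),
    "MAV": tuple("XNALP"), "MAC": tuple("XLH"), "MAT": tuple("XNP"),
    "MPR": tuple("XNLH"), "MUI": tuple("XNPA"),
    "MVC": tuple("XHLN"), "MVI": tuple("XHLN"), "MVA": tuple("XHLN"),
    "MSC": tuple("XHLN"),
    "MSI": tuple("XSHLN"), "MSA": tuple("XSHLN"),  # 'S' (Safety) is valid only here
}
SUPPLEMENTAL = {
    "S": tuple("XNP"), "AU": tuple("XNY"), "R": tuple("XAUI"), "V": tuple("XDC"),
    "RE": tuple("XLMH"), "U": ("X", "Clear", "Green", "Amber", "Red"),
}
GROUPS = (BASE, THREAT, ENVIRONMENTAL, SUPPLEMENTAL)
PREFIX = "CVSS:4.0/"


@dataclass
class Cvss4Vector:
    base: dict
    threat: dict
    environmental: dict
    supplemental: dict

    @property
    def nomenclature(self) -> str:
        """CVSS-B / -BT / -BE / -BTE: which groups carry a non-default value."""
        has_t = any(v != "X" for v in self.threat.values())
        has_e = any(v != "X" for v in self.environmental.values())
        return "CVSS-B" + ("T" if has_t else "") + ("E" if has_e else "")

    def impacts(self) -> tuple:
        """The two C/I/A triples that replaced v3.x Scope."""
        return ({m: self.base[m] for m in ("VC", "VI", "VA")},
                {m: self.base[m] for m in ("SC", "SI", "SA")})

    def safety(self) -> dict:
        """Consumer-supplied (MSI/MSA = S) and provider-supplied (S:) safety signals."""
        return {"environmental": [m for m in ("MSI", "MSA") if self.environmental.get(m) == "S"],
                "supplemental": self.supplemental.get("S", "X")}


def parse_cvss4(vector: str) -> Cvss4Vector:
    """Parse a vector string; raise ValueError on any grammar violation."""
    if not vector.startswith(PREFIX):
        raise ValueError("not a CVSS v4.0 vector (expected 'CVSS:4.0/' prefix)")
    seen: dict = {}
    for part in vector[len(PREFIX):].split("/"):
        name, sep, value = part.partition(":")
        if not (sep and name and value):
            raise ValueError(f"malformed metric {part!r}")
        if name in seen:
            raise ValueError(f"metric {name} repeated")
        group = next((g for g in GROUPS if name in g), None)
        if group is None:
            raise ValueError(f"unknown metric {name}")
        if value not in group[name]:
            raise ValueError(f"{name}:{value} is not an allowed value")
        seen[name] = value
    missing = [m for m in BASE if m not in seen]
    if missing:
        raise ValueError("missing mandatory Base metrics: " + ", ".join(missing))
    return Cvss4Vector(*({m: seen[m] for m in g if m in seen} for g in GROUPS))


def check_vector(vector: str):
    """Return None if the vector is valid, else the validation error text."""
    try:
        parse_cvss4(vector)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed samples: a base-only vector, and a CVSS-BTE vector for a
# hypothetical infusion-pump style device carrying both safety signals.
SAMPLE_BASE_ONLY = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
SAMPLE_FULL = ("CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:P/VC:L/VI:H/VA:H/SC:N/SI:H/SA:H"
               "/E:A/MSI:S/MSA:S/S:P/AU:Y/R:U/U:Red")

if __name__ == "__main__":
    for vec in (SAMPLE_BASE_ONLY, SAMPLE_FULL):
        parsed = parse_cvss4(vec)
        print(parsed.nomenclature, parsed.impacts(), parsed.safety())
    # Safety is not a Confidentiality value and not a Vulnerable System value.
    print(check_vector(SAMPLE_BASE_ONLY + "/MSC:S"))
    print(check_vector(SAMPLE_BASE_ONLY.replace("VC:H", "VC:S")))
```

Two design points are worth noting. Metrics set to X are accepted but do not change the nomenclature, so a vector padded with E:X/CR:X still reports as CVSS-B; that matches the spec's intent that "Not Defined" contributes nothing. The parser also does not enforce metric ordering, only presence, uniqueness and value membership, so a consumer that wants strict ordering should add that check on top.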
Conclusion
The power of CVSS 4.0 compared to 3.1 is undeniable. To see a complete list of new features, check out the 35th Annual FIRST Conference slide deck.
If you found this topic interesting and you don’t have any exposure to vulnerability management, why not take a look at our entry-level free course, Introduction to Vulnerability Management?