Tens of thousands of new computer system security vulnerabilities have been discovered in each of the last few years.  In 2020 and 2021 alone, the number of annual new vulnerabilities surpassed 18,000.

These infosec vulnerabilities come in a variety of different shapes and sizes.  While software vulnerabilities commonly boil down to making the same few types of mistakes again and again, these different types of vulnerabilities have varying impacts, and their effects depend on the software in question.

Many companies struggle to keep up with their computer security vulnerability management, and often attempt to prioritize their patching programs to maximize the impact of their efforts.  The Common Vulnerability Scoring System (CVSS) makes this possible.

What Is the CVSS?

The CVSS is a framework designed to facilitate discussions of how vulnerabilities work and the severity of different vulnerabilities.  Without a common standard, each security researcher or vendor might use their own nomenclature or taxonomy for vulnerabilities that they disclose, making it difficult to understand and compare vulnerability information across various organizations.

The CVSS scores computer system vulnerabilities in a range of 0.0-10.0.  These scores are mapped to severity ratings:

  • None: 0.0
  • Low: 0.1-3.9
  • Medium: 4.0-6.9
  • High: 7.0-8.9
  • Critical: 9.0-10.0

The National Vulnerability Database (NVD) lists CVSS scores for all of its vulnerabilities.  Common Vulnerability Enumeration (CVE) listings also include CVSS scores or include links to the NVD and its CVSS scores.

How Are CVSS Scores Calculated?

The CVSS provides a single score that describes how bad a particular vulnerability is.  This score is calculated using three different values:

  • Base Score: This score represents static attributes of a vulnerability that do not evolve over time or across different user groups.  This includes the exploitability and impact of the vulnerability.
  • Temporal Score: The temporal score captures aspects of the vulnerability that can change over time.  For example, exploit code may become more mature and available over time, and the vendor may release a patch for the vulnerability.
  • Environmental Score: The environmental score is based on aspects of a vulnerability that may be unique to a particular environment.  These include attributes of an enterprise environment that might make the impact of a vulnerability greater or less.

Each of these three scores is calculated based upon a set of different factors.  For example, impact subscores under the Base and Temporal scores are calculated as the combination of impacts on confidentiality, integrity, and availability.

CVSS scores can be calculated using a calculator hosted on the NVD or FIRST websites.  To calculate a CVSS score, only the Base Score needs to be calculated.  The Temporal and Environmental scores are optional and can modify the overall score to better reflect the actual risk that a vulnerability currently poses to an organization.

Leveraging CVSS Scores to Improve Your Security

A CVSS score provides a single value describing the impact of a computer system security vulnerability in isolation.  However, when using it for vulnerability remediation and incident response, it is also important to take into account contextual factors.

A CVSS score can’t take into account details of an organization’s internal environment that affect the impact and severity of a vulnerability.  For example, a Medium severity vulnerability on the CVSS scale on a critical system may have a greater business impact than a Critical severity one on a less important system.

The CVSS scale is only useful for ranking vulnerabilities if you know that the vulnerabilities exist, which requires a vulnerability assessment or penetration test.  To discuss how you can find potential vulnerabilities in your environment, or to find out more about our advanced penetration testing services, reach out to Halborn’s cybersecurity experts at halborn@protonmail.com.

Rob Behnke