How to Calculate the CVSS Score of a Vulnerability?

As a security professional, being able to accurately assess and communicate the severity of vulnerabilities is a critical skill. One of the most widely used standards for this is the Common Vulnerability Scoring System (CVSS).

CVSS provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as Low, Medium, High, and Critical) to help organizations properly assess and prioritize vulnerabilities.

In this blog post, I’ll provide an overview of CVSS and how to use it to evaluate vulnerabilities in your environment.

Why CVSS Matters for Security Professionals?

With new vulnerabilities constantly being discovered and disclosed, it’s impossible for organizations to fix every single one. That means security professionals need to be able to determine which flaws pose the greatest risk so they can prioritize remediation efforts.

According to one study, over 26,000 new vulnerabilities were disclosed in 2023 alone. And research from Qualys shows an average of around 76 new vulnerabilities per day in 2023.

Simply put, there are too many vulnerabilities and not enough resources to address them all. By scoring vulnerabilities consistently using CVSS, you gain insight into the ones that are most threatening to your organization. This allows you to focus efforts on the vulnerabilities likeliest to be exploited.

Standardizing on CVSS also provides the following benefits:

  • Common Language– CVSS scores provide a common language for communicating risk across teams. Rather than relying on vague or inconsistent qualitative ratings.

  • Improved Reporting– Centralized reporting on vulnerabilities becomes easier when CVSS is standard across tools and systems.

  • Better Prioritization– Consistent scoring leads to better prioritization of patching and remediation efforts.

In short, CVSS is vital for modern security programs to intelligently manage vulnerabilities.

Overview of CVSSv3.1 Scores and Metrics

CVSS organizes vulnerabilities characteristics into three groups:

  1. Base

  2. Temporal

  3. Environmental

Metrics are defined within each group as follows:

Base – Inherent and unchanging characteristics, including:

Temporal – Characteristics that change over time, including:

  • Exploit Code Maturity (Not Defined, High, Functional, Proof of Concept, Unproven)

  • Remediation Level (Not Defined, Unavailable, Workaround, Temporary Fix, Official Fix)

  • Report Confidence (Not Defined, Confirmed, Reasonable, Unknown)

Environmental – Characteristics that depend on a vulnerability’s context, including:

  • Confidentiality Requirement (High, Medium, Low)

  • Integrity Requirement (High, Medium, Low)

  • Availability Requirement (High, Medium, Low)

  • Modified Base Metrics (Values overridden from Base group)

CVSS scores range from 0 to 10, with 10 being the most severe. Typically, critical vulnerabilities score between 9-10, while medium severity flaws score between 4-6.9.

Let’s look at how to calculate scores.

Calculating CVSS Scores Step-By-Step

The overall CVSS score is computed by combining the Base, Temporal, and Environmental metrics. However, most vulnerabilities are initially assigned a Base score which you can then further refine by adding Temporal and Environmental factors.

Here is the process to follow:

Step 1: Analyze Factors to Determine Base Metrics

First, you need to analyze the inherent characteristics of a vulnerability to determine appropriate Base metrics and values.

For example, consider an SQL injection vulnerability:

  • The flaw allows remote, unauthenticated attackers to execute malicious SQL payloads via an HTTP request.

  • Successful exploitation grants administrative control over the database.

  • No special conditions are required to exploit this vulnerability reliably.

Based on this, the relevant Base factors would be:

  • Attack Vector: Network (exploit possible remotely over IP network)

  • Attack Complexity: Low (attack straightforward to execute)

  • Privileges Required: None (no privileges needed for exploitation)

  • User Interaction: None (no user interaction required for attack)

  • Scope: Unchanged (impact contained within vulnerable component)

  • Confidentiality Impact: High (full database exposed)

  • Integrity Impact: High (attacker can modify database)

  • Availability Impact: High (attacker could corrupt or crash database)

Step 2: Represent as a Vector String

Once you’ve determined the metrics and values accurately reflecting the vulnerability, these can be encoded as a vector string.

See also  A New Improved Workaround to Mitigate the ProxyNotShell Vulnerability

The vector string serves as shorthand for the Base metrics. Here’s the format:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Breaking this down:

  • AV:Attack Vector (Nfor Network)

  • AC:Attack Complexity (Lfor Low)

  • PR:Privileges Required (Nfor None)

  • UI:User Interaction (Nfor None)

  • S:Scope (Ufor Unchanged)

  • C:Confidentiality Impact (Hfor High)

  • I:Integrity Impact (Hfor High)

  • A:Availability Impact (Hfor High)

So based on our SQL injection factors, the vector string would be:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Step 3. Calculate the Base Score

With the vector string defined, you can calculate the Base score using the standard CVSS v3.1 equations.

In this example, the equation yields a Base score of 9.8 out of 10, indicating the SQL injection vulnerability is critical severity.

So with just the inherent characteristics, you already have a standardized severity rating for the vulnerability that communicates the principal risks.

Step 4. Add Temporal and Environmental Factors

The Base score provides a solid starting point. But you may need to refine the score further to account for Temporal and Environmental factors.

Temporal factors directly impact the exploitability of a vulnerability. For example, you’d want to increase the score if exploit code was freely available or decrease it if an official patch exists.

Environmental factors relate to the vulnerability’s context in your systems and environment. If the affected database contains highly sensitive data, the confidentiality impact likely heightens. But if it only stored public data, confidentiality may actually be low for your situation.

Adding Temporal and Environmental metrics allows tuning the score to more precisely represent the risk to your organization.

Putting CVSS to Work

Now that you grasp CVSS scoring, let’s discuss ways to put it into practice:

Prioritizing Vulnerabilities for Remediation

The most obvious application is prioritizing remediation efforts based on CVSS scores. Critical and high-severity vulnerabilities should be addressed first.

That said, it’s important to combine scores with business context to focus on vulnerabilities in truly sensitive systems and data flows first.

For example, a high-severity vulnerability in a test environment likely poses less immediate risk than a medium-severity one affecting production Internet-facing systems.

See also  How to Fix CVE-2023-37476- A Zip Slip Vulnerability in OpenRefine?

But over the long-run, consistently remediating vulnerabilities with higher CVSS scores will methodically reduce your organization’s exposure.

Tracking Progress

Another idea is to track your vulnerability status over time using CVSS. Sets of systems can be tracked independently to quantify hardening efforts.

For example, you may find the average Base score for vulnerabilities in DMZ servers is slowly declining quarter to quarter. This shows that while new flaws are reported, addressing higher severity ones first is steadily improving security.

Conversely, spots where the average score increases may show technical debt and legacy systems you need to enhance.

Building Models for Simulation

For organizations with deep security teams, CVSS can be used to model and simulate cyber risk. Threat models accounting for vulnerabilities and controls can be tied to potential business impacts.

By simulating attacks based on CVSS scores, you can estimate losses from vulnerabilities in monetary terms – providing hard ROI data for security investments targeting higher severity flaws.

The bottom line is standardizing on CVSS gives you a consistent language to base measurements and models around vulnerabilities upon.

Closing Thoughts

I hope this overview gives you a better understanding of how to leverage CVSS to strengthen vulnerability management as a security professional. Consistently scoring and tracking vulnerabilities using CVSS provides tangible visibility into risk exposure. It also allows accurately focusing remediation efforts on the most potentially impactful vulnerabilities.

To learn more about putting CVSS into practice, check out these additional resources:

Now get out there, start scoring vulnerabilities in your environment, and start driving risk reduction with CVSS!

Leave a Reply

Your email address will not be published. Required fields are marked *