icon-carat-right menu search cmu-wordmark

Vulnerability Severity Using CVSS

Art Manion

If you analyze, manage, publish, or otherwise work with software vulnerabilities, hopefully you've come across the Common Vulnerability Scoring System (CVSS). I'm happy to announce that US-CERT Vulnerability Notes now provide CVSS metrics.

In step with the March 2012 release of a new design for the US-CERT website, Vulnerability Notes now include CVSS metrics. The CVSS specification is managed by a special interest group within the Forum of Incident Response and Security Teams (FIRST). You can read all about CVSS on the CVSS-SIG website. I particularly recommend the Complete Guide documentation.

Along with announcing the availability of CVSS metrics in Vulnerability Notes, I'd like to explain a few important points about our usage of CVSS:

First, and most important, Vulnerability Notes will provide base, environmental, and temporal metrics. The CVSS documentation recommends that CVSS producers specify base and temporal metrics:

Generally, the base and temporal metrics are specified by vulnerability bulletin analysts, security product vendors, or application vendors because they typically have more pertinent information about the characteristics of a vulnerability than users do. The environmental metrics are specified by users, because users are best able to assess the potential impact of a vulnerability within their own environments.

In practice, I've observed that most CVSS sources only specify the base metric. While this practice is understandable--temporal metrics require effort to maintain over time, and environmental metrics are specific to the CVSS consumer--it creates a serious potential for misuse; or perhaps better stated, misapplication.

It is too easy to look at freely-provided CVSS base metric scores from the National Vulnerability Database (NVD) at NIST or your favorite vulnerability scanner and stop: Severity rating obtained, mission accomplished. Don't do this, you'll likely make a suboptimal vulnerability response decision based on an inaccurate severity rating. Why? The base metrics don't include two very important vectors: Exploitability (which speaks to threat) and Target Distribution (a proxy, if a poor one, for asset value or expected loss). Follow the CVSS documentation and score the temporal and environmental metrics using current information about your environment.

To this end, Vulnerability Notes will provide CVSS temporal and environmental metrics based on information available at the time of publication, with an environment of "the entire internet." You can discard our environmental metrics and provide your own. Please do the same for temporal metrics if you have more recent information.

On to other issues: Multiple vulnerabilities and CVSS metric conflicts.

One Vulnerability Note may cover multiple vulnerabilities. For example VU#913483 lists four distinct vulnerabilities (four CVE IDs) in tape library web interfaces. In such cases, the CVSS metrics will be based on the vulnerability with the highest base metric score. For VU#913483, this would be the default password issues identified by CVE-2012-1844.

Concerning CVSS metric conflicts: we're in close contact with the NVD personnel at NIST, and we're working with them to synchronize the way we score CVSS metrics. The lines of communication are open so that we can resolve any discrepancies quickly and easily. If you have questions about, or disagree with, the CVSS metrics in a Vulnerability Note, you can send email to <cert@cert.org> with the appropriate VU# identifier in the subject.

Lastly, some more information about our use of CVSS is available in the Vulnerability Notes help page.

Get updates on our latest work.

Each week, our researchers write about the latest in software engineering, cybersecurity and artificial intelligence. Sign up to get the latest post sent to your inbox the day it's published.

Subscribe Get our RSS feed