Q&A Monday: What is CVSS?
I am a recent graduate, who just got a job working in IT at a company. During a meeting today, someone mentioned a CVSS score on a system that needed to be patched. I was afraid to ask during the meeting, but what is CVSS?
Kenneth M. Ponce
Before I get to the answer to your question, if this is your first job in Information Technology, I hope those that work with you would understand if you asked that question. If I can be honest with you, I try to keep that honesty part of who I am, I’ll ask for clarification if I don’t understand. It’s the only way that I can learn more, once the concept is explained, sometimes I just never heard that term, but knew what it was, just different places use different words.
As to answer your question on what CVSS is, it stands for Common Vulnerability Scoring System. There are tons of vulnerabilities found every year in applications and those vulnerabilities come in all shapes and sizes. The CVSS framework was designed as a way to classify how the vulnerabilities work and their severity. This framework sets a standard, which all researchers or vendors can utilize to give a consistent picture of the severity of the vulnerability.
The CVSS Framework scores system vulnerabilities in a range of 0.0-10.0 and then these scores are mapped to severity ratings (as seen below)
- None: 0.0
- Low: 0.1-3.9
- Medium: 4.0-6.9
- High: 7.0-8.9
- Critical: 9.0-10.0
The CVSS provides a score that describes how bad a particular vulnerability is. CVSS scores can be calculated using a calculator hosted on the NVD (personal favorite) or FIRST websites. When you calculate a CVSS score, only the Base Score needs to be calculated. Now there are optional modifiers for Temporal and Environmental scores which can modify the overall score to better reflect the actual risk of that vulnerability currently poses to an organization. It breaks the score into 3 parts and then combines those scores for a total score:
- Base Score: Base Factors represent characteristics of the vulnerability itself. These characteristics do not change over time, and are not dependent on real world exploitability or on compensating factors that an enterprise has put into place to prohibit exploit.
- [MODIFIER] Temporal Score: These are exactly like they sound – metrics related to a vulnerability that change over time. These metrics measure the current exploitability of the vulnerability, as well as the availability of remediating controls, such as a patch. Subcomponents of Temporal Metrics include Exploit Code Maturity, Remediation Level, and Report Confidence.
- [MODIFIER] Environmental Score: Is based on the aspects of a vulnerability that may be unique to a particular environment. These include attributes of an enterprise environment that might make the impact of a vulnerability greater or less.
You may hear CVSS used in conjunction with CVE (Common Vulnerability Enumeration), which is a unique identifier for vulnerabilities. CVSS is used in CVE’s to idicate the severity of the CVE mentioned. So for example, the CVE for the Heartbleed vulnerability is CVE-2014-0160 and it had a base CVSS Score of 7.5, which makes is severity High.
I hope that this helped you get a better idea of the CVSS score is, and how you can use it to better understand severity of vulnerabilities and the modifiers you can use to determine how it impacts your organization specifically. If you have more questions, feel free to email me at me-at-jimguckin.com. If anyone else has any other questions, you can email there as well.