The Common Vulnerability Scoring System (CVSS) is an open standard for assessing the severity of security vulnerabilities, designed to be independent of any vendor or industry.
In our previous blog post, we discussed CVSS v3 and how Acunetix provides support for it. In this post, we explore CVSS in more depth and look at what the latest version brings to the table in terms of web application security.
Why Use CVSS?
A large number of vulnerabilities are identified each day, and software vendors and users need a common way to assess their severity. Because CVSS is vendor agnostic, users can apply the same CVSS scores across various systems without having to deal with a series of proprietary scoring systems that are inconsistent, possibly inaccurate and more troublesome to maintain. Instead, scores are calculated through a defined set of metrics and equations that is clear, consistent and easy to use.
Features added in CVSS version 3
The newer version of CVSS introduces a number of changes to the scoring system that more accurately reflect vulnerabilities in the web application domain.
While the three metric groups (the Base Score, the Temporal Score and the Environmental Score) remain the same, new metrics such as Scope (S) and User Interaction (UI) were added, and older metrics such as Authentication (Au) were replaced by newer ones such as Privileges Required (PR).
The Environmental Metrics group also saw a new addition, the Modified Base Metrics, which allow analysts to customise CVSS scores according to the affected host in the analyst's organisation, making the score contextual when it needs to be.
How does this affect vulnerabilities?
CVSS by nature does not account for chained vulnerabilities, that is, a series of vulnerabilities that, when combined, are capable of compromising a system. Because of this, a CVSS score may not always accurately reflect the severity of a particular vulnerability in the context of an organisation. However, CVSS v3 handles this somewhat better with the new base metric, Scope (S), which specifies whether the vulnerability is able to compromise a component other than the originally vulnerable one. If that is the case, not only is the Base Score increased, but the Confidentiality, Integrity and Availability impacts are evaluated against the impacted component (e.g. a web browser affected by a vulnerability in the web server).
Take for instance a Reflected Cross-site Scripting vulnerability in phpMyAdmin (CVE-2013-1937). It had a CVSS v2 Base Score of 4.3 out of 10, which rose to a CVSS v3 Base Score of 6.1 out of 10. The table below compares the evaluation under CVSS v2 and CVSS v3.
| Metric | CVSS v2 Value | CVSS v3 Value | Comment |
|---|---|---|---|
| Attack Vector* | Network | Network | The vulnerability is bound to the network stack. |
| Attack Complexity* | Medium | Low | Medium has been removed in CVSS v3. Value set to Low as the attacker can repeatedly exploit the vulnerable target with little effort. |
| Privileges Required* | None | None | Both set to None, as the attacker does not require any form of authentication to exploit the vulnerability. |
| User Interaction | N/A | Required | New in CVSS v3. Successful exploitation requires a user to take some action. |
| Scope | N/A | Changed | New in CVSS v3. The web server is vulnerable, but the end-user's browser is impacted by the vulnerability, therefore the scope is set to Changed. |
| Confidentiality Impact | None | Low | Upgraded from None to Low due to the changed scope. The score is now evaluated against the end-user's browser rather than the web server. Information can be read from the browser and sent back to the victim. |
| Integrity Impact | Partial | Low | The attacker has limited control over what data or files may be modified. |
| Availability Impact | None | None | Both scores set to None. The attack can cause the browser to run slowly, but this is usually resolved by closing the browser tab (or window). |
* Different name in CVSS v2
The deciding factor in this example is the Scope metric. Had the scope been Unchanged, the confidentiality impact would have been evaluated against the web server rather than the web browser, setting the value to None instead of Low.
Changing the Scope value to Unchanged and the Confidentiality value to None brings the CVSS Base Score down to 4.3 out of 10, the same score it was assigned under CVSS v2.