The Common Vulnerability Scoring System, or CVSS for short, is the first and only open framework for scoring the risk associated with vulnerabilities. CVSS is designed to rank information system vulnerabilities and provide an end user with a composite score representing the overall severity and risk the vulnerability presents. CVSS was created by The National Infrastructure Advisory Council (NIAC). Over the years it has become a very widely adopted scoring system and is used by such heavy hitters as the Department of Homeland Security, CERT, Cisco, Union Pacific, and Symantec to name but a few. CVSS is currently maintained by the Forum of Incident Response and Security Teams (FIRST), http://www.first.org, and was a combined effort involving many companies, including:
Cisco uses the CVSS system for its IPS signatures and IntelliShield reports. See last week's blog for more info on IntelliShield.
What does a score mean?
A CVSS score is made up of three possible metric groups. Each group receives a score from 0 to 10, with 10 being the most severe. The three groups are:
Each group is made up of multiple separate categories. The values of these categories are combined to produce the 0-10 final value for the group.
The base group is made up of six categories as shown in the figure below:
The Temporal group is made up of only three values, as shown in the figure below:
And finally, the end-user controlled Environmental group is made up of five categories, as shown in the figure below:
For detailed info on the possible values in each category, see either the CVSS calculator or the FIRST CVSS guide.
Let’s take a look at an example CVSS score using a Cisco IntelliShield report.
This Sun Java vulnerability has a CVSS Base score of 9.3 and a Temporal score of 6.9. If you click on the CVSS calculator link, you're given the breakdown of the different categories within each score type. Here is the calculator screenshot showing the base score categories for this vulnerability.
Using this CVSS calculator the end-user can enter parameters for the environmental group. This allows the end-user to receive a 0-10 score of the risk posed by a particular vulnerability in their specific environment.
Well, that's a brief overview of the CVSS scoring system. For more info I highly suggest you read the CVSS guide by the FIRST group I mentioned previously. It is the definitive guide to CVSS. So my questions for you are: do you pay any attention to CVSS, do you use it, and what do you think of it?
The opinions and information presented here are my personal views, not those of my employer.
Jamey Heary, CCIE #7680, sits on the PCI Security Standards Council Board of Advisors, where he provides strategic and technical guidance for future PCI standards. Jamey is the author of Cisco NAC Appliance: Enforcing Host Security with Clean Access. (Check out all of Jamey Heary's books from Cisco Press.) He also has a patent pending on a new DDoS mitigation technique.
Jamey sits on several security advisory boards for Cisco Systems and is a founding member of the Colorado Healthcare InfoSec Users Group. He is an experienced speaker who is recognized as an expert in network security architecture, regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and he is a Certified HIPAA Security Professional. He has been working in the IT field for 15 years and in IT security for 10 years. Jamey is currently a Distinguished Systems Engineer at Cisco Systems.