You may have noticed over the last couple years that Cisco has been sending out its PSIRT e-mails with a Common Vulnerability Scoring System (CVSS) score included. Despite being a tad cryptic, this is a very useful tool and scoring system for quickly assessing security vulnerabilities.
CVSS scores are derived from three scores: a "base" score, a "temporal" score, and an "environmental" score. These can better be described as "fixed" score, "variable" score, and "your" score.
The base score is fixed at the time the vulnerability is found and its properties do not change. The base score includes the following metrics: Access Vector, Access Complexity, Authentication, Confidentiality Impact, Integrity Impact, and Availability Impact.
Each of these metrics is chosen from a pre-determined list of options. Each option has a value. The values are then fed into a formula to produce the base score.
Next comes the temporal score. The temporal score changes the base score, up or down. The temporal score can also change over time (thus, why it is "tempora-ry"). For example, one of the component metrics of the temporal score is Remediation Level (RL). This captures whether a fix is available, either an official one from the vendor or a workaround. If there is no fix when the vulnerability is first released, the temporal score will be higher. When a fix is released, the score goes down. Again, it was temporary. There are three metrics that make up the temporal score. Their values are multiplied with the base score to produce the temporal score. This is the score Cisco includes when it sends PSIRTs.
The final part is the environmental score. This is how the vulnerability affects you. So, you get to determine how this vulnerability might affect your organization. If the vulnerability has to do with Cisco IOS XR and you don't have any GSRs or CRSs, then this score will be very, very low (like zero). There are five metrics that affect the environmental score. This score is combined with the base/temporal score to produce your score. This is on a scale of 1-10. If it's 2, don't be too worried. An 8, and well, you might be working this weekend.
Cisco has provided a nice calculator to figure the CVSS for a vulnerability. Let's do an example. Last month Cisco released PSIRT "Cisco Security Advisory: Cisco IOS Secure Shell Denial of Service Vulnerabilities". The metrics for the SSHv2 spurious memory access vulnerability were as follows:
Base
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
Score - 7.8 (pretty bad)
Temporal
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Score - 6.4 (getting better)
So, overall a base of 7.8 (bad) that is slightly mitigated to 6.4 by the temporal metrics. Still, 6.4 is not great. It's still a decent risk. But, this is where the environmental score comes in. How bad is it for your organization? Let's say the environmental metrics work out this way for your organization:
Environmental
Collateral Damage Potential - Medium-High
Target Distribution - High
Confidentiality Requirement - High
Integrity Requirement - Medium
Availability Requirement - Medium
Plug those into the Cisco CVSS calculator and it produces an environmental score of 7.8. So, you're probably canceling your golf plans this weekend. But, this is a very good way to determine what your risk is.
CVSS is a great tool to determine your risk for each Cisco PSIRT.
Michael Morris is a communications engineering manager at a $3-billion high-tech company. His background is in enterprise WANs working with telcos and developing large-scale routing designs. He has worked on networks at government and corporate organizations, including networks at two Fortune 10 companies. In his current role, he leads a team of 10 engineers responsible for large-scale IT networking projects and architectural standards for data networks, storage area networks, IP telephony, contact centers, and security. Michael is CCIE #11733 and recently became one of the first three Cisco Certified Design Experts (CCDE) ever (#20080002). He has 11 years experience in networking and communications, including four years as a paratrooper in the U.S. Army. He has a bachelor's degree in MIS from the University at Buffalo and is working on his MBA from NC State University. In 2008, he was awarded the Network Professional Association (NPA) Professional Excellence and Innovation Award for his work on network architecture, templates and enterprise MPLS design.
Michael Morris's From the Field blog is also featured on the Cisco Learning Network. See it there, along with the blogs of other Cisco Experts.