Understanding the Common Vulnerability Scoring System (CVSS)

You may have noticed over the last couple of years that Cisco has been sending out its PSIRT e-mails with a Common Vulnerability Scoring System (CVSS) score included. Despite being a tad cryptic, this is a very useful tool and scoring system for quickly assessing security vulnerabilities. CVSS scores are derived from three scores: a "base" score, a "temporal" score, and an "environmental" score. These can better be described as the "fixed" score, the "variable" score, and "your" score. The base score is fixed at the time the vulnerability is found and its properties do not change. The base score includes the following metrics:

  • Access Vector (AV) - how the vulnerability is exploited; either locally on the machine or via a network.
  • Access Complexity (AC) - how difficult it is to exploit the vulnerability once the attacker has access.
  • Authentication (Au) - does the attacker have to authenticate?
  • Confidentiality Impact (C) - when the vulnerability is exploited, is the information on the machine available to the attacker?
  • Integrity Impact (I) - can the attacker change the system once it is exploited?
  • Availability Impact (A) - does the exploit take the system down or limit its resources?

Each of these metrics is chosen from a pre-determined list of options. Each option has a value. The values are then fed into a formula to produce the base score.

Next comes the temporal score. The temporal score changes the base score, up or down. The temporal score can also change over time (thus, why it is "tempora-ry"). For example, one of the component metrics of the temporal score is Remediation Level (RL). This measures whether a fix exists, such as an official vendor patch or a workaround. If, when the vulnerability is first released, there is no fix, then the temporal score will be higher. But when a fix is released, the score goes down. Again, it was temporary. There are three metrics that make up the temporal score. This score is multiplied by the base score to produce a new score. This score is what Cisco will produce when it sends PSIRTs.

The final part is the environmental score. This is how the vulnerability affects you. So, you get to determine how this vulnerability might affect your organization. If the vulnerability has to do with Cisco IOS XR and you don't have any GSRs or CSRs, then this score will be very, very low (like zero). There are five metrics that affect the environmental score. This score is combined with the base/temporal score to produce your score. This is on a scale of 1-10. If it's 2, don't be too worried. An 8, and well, you might be working this weekend.

Cisco has provided a nice calculator to figure the CVSS for a vulnerability. Let's do an example. Last month Cisco released PSIRT "Cisco Security Advisory: Cisco IOS Secure Shell Denial of Service Vulnerabilities".
The metrics for the SSHv2 spurious memory access vulnerability were as follows:

Base
  • Access Vector - Network
  • Access Complexity - Low
  • Authentication - None
  • Confidentiality Impact - None
  • Integrity Impact - None
  • Availability Impact - Complete
  • Score - 7.8 (pretty bad)

Temporal
  • Exploitability - Functional
  • Remediation Level - Official-Fix
  • Report Confidence - Confirmed
  • Score - 6.4 (getting better)

So, overall a base of 7.8 (bad) that is slightly mitigated to 6.4 by the temporal metrics. Still, 6.4 is not great. It's still a decent risk. But, this is where the environmental score comes in. How bad is it for your organization? Let's say the environmental metrics work out this way for your organization:

Environmental
  • Collateral Damage Potential - Medium-High
  • Target Distribution - High
  • Confidentiality Requirement - High
  • Integrity Requirement - Medium
  • Availability Requirement - Medium

Plug those into the Cisco CVSS calculator and it produces an environmental score of 7.8. So, you're probably canceling your golf plans this weekend. But, this is a very good way to determine what your risk is. CVSS is a great tool to determine your risk for each Cisco PSIRT.



Copyright © 2008 IDG Communications, Inc.
