The Common Vulnerability Scoring System, or CVSS for short, is the first and only open framework for scoring the risk associated with vulnerabilities. CVSS is designed to rank information system vulnerabilities and provide an end user with a composite score representing the overall severity and risk the vulnerability presents. CVSS was created by The National Infrastructure Advisory Council (NIAC). Over the years it has become a very widely adopted scoring system and is used by such heavy hitters as the Department of Homeland Security, CERT, Cisco, Union Pacific, and Symantec to name but a few. CVSS is currently maintained by the Forum of Incident Response and Security Teams (FIRST), http://www.first.org, and was a combined effort involving many companies, including:
- CERT/CC
- Cisco Systems
- eBay
- Internet Security Systems
- Microsoft
- DHS/MITRE
- Qualys
- Symantec
What does a score mean? A CVSS score is made up of three possible metric groups. Each group receives a score from 0 to 10, with 10 being the most severe. The three groups are:
Cisco uses the CVSS system for its IPS signatures and IntelliShield reports. See last weeks blog on more info on IntelliShield.
- Base Group – Mandatory Score by vendor or analyst
- Temporal Group – Optional score by vendor or analyst
- Environmental Group – Optional score by end-user
Each group is made up of multiple separate categories. The sum of these categories make up the 0-10 final value for the group. The base group is made up of six categories as shown in the figure below: [img=450x300]http://www.jheary.com/basegroup.gif[/img] The Temporal group is made up of only three values, as shown in the figure below: [img=450x300]http://www.jheary.com/temporalgroup.gif[/img] And finally, the end-user controlled Environmental group is made up of five categories, as shown in the figure below: [img=450x300]http://www.jheary.com/environmentgroup.gif[/img] For detailed info on the possible values in each category see either the CVSS calculator [url=https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&vector=AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C&version=2.0] here.[/url] or the FIRST CVSS guide here: http://www.first.org/cvss/cvss-guide.html Let’s take a look at an example CVSS score using a Cisco IntelliShield report. [img=500x450]http://www.jheary.com/cvssexample.gif[/img]
This Sun Java vulnerability has a CVSS Base score of 9.3 and a Temporal score of 6.9. If you click on the CVSS calculator link then you’re given the break down of the different categories within each base score type. Here is the calculator screen shot showing the base score categories for this vulnerability. [img]http://www.jheary.com/cvsscalc.jpg[/img] Using this CVSS calculator the end-user can enter parameters for the environmental group. This allows the end-user to receive a 0-10 score of the risk posed by a particular vulnerability in their specific environment. Well that’s a brief overview of the CVSS scoring system. For more info I highly suggest you read the CVSS guide by the FIRST group I mentioned previously. It is the definitely guide to CVSS. So my questions for you are; do you pay any attention to CVSS, do you use it, what do you think of it? The opinions and information presented here are my personal views not those of my employeer.