Introduction

‍

For cybersecurity professionals, the Common Vulnerability Scoring System (CVSS) plays a critical role by providing a standardized method to measure the impact and exploitability of security flaws in technology systems.

Since its inception, CVSS has undergone several modifications and updates over the years. With the upcoming release of CVSS 4.0 being so highly anticipated, it is important to outline some major changes. VikingCloud will transition from CVSS 3.1 and 2.0 to CVSS 4.0 and 3.1 as its standardized vulnerability scoring frameworks for all future penetration testing and reporting beginning November 1, 2023.

‍

Understanding CVSS

‍

CVSS is a framework designed to provide a qualitative measure of severity. CVSS is not a measure of risk. It assists security professionals in prioritizing and effectively managing organizational vulnerabilities. Currently, all versions up to CVSS 3.1 consist of three metric groups: Base, Temporal, and Environmental.

‍

1. Base Metrics: These metrics measure the inherent characteristics of a vulnerability and include factors such as attack vectors, attack complexity, and impact metrics such as confidentiality, integrity, and availability.
2. Temporal Metrics: These metrics provide additional information that might change over time, such as the exploitability of the vulnerability, remediation level, and report confidence.
3. Environmental Metrics: These metrics allow organizations to customize the CVSS scores based on their unique environments, considering factors like the impact on availability, confidentiality, and integrity specific to their systems.

‍

CVSS scores range from 0 to 10, with a higher score indicating a more severe vulnerability. This numerical assignment represents a qualitative representation assigned to either a critical, high, medium, or low rating. These scores help security teams prioritize their remediation efforts, focusing on vulnerabilities that pose the greatest risk to their systems.

‍

Criticism related to CVSS versions 3.1 and prior includes:

‍

• The CVSS Base Score was traditionally utilized by organizations as the primary metric for risk analysis. The CVSS Base Score is a metric that does not change value over time. CVSS 3.1 users have utilized the Base Score as their primary means of risk analysis without considering additional factors.
• CVSS 3.1 has limitations by offering minimal real-time threat and supplemental impact details. CVSS 3.1 fails to provide consumers with granular detail, which often results in inflated scoring of vulnerabilities. Organizations Vulnerability Management teams can now utilize these metrics to refine CVSS-BTE for their own internal risk management and vulnerability management programs.
• CVSS 3.1 and prior is only applicable to IT environments. CVSS 3.1 and below does not consider the impact of OT, ICS, and safety systems variables when it comes to vulnerability management specifically, the impact on those environments and how it differentiates from traditional IT networks and systems.

‍

Upcoming Changes with CVSS 4.0

‍

CVSS 4.0 has just concluded its public preview comment period and is slated for an official target publication date of October 31, 2023. CVSS 4.0 is expected to introduce significant enhancements to improve the accuracy and effectiveness of vulnerability scoring. The following are the 5 critical areas of change and improvement.

‍

1. Nomenclature: CVSS is not just the base score. To reinforce this concept, new nomenclature has been created with the following combinations: Base (CVSS-B), Base + Threat (CVSS-BT), Base + Environmental (CVSS-BE), and Base + Threat + Environmental (CVSS-BTE).
2. Base Metric: Attack Complexity is now divided into two categories: Attack Complexity and Attack Requirements. The Base Metric now provides integration of User Interaction as a scoring metric for greater granularity. The scope has been retired and replaced with Vulnerable System and Subsequent System, with individual analysis based on the Confidentiality, Integrity, and Availability (CIA) triad. This change addresses the issues with downstream scoring ambiguity subsequently impacting systems in/adjacent to an environment.
3. Threat Metric Group: Adjusts reasonable worst case base score by using threat intelligence to reduce the CVSS-BTE score, addressing concerns that many CVSS (Base) scores are too high.
4. Supplemental Metrics: This does not impact the overall final CVSS score, but they do offer additional attributes to a vulnerability, especially when addressing vulnerability response in an OT/ICS/Safety environment.
5. User Flexibility: CVSS 4.0 is expected to introduce improvements that offer users greater flexibility in customizing scores based on their specific environments. This customization will allow organizations to incorporate their unique risk management strategies and the characteristics of their systems into the vulnerability assessment process.

‍

Conclusion

‍

CVSS has been a valuable tool in the cybersecurity landscape, aiding professionals in prioritizing and addressing vulnerabilities effectively. With updates such as expanded base metrics, threat metrics, supplemental metrics, and the consideration of OT/ICS/Safety environments, CVSS 4.0 aims to provide a more comprehensive and precise evaluation of an organization's vulnerabilities during an assessment. As the new version is finalized and released, it will undoubtedly play a vital role in strengthening the security posture of institutions worldwide. VikingCloud will introduce CVSS 4.0 into its vulnerability scanning solutions beginning November 1, 2023, to take advantage of the enhanced accuracy and usefulness of its vulnerability scoring and help further strengthen the security posture of its clients.

Have questions? Need to baseline your security posture or want to discuss the right testing model for your business? Contact us today.

Additional Reference Information

‍

First. (2023). Common vulnerability scoring system. Common Vulnerability Scoring System Version 4.0. https://www.first.org/cvss/v4-0/

NVD. (n.d.). Vulnerability Metrics. National Vulnerability Database (NVD). https://nvd.nist.gov/vuln-metrics/cvss