Introduction to CVSS

Abstract

Companies today run large and complex infrastructures. They are complex because they combine many different technologies, and the more complex your infrastructure is, the larger the attack surface you expose.

In this article we will talk about CVSS (Common Vulnerability Scoring System), the standard used to rate the severity of a vulnerability. Note that CVSS rates the vulnerability itself; the actual risk to a given organisation also depends on context (exposure, exploit availability, the value of the affected asset), which the base score does not capture.

Prerequisites

For a better understanding, some notions of networking, cryptography and system administration will help.

Weakness and Vulnerability

For this part we will use the standard definitions developed by ENISA in their document "Security aspects of virtualization".

So, according to ENISA, a weakness is defined as:

A type of mistake in software, in operations and in the infrastructure that, in the right conditions, could contribute to introducing vulnerabilities. This term applies to mistakes in software, regardless of whether they occur in implementation, design or other phases of the software-development life cycle.

Now let's take their definition of a vulnerability:

An occurrence of a weakness (or multiple weaknesses) within software, operations or infrastructure, in which the weakness can be used by a party to perform actions that were not specifically granted to the party who takes advantage of the weakness.

Where is CVSS used?

This scoring system is used for most CVEs (Common Vulnerabilities and Exposures). So when an article talks about a security breach, you will almost certainly find a CVSS score somewhere between the lines.

Let's take a recent example: an article from The Register titled "Oracle splats 300 vulns in MySQL, Database, Fusion, etc, pours fresh brew of Java SE terms" [5].

Here is a first quotation from the article:

"While Oracle did not say exactly what each flaw would allow, the maximum CVSS is 9.0, generally a score reserved for remote code execution without any user interaction."

At this point you need to know that a vulnerability gets a score between 0 and 10, and a 10 is really bad news. A 9.0, as in the quote above, already puts a flaw in the "Critical" band.

Now let's go deeper and look at an actual CVE. We will describe CVE-2019-2426, a vulnerability in the Java SE component of Oracle Java SE [6]. On the CVE page you get a description, and usually the associated CVSS score as well. This one has a base score of 3.7, so its severity is rated as low.

Here are the different ranges (the qualitative severity ratings defined for CVSS v3):

None        0.0
Low         0.1-3.9
Medium      4.0-6.9
High        7.0-8.9
Critical    9.0-10.0

One thing you can do when you have a CVE identifier is to use this URL: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=[CVE_ID]. Depending on where you found the CVE, the score may not be obvious to locate, since several entities (the vendor, NVD, third-party scanners) each publish their own scoring, and they do not always agree with each other.

For our case study, let's check https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-2426

Figure 1 : Score

Then, because NIST does things properly, you will also find the characteristics (the eight base metrics, also published as a vector string) that were used to compute this score.

  • Attack Vector (AV): Network
    • The attack can be carried out remotely over the network; the attacker does not need to be on the same local segment or to have physical access.
  • Attack Complexity (AC): High
    • Success depends on conditions outside the attacker's control, such as a specific configuration, a race to win, or a man-in-the-middle position. A single attempt will not reliably work.
  • Privileges Required (PR): None
    • The attacker needs no account or privileges on the target before launching the attack (this is not about privilege escalation afterwards).
  • User Interaction (UI): None
    • You can perform the attack alone; nobody on the other side has to click or open anything.
  • Scope (S): Unchanged
    • The impact stays within the vulnerable component; exploiting it does not let you affect resources governed by another security authority (for example, escaping from a VM to the hypervisor would be a scope change).
  • Confidentiality (C): Low
    • Some restricted data is disclosed, but the attacker does not control which data, or the disclosure has no serious impact.
  • Integrity (I): None
    • You cannot modify anything; it is read-only access at most.
  • Availability (A): None
    • And for this last point, the service is not disrupted at all: no crash, no denial of service.

If you subscribe to security advisories, you will also find CVSS scores there!

Figure 2 : Cisco

2019-04 Security Bulletin: QFX5000 Series, EX4300, EX4600:
A stack buffer overflow vulnerability in Packet Forwarding Engine manager (FXPC) process (CVE-2019-0008) [JSA10930]
Product Affected: This issue affects Junos OS 14.1X53, 15.1X53, 17.1, 17.2, 17.3, 17.4, 18.1, 18.2, 18.2X75, 18.3 on QFX5000 series, EX4300, EX4600. [...]
CVSS Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) Risk Level: Critical

Figure 3 : Juniper CVE

Use it yourself

Now if you discover a vulnerability in your own project, you can score it the same way, compare it with the other issues in your backlog and decide how urgently it needs a patch. Keep in mind that the base score is only one input: the temporal and environmental metrics (is a public exploit available? how exposed is this particular asset?) can move the final number up or down for your own context.

The calculator is here: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

CVSS, a good tool

The scoring system is a standard used by many companies and organisations. If you use Cisco or Juniper hardware, you won't be lost: both publish the score and the vector string in their advisories.

This huge body of work around CVEs, CVSS, CWEs and so on is maintained by FIRST, NIST, MITRE and others.

Go further

Of course this article was just an introduction, and I hope it demystified the notion.

There is a lot more to read, both official manuals and blogs.

Stay tuned

Another article closely related to CVSS will be released soon: it will be about CWEs and CWSS (Common Weakness Scoring System).

Resources

[1] https://fr.wikipedia.org/wiki/Common_Vulnerability_Scoring_System

[2] https://www.first.org/cvss/

[3] https://nvd.nist.gov/vuln-metrics/cvss

[5] https://www.theregister.co.uk/2019/04/16/oracle_bug_fixes/

[6] https://nvd.nist.gov/vuln/detail/CVE-2019-2426