One framework that penetration testing organisations and security tools widely utilise is the Common Vulnerability Scoring System (CVSS). CVSS scores are numerical values assigned to rate the severity of a vulnerability in software or a system. The lower the score, the lower the severity of the vulnerability. This scoring system is used by organisations worldwide, and with the release of the newest version, CVSS 4.0, approaching, how vulnerabilities are assessed is set to change.
The release of CVSS 4.0 has been estimated for October 1st 2023, with as many as 900 industry leaders from around the world testing version 4.0 before the public launch.
In 2019, CVSS 3.1 was released to clarify and improve the existing CVSS version 3.0 standard, although it did not introduce any new metrics or values. Version 4.0 is poised to build on this and improve the cyber security landscape further.
A CVSS score is made up of three metric groups: base metrics, temporal metrics, and environmental metrics. Each metric is assigned a value, and the combined values are used to calculate the CVSS base score, which ranges from 0 to 10. The following are the base metrics that are going to be used in version 4.0.
Base Metrics
These metrics focus on the inherent characteristics of a vulnerability and include factors such as:
• Attack Vector (AV): Describes how a vulnerability can be exploited (e.g., local, adjacent, network).
• Attack Complexity (AC): Indicates the level of expertise required to exploit the vulnerability.
• Attack Requirements (AT): This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.
• Privileges Required (PR): Represents the privileges an attacker needs to exploit the vulnerability.
• User Interaction (UI): Reflects whether user interaction is required for the vulnerability to be exploited.
Vulnerable System Impact Metrics
• Confidentiality (VC): Measures the impact on the confidentiality of the information managed by the system due to a successfully exploited vulnerability.
• Integrity (VI): Measures the impact on integrity of a successfully exploited vulnerability.
• Availability (VA): Measures the impact on the availability of the impacted system resulting from a successfully exploited vulnerability.
Subsequent System Impact Metrics
• Confidentiality (SC): Similar to VC, this measures the effect on the confidentiality of the information that is on the system.
• Integrity (SI): Gauges the extent of integrity compromise resulting from a successfully exploited vulnerability.
• Availability (SA): Seeks to quantify the availability repercussions on the affected system caused by a successfully exploited vulnerability.
The latest update offers a more comprehensive, precise, and context-sensitive framework for evaluating and prioritising security vulnerabilities and improving the scoring system's overall effectiveness.
Higher clarity
The goal of CVSS 4.0 is to streamline the scoring process, reducing subjectivity through clearer metric guidance and definitions. This update makes assessing vulnerabilities more accurate and promotes consistency across organisations. A significant focus is on refining the concepts of "Attack Complexity" and "Attack Requirements," clarifying the scoring process.
More flexibility
CVSS 4.0 introduces detailed metrics, allowing organisations to customise the scoring system for their specific needs and environments. This adaptability provides a more precise risk assessment of vulnerabilities tailored to each organisation. The updated framework includes operational technology and safety metrics, as well as differentiation between active and passive user interaction, enabling precise vulnerability assessment in diverse scenarios.
Enhanced Depiction of Real-World Risk
CVSS 4.0 aims to better capture the actual risk posed by a vulnerability. This is achieved by considering additional elements, such as the likelihood of exploitation and the potential consequences of a successful attack. The latest version emphasises integrating threat intelligence and environmental metrics into scoring, resulting in a more realistic risk assessment. This is bolstered by the inclusion of concepts like "Automatable," "Recovery," and "Mitigation Effort," enriching the understanding of each vulnerability.
The framework is set to see several changes: for example, the Temporal metric group is being replaced with the Threat metric group, and the Remediation Level and Report Confidence metrics are being removed.
Remediation Level (RL) and Report Confidence (RC) have been phased out, while Exploit "Code" Maturity is now known as Exploit Maturity (E) with more distinct values. The update also introduces new combinations such as Base (CVSS-B), Base + Threat (CVSS-BT), Base + Environmental (CVSS-BE), and Base + Threat + Environmental (CVSS-BTE), featuring a fresh, explicit naming convention and the addition of a new Supplemental metric group. These and other alterations collectively enhance the standard's accuracy, precision, and user-friendliness.
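To make the vector abbreviations and the naming convention concrete, the following added example (not part of the original article or of any FIRST tooling) parses a CVSS 4.0 vector string, checks that all eleven base metrics are present with valid values, and derives the CVSS-B / CVSS-BT / CVSS-BE / CVSS-BTE label. The allowed values and the environmental and supplemental abbreviations come from the published FIRST CVSS v4.0 specification rather than from this article; the function names and the sample vector are constructed for illustration, and metric ordering is not enforced.

```python
# Added example. Metric values follow the published FIRST CVSS v4.0 specification.
BASE = {  # the eleven base metrics and their allowed values
    "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
    "VC": "HLN", "VI": "HLN", "VA": "HLN",
    "SC": "HLN", "SI": "HLN", "SA": "HLN",
}
THREAT = {"E"}                                   # Exploit Maturity
ENVIRONMENTAL = {"CR", "IR", "AR"} | {"M" + k for k in BASE}
SUPPLEMENTAL = {"S", "AU", "R", "V", "RE", "U"}  # never affect the label
KNOWN = set(BASE) | THREAT | ENVIRONMENTAL | SUPPLEMENTAL


def parse_vector(vector):
    """Return {metric: value}; raise ValueError on a malformed vector."""
    prefix, _, rest = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS 4.0 vector")
    metrics = {}
    for part in rest.split("/"):
        key, sep, value = part.partition(":")
        if not sep or not value or key not in KNOWN or key in metrics:
            raise ValueError(f"bad or duplicate metric: {part!r}")
        metrics[key] = value
    for key, allowed in BASE.items():            # every base metric is mandatory
        if key not in metrics:
            raise ValueError(f"missing base metric {key}")
        if len(metrics[key]) != 1 or metrics[key] not in allowed:
            raise ValueError(f"invalid value for {key}: {metrics[key]!r}")
    if metrics.get("E", "X") not in ("X", "A", "P", "U"):
        raise ValueError("invalid Exploit Maturity value")
    return metrics


def nomenclature(metrics):
    """CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE, by which groups were supplied."""
    # A metric set to X (Not Defined) counts as not supplied.
    threat = metrics.get("E", "X") != "X"
    env = any(metrics.get(k, "X") != "X" for k in ENVIRONMENTAL)
    return "CVSS-B" + ("T" if threat else "") + ("E" if env else "")


# Constructed sample vector: network-reachable, no privileges, high impact.
SAMPLE = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
if __name__ == "__main__":
    for suffix in ("", "/E:A", "/CR:H", "/E:P/MAV:L"):
        print(SAMPLE + suffix, "->", nomenclature(parse_vector(SAMPLE + suffix)))
```

A score published with only the base vector is a CVSS-B score; consumers who add their own Exploit Maturity or environmental values should label the result CVSS-BT, CVSS-BE or CVSS-BTE so the two are not compared as if they were the same thing.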
• The new release of CVSS 4.0 is set to launch on October 1st 2023.
• New improvements and enhancements have been added to tackle the criticisms and limitations tied to 3.1.
• CVSS 4.0 aims to boast improved clarity, flexibility, and a heightened depiction of real-world risk.
While CVSS remains a widely embraced scoring system, organisations can utilise additional resources like Exploit Prediction Scoring System (EPSS). Factors such as accuracy, adaptability, and compatibility with their specific requirements and environments should be carefully considered.
The choice of the appropriate scoring system can influence an organisation's capacity to handle vulnerabilities and uphold a robust security stance.