Severity and the Common Vulnerability Scoring System (CVSS) - Part 1
What is CVSS?
CVSS, or the Common Vulnerability Scoring System, is a standardized rating system for software vulnerabilities. Since its creation in 2005, CVSS has become a widely used standard across programming ecosystems. It employs quantitative measures to assess the severity of security flaws in software.
How CVSS Works
CVSS uses multiple metrics divided into three primary groups, with scores ranging from 0 to 10 (10 being the most severe):
- Base Score Metrics: These metrics evaluate inherent vulnerability characteristics, such as exploitation techniques, required access, and resultant impacts.
- Temporal Score Metrics: These metrics consider factors that change over time, such as how easily a vulnerability can be exploited or whether solutions are available.
- Environmental Score Metrics: These metrics focus on specific environmental features, such as system susceptibility or the business impact of a vulnerability.
Example:
Let's analyze a CVE (Common Vulnerabilities and Exposures) and examine the CVSS details associated with it:
CVE-2019-0708
This vulnerability in Microsoft Windows Remote Desktop Service allowed for remote code execution. In simpler terms, an attacker could gain control of the system without any user interaction.
CVSS Score: 9.8 (Critical)
Base Score Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- User Interaction: None
In this example, the CVSS score indicates that the vulnerability is severe, posing a high risk of network-based attacks without requiring user action.
The Role of Developers, Maintainers, and CNAs
CVSS relies on various groups within the software development community to ensure its effectiveness. These include:
- Developers: Developers and end users are often the first to discover vulnerabilities. By identifying these flaws, they contribute to the broader community, enabling software maintainers to implement workarounds and patches swiftly. This collaborative approach is fundamental in the Open Source Software community.
- Maintainers: Developers responsible for creating and maintaining impacted software use CVSS scores to prioritize vulnerability fixes and release appropriate updates. CVSS holds maintainers accountable because vulnerabilities are publicly available.
- CNAs (CVE Numbering Authorities): CNAs are organizations authorized to assign identifiers to new vulnerabilities. This process can take time, often leading to erroneous data being gathered and documented about the CVE. As you’ll see, Safety vets every CVE that we track to ensure accuracy.
- National Vulnerability Database (NVD): The NVD serves as the US government's vulnerability management data repository. It provides comprehensive information about vulnerabilities, including their associated CVSS scores. New vulnerabilities receive a CVE identifier and are cataloged in the NVD.
The Pros and Cons of Using CVSS
Pros:
- Universal, Standardized Metrics: CVSS provides a globally recognized scale, fostering a unified security dialogue.
- Prioritization: Scores can help identify immediate threat areas based on severity (although CVSS severity is not the best way to triage or prioritize vulnerabilities; more on this later).
- Transparency: Publicly accessible CVSS scores inform users and developers about software safety.
Cons:
- Speed of Identification and Updates: CVSS scores are only available for registered CVEs, and the accuracy of the data depends on the community's information gathering and submission. Therefore, many vulnerabilities remain undocumented for weeks or even months, and others contain outdated information.
- Inaccuracies: Despite everyone’s best efforts, the CVSS scoring system is under strain and cannot keep up with the volume of vulnerabilities across the global software ecosystem. As a result, CVEs and their CVSS scores can sometimes be incorrect or inaccurate.
- Lack of Context: CVSS scores alone overlook many important vulnerability aspects, and they are not the best way for organizations to triage and prioritize vulnerabilities. High or critical CVSS severity scores are not good predictors of which vulnerabilities actually impact security at most organizations. An overemphasis on quantifiable measures neglects other crucial considerations, such as project context and exploitability, which will be explored in Part 2 of this series.
- Complexity: CVSS may appear overwhelming at first due to the abundance of data, advisories, and impacted configurations. The example above demonstrates the significant effort required to understand how each vulnerability affects a project, especially when dealing with large numbers of vulnerabilities across multiple dependencies.
CVSS severity is not a good predictor of which vulnerabilities actually impact security
Safety adopts a unique approach to utilizing and applying CVSS data for vulnerability assessment. Our dedicated team of cybersecurity analysts manually verifies every vulnerability in our industry-leading vulnerability database to ensure the accuracy and completeness of severity information, including CVEs.
Additionally, Safety employs machine learning and proprietary research techniques to identify new vulnerabilities in over 550,000 Python packages that are not yet CVEs or would not be covered by the CVE system. These vulnerabilities are then assessed for severity using the same criteria as CVSS. The open source software ecosystem contains many times more vulnerabilities than those listed as CVEs, and at Safety we track and index these using a variety of techniques.
The result is our Safety DB, which tracks eight times more vulnerabilities than other platforms like Dependabot, OSV, and PipAudit. This comprehensive database provides Safety customers with unparalleled protection and insights into vulnerabilities that may impact their projects.
Beyond CVSS and Reducing Vulnerability Noise
In this post, we delved into the workings of CVSS, its pros and cons, and how Safety leverages CVSS data for comprehensive vulnerability assessment.
Although CVSS data can be used for assessing vulnerabilities based on severity alone, it has many downsides and limitations. In the next part of this series, we will delve further into Safety's approach to mitigating the limitations of CVSS and reducing vulnerability noise. We will explore how we combine CVSS severity data with additional vulnerability data, such as project context, exploitability, and reachability.
If you have any questions or would like to learn more about Safety's services, please don't hesitate to reach out to us at info@safetycli.com or through our contact form.