<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
		>
<channel>
	<title>Comments on: CVSS &#8211; Vulnerability Scoring Gone Wrong</title>
	<atom:link href="http://labs.neohapsis.com/2012/04/25/cvss-vulnerability-scoring-gone-wrong/feed/" rel="self" type="application/rss+xml" />
	<link>http://labs.neohapsis.com/2012/04/25/cvss-vulnerability-scoring-gone-wrong/</link>
	<description>Managing Risk and Security since 1998</description>
	<lastBuildDate>Thu, 11 Apr 2013 18:00:50 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
	<item>
		<title>By: Gaurav</title>
		<link>http://labs.neohapsis.com/2012/04/25/cvss-vulnerability-scoring-gone-wrong/#comment-3429</link>
		<dc:creator><![CDATA[Gaurav]]></dc:creator>
		<pubDate>Sat, 23 Feb 2013 20:53:59 +0000</pubDate>
		<guid isPermaLink="false">http://labs.neohapsis.com/?p=1407#comment-3429</guid>
		<description><![CDATA[It is given in CVSS that the Environmental_Score should be less than the Temporal_Score. But why, in most vulnerability scoring, is the Environmental_Score higher than the Temporal_Score?
e.g. CVE-2003-0818, CVE-2002-0392.

Can anyone answer my question????]]></description>
		<content:encoded><![CDATA[<p>It is given in CVSS that the Environmental_Score should be less than the Temporal_Score. But why, in most vulnerability scoring, is the Environmental_Score higher than the Temporal_Score?<br />
e.g. CVE-2003-0818, CVE-2002-0392.</p>
<p>Can anyone answer my question????</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Kevin Partridge</title>
		<link>http://labs.neohapsis.com/2012/04/25/cvss-vulnerability-scoring-gone-wrong/#comment-2358</link>
		<dc:creator><![CDATA[Kevin Partridge]]></dc:creator>
		<pubDate>Tue, 08 May 2012 20:30:38 +0000</pubDate>
		<guid isPermaLink="false">http://labs.neohapsis.com/?p=1407#comment-2358</guid>
		<description><![CDATA[This point was mentioned above but not so explicitly. All of the metrics used in CVSS have their origin in another tool or with the user. CVSS is a way of relating them. What CVSS brings to the table is that it allows one to take a rating of (what I call) fragility, a vulnerability severity, and relate it to the criticality of your technology and the mission it performs. It is actually a very broad stroke. Try reading MORDA or other risk scoring methods.

The environmental group is a key part of CVSS. It is impossible to relate a CVSS score without reference to the individual mission or service. One could give a score for the components of a CVSS score, i.e. the temporal scores or exploitability, but not an actual CVSS score. That would be the final computation of all groups.

Regarding temporal scores, they are temporal because they are likely to change with time. Existence of exploit code will change with time. Knowledge of the existence of exploit code may also be dependent upon your own intelligence assets.

In full disclosure, I championed use of CVSS in the Navy, I work at CMU, and know one of the authors.

Thierry Zoller makes some good observations in his article but I&#039;ll address them over there.]]></description>
		<content:encoded><![CDATA[<p>This point was mentioned above but not so explicitly. All of the metrics used in CVSS have their origin in another tool or with the user. CVSS is a way of relating them. What CVSS brings to the table is that it allows one to take a rating of (what I call) fragility, a vulnerability severity, and relate it to the criticality of your technology and the mission it performs. It is actually a very broad stroke. Try reading MORDA or other risk scoring methods.</p>
<p>The environmental group is a key part of CVSS. It is impossible to relate a CVSS score without reference to the individual mission or service. One could give a score for the components of a CVSS score, i.e. the temporal scores or exploitability, but not an actual CVSS score. That would be the final computation of all groups.</p>
<p>Regarding temporal scores, they are temporal because they are likely to change with time. Existence of exploit code will change with time. Knowledge of the existence of exploit code may also be dependent upon your own intelligence assets.</p>
<p>In full disclosure, I championed use of CVSS in the Navy, I work at CMU, and know one of the authors.</p>
<p>Thierry Zoller makes some good observations in his article but I&#8217;ll address them over there.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Patrick Toomey</title>
		<link>http://labs.neohapsis.com/2012/04/25/cvss-vulnerability-scoring-gone-wrong/#comment-2329</link>
		<dc:creator><![CDATA[Patrick Toomey]]></dc:creator>
		<pubDate>Sat, 05 May 2012 19:45:01 +0000</pubDate>
		<guid isPermaLink="false">http://labs.neohapsis.com/?p=1407#comment-2329</guid>
		<description><![CDATA[Excellent writeup. I definitely wouldn&#039;t consider myself a security metrics expert, but I think some of my observations, along with your detailed analysis, hint that CVSS doesn&#039;t feel quite right. I often feel that as the complexity of the scoring system increases, the more likely I am to feel like it doesn&#039;t match my gut. I am sure there is valid research behind how CVSS calculations are performed, but it always seems like metrics that involve multiplication of magic numbers have edge cases that just don&#039;t make sense. Again, good writeup. I look forward to your future thoughts on the topic.]]></description>
		<content:encoded><![CDATA[<p>Excellent writeup. I definitely wouldn&#8217;t consider myself a security metrics expert, but I think some of my observations, along with your detailed analysis, hint that CVSS doesn&#8217;t feel quite right. I often feel that as the complexity of the scoring system increases, the more likely I am to feel like it doesn&#8217;t match my gut. I am sure there is valid research behind how CVSS calculations are performed, but it always seems like metrics that involve multiplication of magic numbers have edge cases that just don&#8217;t make sense. Again, good writeup. I look forward to your future thoughts on the topic.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Thierry Zoller</title>
		<link>http://labs.neohapsis.com/2012/04/25/cvss-vulnerability-scoring-gone-wrong/#comment-2328</link>
		<dc:creator><![CDATA[Thierry Zoller]]></dc:creator>
		<pubDate>Sat, 05 May 2012 14:49:45 +0000</pubDate>
		<guid isPermaLink="false">http://labs.neohapsis.com/?p=1407#comment-2328</guid>
		<description><![CDATA[It seems it&#039;s CVSS critique time, here&#039;s mine for what it&#039;s worth:
http://blog.zoller.lu/2012/03/cvss-common-vulnerability-scoring.html

It comes to similar conclusions in terms of distribution and goes a bit more into detail about what I believe is wrong with some specifics.]]></description>
		<content:encoded><![CDATA[<p>It seems it&#8217;s CVSS critique time, here&#8217;s mine for what it&#8217;s worth:<br />
<a href="http://blog.zoller.lu/2012/03/cvss-common-vulnerability-scoring.html" rel="nofollow">http://blog.zoller.lu/2012/03/cvss-common-vulnerability-scoring.html</a></p>
<p>It comes to similar conclusions in terms of distribution and goes a bit more into detail about what I believe is wrong with some specifics.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Patrick Toomey</title>
		<link>http://labs.neohapsis.com/2012/04/25/cvss-vulnerability-scoring-gone-wrong/#comment-2321</link>
		<dc:creator><![CDATA[Patrick Toomey]]></dc:creator>
		<pubDate>Fri, 04 May 2012 19:39:40 +0000</pubDate>
		<guid isPermaLink="false">http://labs.neohapsis.com/?p=1407#comment-2321</guid>
		<description><![CDATA[That&#039;s a good point. Temporal metrics do kind of imply it varies over time :-) Without some &quot;real time&quot; update that information is probably not very useful. And as it relates to my experience with internal teams doing vulnerability scoring, I have mostly seen temporal used as fudge factors more than as time-based factors in the calculation.]]></description>
		<content:encoded><![CDATA[<p>That&#8217;s a good point. Temporal metrics do kind of imply it varies over time :-) Without some &#8220;real time&#8221; update that information is probably not very useful. And as it relates to my experience with internal teams doing vulnerability scoring, I have mostly seen temporal used as fudge factors more than as time-based factors in the calculation.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Patrick Toomey</title>
		<link>http://labs.neohapsis.com/2012/04/25/cvss-vulnerability-scoring-gone-wrong/#comment-2320</link>
		<dc:creator><![CDATA[Patrick Toomey]]></dc:creator>
		<pubDate>Fri, 04 May 2012 19:16:42 +0000</pubDate>
		<guid isPermaLink="false">http://labs.neohapsis.com/?p=1407#comment-2320</guid>
		<description><![CDATA[Thanks for some insight into the CVSS process. Related to your comment, CVSS obviously has different goals than Google. As a result, no vulnerability risk ranking scheme can have criteria as specific as Google&#039;s if the intent is to calculate risk across a broad array of software/operating systems/etc. But the central difficulty I have is figuring out how a 100-point scale is useful. Obviously a 1000-point scale would be useless, as it conveys no extra information. I guess I have a gut feeling that 100 points is similarly overreaching, as I don&#039;t know what I am supposed to do with a 7.2 vs. 7.4. Conceptually, from a macro perspective, I could see some utility in measuring the score with such precision, as it might give you some keen insight into vulnerability metrics/trending/etc. But, as shown in the post, there are so few scores actually being used that I think we aren&#039;t actually capturing any real extra information. Again, thanks for the comment.]]></description>
		<content:encoded><![CDATA[<p>Thanks for some insight into the CVSS process. Related to your comment, CVSS obviously has different goals than Google. As a result, no vulnerability risk ranking scheme can have criteria as specific as Google&#8217;s if the intent is to calculate risk across a broad array of software/operating systems/etc. But the central difficulty I have is figuring out how a 100-point scale is useful. Obviously a 1000-point scale would be useless, as it conveys no extra information. I guess I have a gut feeling that 100 points is similarly overreaching, as I don&#8217;t know what I am supposed to do with a 7.2 vs. 7.4. Conceptually, from a macro perspective, I could see some utility in measuring the score with such precision, as it might give you some keen insight into vulnerability metrics/trending/etc. But, as shown in the post, there are so few scores actually being used that I think we aren&#8217;t actually capturing any real extra information. Again, thanks for the comment.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: @RobertWinkel</title>
		<link>http://labs.neohapsis.com/2012/04/25/cvss-vulnerability-scoring-gone-wrong/#comment-2283</link>
		<dc:creator><![CDATA[@RobertWinkel]]></dc:creator>
		<pubDate>Wed, 02 May 2012 04:23:14 +0000</pubDate>
		<guid isPermaLink="false">http://labs.neohapsis.com/?p=1407#comment-2283</guid>
		<description><![CDATA[As far as I can tell, the rankings of Low, Medium and High (for scores 0.0-3.9, 4.0-6.9, and 7.0-10.0, respectively) are not part of the CVSS. Instead, they are part of the NVD Vulnerability Severity Ratings (see http://nvd.nist.gov/cvss.cfm).
The CVSS generates a score between 0.0 and 10.0, and you are free to apply whatever rating system you want, including Google’s Chrome project rating system.
You do provide a good argument for a four-rating system. Going by your cluster graphs, a natural grouping would be Low for CVSS scores of 0.0-2.9, Medium for 3.0-5.9, High for 6.0-7.9 and Critical for 8.0-10.0.]]></description>
		<content:encoded><![CDATA[<p>As far as I can tell, the rankings of Low, Medium and High (for scores 0.0-3.9, 4.0-6.9, and 7.0-10.0, respectively) are not part of the CVSS. Instead, they are part of the NVD Vulnerability Severity Ratings (see <a href="http://nvd.nist.gov/cvss.cfm" rel="nofollow">http://nvd.nist.gov/cvss.cfm</a>).<br />
The CVSS generates a score between 0.0 and 10.0, and you are free to apply whatever rating system you want, including Google’s Chrome project rating system.<br />
You do provide a good argument for a four-rating system. Going by your cluster graphs, a natural grouping would be Low for CVSS scores of 0.0-2.9, Medium for 3.0-5.9, High for 6.0-7.9 and Critical for 8.0-10.0.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: cmlh</title>
		<link>http://labs.neohapsis.com/2012/04/25/cvss-vulnerability-scoring-gone-wrong/#comment-2280</link>
		<dc:creator><![CDATA[cmlh]]></dc:creator>
		<pubDate>Wed, 02 May 2012 02:26:48 +0000</pubDate>
		<guid isPermaLink="false">http://labs.neohapsis.com/?p=1407#comment-2280</guid>
		<description><![CDATA[I have researched CVSS since the publication of CVSSv2, including the CVSS-SIG minutes published at http://www.first.org/cvss and have published a number of related links to http://www.delicious.com/cmlh/

In relation to the post (not comment) above:

1. The NVD is independent (within reason) of any vendor, hence their scoring is objective. It would be of value to explore whether their severity score is different to that of each vendor, and by what margin.

2. The CVSS score is dependent on the environmental metrics and hence the end user is the most influential in determining the priority of implementing patches and/or workarounds based on the scoring of each vuln when considered in context of the attack surface i.e. number of hosts x affected software, cost to repair, if the residual risk is accepted, etc i.e. the end user can create new environmental metrics specific to their context.

3. The selection of values was sampled based on those most common with *all* software and attack vector(s).  Hence it is possible to compare Cisco to Microsoft to Oracle as an example.

4. Sampling based on severity is irrelevant if I have a single host with a high severity compared to several with medium severity, since the attack surface is larger (i.e. number of hosts) or the value of the temporal metrics increases or decreases, etc. (you referenced the second point in your post above).

The major issue with CVSS from the perspective of an end user is there is no &quot;real time&quot; feed of the temporal metrics from FIRST members, vendors, etc.]]></description>
		<content:encoded><![CDATA[<p>I have researched CVSS since the publication of CVSSv2, including the CVSS-SIG minutes published at <a href="http://www.first.org/cvss" rel="nofollow">http://www.first.org/cvss</a> and have published a number of related links to <a href="http://www.delicious.com/cmlh/" rel="nofollow">http://www.delicious.com/cmlh/</a></p>
<p>In relation to the post (not comment) above:</p>
<p>1. The NVD is independent (within reason) of any vendor, hence their scoring is objective. It would be of value to explore whether their severity score is different to that of each vendor, and by what margin.</p>
<p>2. The CVSS score is dependent on the environmental metrics and hence the end user is the most influential in determining the priority of implementing patches and/or workarounds based on the scoring of each vuln when considered in context of the attack surface i.e. number of hosts x affected software, cost to repair, if the residual risk is accepted, etc i.e. the end user can create new environmental metrics specific to their context.</p>
<p>3. The selection of values was sampled based on those most common with *all* software and attack vector(s).  Hence it is possible to compare Cisco to Microsoft to Oracle as an example.</p>
<p>4. Sampling based on severity is irrelevant if I have a single host with a high severity compared to several with medium severity, since the attack surface is larger (i.e. number of hosts) or the value of the temporal metrics increases or decreases, etc. (you referenced the second point in your post above).</p>
<p>The major issue with CVSS from the perspective of an end user is there is no &#8220;real time&#8221; feed of the temporal metrics from FIRST members, vendors, etc.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Karen Scarfone</title>
		<link>http://labs.neohapsis.com/2012/04/25/cvss-vulnerability-scoring-gone-wrong/#comment-2265</link>
		<dc:creator><![CDATA[Karen Scarfone]]></dc:creator>
		<pubDate>Mon, 30 Apr 2012 23:32:31 +0000</pubDate>
		<guid isPermaLink="false">http://labs.neohapsis.com/?p=1407#comment-2265</guid>
		<description><![CDATA[CVSS doesn&#039;t have low, moderate, and high categories. That&#039;s a proprietary convention introduced by the National Vulnerability Database (nvd.nist.gov). You can use whatever categories you want with CVSS scores. If you like your four categories, use them. That&#039;s in no way contradicting the CVSS specification.

There&#039;s a CVSS History document posted at http://www.first.org/cvss/history that explains how the scores themselves were developed. The most important thing to point out from that document is that any score differences less than 0.5 are intended to be statistically insignificant. So a 7.3 can&#039;t be considered more severe than a 7.2, but would be considered more severe than a 6.2.

I&#039;d be happy to answer any other questions or concerns you have about CVSS. I&#039;m one of the co-authors of the CVSS v2 documentation, and I&#039;ve done some rather extensive research into CVSS scoring.

Karen Scarfone
karen dot scarfone at cox dot net]]></description>
		<content:encoded><![CDATA[<p>CVSS doesn&#8217;t have low, moderate, and high categories. That&#8217;s a proprietary convention introduced by the National Vulnerability Database (nvd.nist.gov). You can use whatever categories you want with CVSS scores. If you like your four categories, use them. That&#8217;s in no way contradicting the CVSS specification.</p>
<p>There&#8217;s a CVSS History document posted at <a href="http://www.first.org/cvss/history" rel="nofollow">http://www.first.org/cvss/history</a> that explains how the scores themselves were developed. The most important thing to point out from that document is that any score differences less than 0.5 are intended to be statistically insignificant. So a 7.3 can&#8217;t be considered more severe than a 7.2, but would be considered more severe than a 6.2.</p>
<p>I&#8217;d be happy to answer any other questions or concerns you have about CVSS. I&#8217;m one of the co-authors of the CVSS v2 documentation, and I&#8217;ve done some rather extensive research into CVSS scoring.</p>
<p>Karen Scarfone<br />
karen dot scarfone at cox dot net</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Seth Hanford</title>
		<link>http://labs.neohapsis.com/2012/04/25/cvss-vulnerability-scoring-gone-wrong/#comment-2262</link>
		<dc:creator><![CDATA[Seth Hanford]]></dc:creator>
		<pubDate>Mon, 30 Apr 2012 18:23:54 +0000</pubDate>
		<guid isPermaLink="false">http://labs.neohapsis.com/?p=1407#comment-2262</guid>
		<description><![CDATA[Looks like the URL was stripped for the Call for Participants and Call for Subjects news release.

http://www.first.org/newsroom/releases/20120322

First dot org, newsroom, releases, 20120322 (you can see it from first dot org&#039;s frontpage, in the right-hand news column).]]></description>
		<content:encoded><![CDATA[<p>Looks like the URL was stripped for the Call for Participants and Call for Subjects news release.</p>
<p><a href="http://www.first.org/newsroom/releases/20120322" rel="nofollow">http://www.first.org/newsroom/releases/20120322</a></p>
<p>First dot org, newsroom, releases, 20120322 (you can see it from first dot org&#8217;s frontpage, in the right-hand news column).</p>
]]></content:encoded>
	</item>
</channel>
</rss>
