Last Updated on 12 July 2023 by Alastair Digby
Infosec teams rely on metrics and frameworks to prioritize vulnerabilities and understand their potential impact as part of their vulnerability management programs. These metrics are crucial for organizations to assess the impact of any vulnerabilities identified during any type of vulnerability assessment.
One such framework widely used by penetration testing organizations and security tools is the Common Vulnerability Scoring System (CVSS). CVSS scores assign a numerical value (0–10) to the severity of a vulnerability in information security. The recently proposed release of CVSS 4.0, with a target date of October 1st 2023, will bring significant implications for cybersecurity.
This article explores the implications of the new CVSS 4.0 standard and its potential impact on vulnerability management.
What you’ll learn about CVSS 4.0
Before delving into CVSS 4.0, it’s important to understand the foundation of the Common Vulnerability Scoring System. The original CVSS framework was released by the National Infrastructure Advisory Council (NIAC) in 2005.
Since that point, it has evolved to keep pace with the rapid rate of technological change and to provide meaningful vulnerability intelligence for security teams. The Forum of Incident Response and Security Teams (FIRST), a US-based nonprofit organization with more than 500 member organisations worldwide, now maintains CVSS as an open standard.
CVSS provides a standardized method for rating the severity of vulnerabilities in information systems. It assesses factors such as exploitability, impact, and complexity to determine a vulnerability’s overall score. This score helps organizations prioritize their remediation efforts effectively.
CVSS 4.0: An Overview
CVSS 4.0 represents a significant update to the previous version, CVSS 3.1. It introduces various changes and refinements aimed at improving the accuracy and relevance of vulnerability assessments. The new version aims to address the limitations of CVSS 3.1 and provide a more comprehensive and flexible scoring system.
Changes in CVSS 4.0
CVSS 4.0 introduces several new metrics that enhance the granularity and precision of the final vulnerability score. These metrics include:
The attack vector metric takes into account the proximity of the attacker to the vulnerable system. It measures whether an attacker needs physical access to the target system, if they need to be in the same network, or if they can launch an attack remotely over the internet.
In general, vulnerabilities that can be exploited over the network are seen as more severe, as they can be taken advantage of by any attacker worldwide without the need for physical proximity or access to a specific local or wide area network.
In contrast, vulnerabilities that require physical access to a system to be exploited are seen as less severe, as the potential pool of attackers is significantly smaller.
The attack complexity metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. The conditions are primarily designed to enhance security or complicate the development of an exploit.
For example, a vulnerability that can be exploited without needing target-specific information is considered less complex than a vulnerability requiring significant customisation.
The metric is intended to account for the security measures deployed by the system under attack, not the time or attempts an attacker might require to successfully breach the system. If an attacker is not able to bypass the conditions in place, exploit attempts will fail.
The Privileges Required metric outlines the degree of access rights an attacker must already hold before they can successfully exploit the vulnerability. The technique the attacker uses to acquire those permissions beforehand, such as signing up for a free trial account, falls outside the purview of this metric.
In CVSS version 4.0, the User Interaction metric gauges whether successful exploitation of a vulnerability requires a human to take some action beyond simply using the vulnerable system in the normal way.
For instance, a vulnerability that could be exploited by sending a phishing email and tricking the victim into clicking on a malicious link or opening a malicious file would require user interaction. On the other hand, a vulnerability that could be exploited by simply sending specially-crafted network packets to a vulnerable system would not require any user interaction.
The metric’s value has a direct impact on the CVSS score. Vulnerabilities that can be exploited without user interaction are generally considered more severe because they can be exploited automatically or at scale, without requiring any human intervention.
The Scope metric captures whether a vulnerability in one component impacts resources beyond its security scope, i.e., an entirely different component. If an exploited vulnerability affects only resources managed by the same security authority, the Scope is ‘Unchanged’; if it impacts resources beyond that security scope, it is ‘Changed’. Whilst Scope existed within CVSS versions 3.0 and 3.1, it has been removed as a base metric in CVSS version 4.
Impact metrics register the consequences of a vulnerability that has been exploited successfully. This is divided into three metrics: Confidentiality, Integrity, and Availability. These measure the impact on the “Vulnerable System” if the vulnerability is exploited. For example, if an attacker was able to modify read-only data by obtaining write access, this would impact the integrity of the data. If an attacker was to escalate privileges within an application and observe sensitive data, this would affect the confidentiality metric. Moreover, the availability metric would be impacted if a malicious adversary could directly affect the operation of a system by causing a denial-of-service (DoS) situation, whereby legitimate users are not able to access the affected component.
CVSS version 4 introduces new “Subsequent System” impact metrics, which are designed to capture the Confidentiality, Integrity and Availability effects on any systems affected outside of the “Vulnerable System”. For instance, if a separate application and database could be compromised from the initial vulnerable system, the “Subsequent System” impact metrics would be set accordingly. However, if access was obtained solely to components belonging to the “Vulnerable System”, the rating for the “Subsequent System” impact metrics would be “None”. This way
Exploit Code Maturity
Exploit Maturity is a threat metric that evaluates the probability of an attacker utilising the vulnerability. It takes into account existing exploit techniques, the availability of exploit code, and any active exploitation observed in real time through threat intelligence.
An exploit that is readily available and is actively reported as being targeted against systems would define the metric as “Attacked”. Moreover, if only a Proof-of-Concept (PoC) is available, but there is no threat intelligence to suggest widespread exploitation, the metric would be “PoC”. If no threat intelligence or PoC exists for the vulnerability, the exploit maturity metric would be classed as “Unreported”.
CVSS 4.0 introduces a new optional metric group named “Supplemental Metrics”, which contains several additional metrics that characterize external properties of a vulnerability and add context to its assessment. The following metrics are included:
- Safety: As defined in IEC 61508, this supplemental metric value shows how much a vulnerability’s exploitation can harm a human’s safety, indicating the potential for predictable injury.
- Automatable: This metric defines if an attacker could fully automate the vulnerability kill chain in order to compromise systems with one click or convert the code into a worm to autonomously exploit systems on a network.
- Recovery: The “Recovery” metric refers to the system’s ability to restore its functionality and availability after an attack has taken place.
- Value Density: This refers to the scope of resources that can fall under the attacker’s command through one instance of successful exploitation. It can be categorized in two ways: diffused and concentrated. Diffused relates to compromising relatively few systems with one exploit attempt, whereas concentrated is defined as a system rich in resources.
- Vulnerability Response Effort: Offers additional insights into the challenge faced by users when initially responding to the effects of vulnerabilities in their deployed products and services. Users can then incorporate this extra information on required effort when planning and scheduling risk reduction measures and fixes.
- Provider Urgency: Several suppliers today share extra severity assessments with users through security alerts for their products. Some also include Qualitative Severity Ratings from the CVSS v3.x Specification Document in these notices. A standardized approach to include these extra assessments given by providers is available through an optional Supplemental Metric known as Provider Urgency, which has now been introduced in CVSS 4.0.
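As an added example (not code from the original article or from FIRST), the following parses and validates a CVSS 4.0 vector string covering the base, threat, environmental and supplemental metrics described above, then derives a constructed set of defender triage flags from them. The metric abbreviations and allowed values follow the FIRST CVSS v4.0 specification; the triage flags are an assumed prioritization rule of this example, not the CVSS scoring formula.

```python
# Metric names and allowed values per the FIRST CVSS v4.0 specification.
BASE = {"AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
        "VC": "HLN", "VI": "HLN", "VA": "HLN",   # Vulnerable System impact
        "SC": "HLN", "SI": "HLN", "SA": "HLN"}   # Subsequent System impact, new in 4.0
THREAT = {"E": "XAPU"}  # Exploit Maturity: Not Defined, Attacked, PoC, Unreported
ENVIRONMENTAL = {"CR": "XHML", "IR": "XHML", "AR": "XHML", "MAV": "XNALP", "MAC": "XLH",
                 "MAT": "XNP", "MPR": "XNLH", "MUI": "XNPA", "MVC": "XHLN", "MVI": "XHLN",
                 "MVA": "XHLN", "MSC": "XHLN", "MSI": "XSHLN", "MSA": "XSHLN"}  # S = Safety
SUPPLEMENTAL = {"S": "XNP", "AU": "XNY", "R": "XAUI", "V": "XDC", "RE": "XLMH"}
PROVIDER_URGENCY = ("X", "Clear", "Green", "Amber", "Red")  # the only multi-letter values
ALL_METRICS = {**BASE, **THREAT, **ENVIRONMENTAL, **SUPPLEMENTAL}

def parse_cvss4(vector: str) -> dict:
    """Return {metric: value} for a CVSS 4.0 vector; raise ValueError on malformed input."""
    parts = vector.split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("vector must start with the CVSS:4.0 prefix")
    metrics = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not sep or name in metrics:
            raise ValueError(f"malformed or duplicate metric: {part!r}")
        allowed = PROVIDER_URGENCY if name == "U" else set(ALL_METRICS.get(name, ""))
        if value not in allowed:  # set membership rejects multi-letter junk such as "NA"
            raise ValueError(f"unknown metric or value: {part!r}")
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError(f"all base metrics are mandatory; missing {missing}")
    return metrics

def is_valid_cvss4(vector: str) -> bool:
    try:
        return bool(parse_cvss4(vector))
    except ValueError:
        return False

def triage_flags(m: dict) -> set:
    """Constructed triage flags for defenders; this is not the CVSS scoring formula."""
    flags = set()
    if (m["AV"], m["PR"], m["UI"]) == ("N", "N", "N"):
        flags.add("remote-unauthenticated-no-interaction")  # exploitable at scale
    if any(m[k] != "N" for k in ("SC", "SI", "SA")):
        flags.add("subsequent-system-impact")  # reaches beyond the Vulnerable System
    if m.get("E") == "A":
        flags.add("actively-exploited")  # Exploit Maturity rated Attacked
    if m.get("AU") == "Y":
        flags.add("automatable")  # Supplemental metric: wormable / one-click
    return flags
```

The parser deliberately rejects CVSS 3.x vectors, since the article notes there is no one-to-one translation between v3.1 and v4.0 strings.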
The scoring system in CVSS 4.0 has undergone significant modifications. It now incorporates the temporal and environmental aspects of vulnerabilities, enabling organizations to assess risks more accurately. The changes in scoring aim to align the severity rating with the actual impact on specific systems and environments.
One of the criticisms of CVSS has been that it solely provides Base Scores, indicating the seriousness of a vulnerability, without accurately reflecting the level of risk that the vulnerability poses to your specific environment. The new changes aim to help address this issue.
CVSS 4.0 introduces additional metrics related to exploitability. These metrics help evaluate the likelihood of successful exploitation and enable organizations to prioritize vulnerabilities accordingly. By considering factors such as exploit code maturity and remediation level, security teams can better allocate their resources and focus on critical vulnerabilities.
Remediation Level Metrics
Another notable change in CVSS 4.0 is the inclusion of remediation-level metrics. These metrics assess the ease and availability of solutions to mitigate vulnerabilities. By considering remediation level, organizations can make informed decisions about the urgency and feasibility of remediation actions.
Advantages of CVSS 4.0
The introduction of CVSS 4.0 brings several advantages to the field of cybersecurity. These advantages include:
CVSS 4.0 improves the accuracy of vulnerability assessments by considering a broader range of factors. The refined metrics and scoring system provide a more precise understanding of the potential impact and exploitability of vulnerabilities. This accuracy helps organizations prioritize their remediation efforts more effectively.
This new version of CVSS offers improved flexibility in tailoring vulnerability assessments to specific environments. With the inclusion of environmental metrics, organizations can assess the impact of vulnerabilities on their unique systems and prioritize accordingly. This flexibility allows for more nuanced decision-making in vulnerability management.
CVSS 4.0 allows security professionals to customize the scoring system based on their organization’s risk appetite and priorities. By tailoring the metrics and weights, organizations can align the scoring system with their specific needs and context. This customization enhances the relevance and usefulness of vulnerability assessments.
Implementing CVSS 4.0
To effectively implement CVSS 4.0 in an organization, several considerations come into play:
Training and Familiarization
Security and IT professionals need to familiarize themselves with the new metrics and scoring system introduced in CVSS 4.0. Training programs and resources can help them understand the changes and adapt their vulnerability management processes accordingly.
Integration with Existing Systems
Organizations should assess how CVSS 4.0 can integrate with their existing vulnerability management systems. This integration ensures a seamless transition and allows for effective use of the enhanced scoring system. A notable point here is the lack of a one-to-one translation between CVSS v3.1 and v4.0.
Collaboration and Knowledge Sharing
CVSS 4.0 encourages collaboration and knowledge sharing among security professionals. Organizations should foster an environment where insights and experiences related to CVSS 4.0 can be shared. This collaborative approach promotes continuous improvement in vulnerability management practices.
Challenges of Adopting CVSS 4.0
While CVSS 4.0 offers significant benefits, it also presents some challenges during adoption:
Transitioning from CVSS 3.1 to CVSS 4.0 requires security professionals to familiarize themselves with the new metrics and changes. This learning curve may initially slow down vulnerability management processes as teams adapt to the new system.
Updating Vulnerability Management Processes
Organizations need to update their vulnerability management processes and tools to align with CVSS 4.0. This update may require adjustments to reporting mechanisms, risk assessment workflows, and resource allocation. Proper planning and coordination are essential to ensure a smooth transition.
Adopting CVSS 4.0 may require obtaining buy-in from various stakeholders within an organization. Convincing decision-makers and stakeholders about the benefits of the new scoring system and its relevance to the organization’s specific context can be a challenge.
The introduction of CVSS 4.0 has significant implications for the field of cybersecurity. With enhanced accuracy, improved flexibility, and better tailoring, CVSS 4.0 provides security professionals with a more comprehensive framework for vulnerability management. While challenges exist during adoption, the benefits outweigh the initial hurdles, making CVSS 4.0 a valuable tool in assessing and prioritizing vulnerabilities.
At Informer we’ve been busy planning how we adopt the new metrics into our penetration testing and external attack surface management platform. We certainly feel that this is a big step forward in helping our clients more accurately manage their security risks.
Frequently Asked Questions
How often is CVSS updated?
CVSS is periodically updated to incorporate new features, address vulnerabilities in the system, and align with industry standards.
Can CVSS v4.0 scores be compared with scores from previous versions?
While CVSS v4.0 scores are not directly comparable to scores from previous versions, there are guidelines available to help organizations migrate from older versions to v4.0.
Are CVSS scores universally accepted?
CVSS scores are widely accepted in the cybersecurity industry, but it’s important to consider additional factors specific to your organization’s context when assessing vulnerabilities.
Can CVSS v4.0 be used for non-technical vulnerabilities?
CVSS v4.0 can be beneficial for small businesses, as it provides a structured approach to prioritize and manage vulnerabilities based on their impact and exploitability.