Marc Rebischke, CC
What’s this all about?
Most of us (should) know the Common Vulnerability Scoring System (CVSS). For anyone not familiar with it, you can think of CVSS as a framework that describes the characteristics and severity of a vulnerability found in a specific piece of software or hardware. Depending on the characteristics of the vulnerability, the so-called CVSS scores range from 0.0 (severity none) to 10 (severity critical). CVSS Version 1 was introduced in 2005 by the Forum of Incident Response and Security Teams (FIRST.Org, Inc.). The current CVSS version is v3.1; Version 4.0 is planned to be published on October 1, 2023.
Why different CVSS-Scores?
As the title suggests there’s more than one CVSS-Score we must handle:
- Base Score: You can think of the CVSS Base Score as the severity score a vulnerability can reach in a worst-case scenario. Can the vulnerability be exploited by a remote attacker? Does the attacker need any privileges on the target system? Is any user interaction needed to exploit the vulnerability? Since these parameters should be known when the vulnerability is published, the Base Score in most cases does not change over time. In most cases the Base Score is used in vulnerability reports and also in the National Vulnerability Database (NVD), which is part of the National Institute of Standards and Technology (NIST) and where you can find the vulnerability identifier (these are the CVE-xxxx-xxxx numbers).
- Temporal Score: While the Base Score is fairly stable for a given vulnerability, the Temporal Score changes as soon as exploit code is out there, changes again when it turns out that the exploit code really works against the vulnerability, and will also change as soon as a patch or workaround is available.
- Environmental Score: While the Base Score describes the worst-case scenario, the Environmental Score is calculated depending on the real attack surface within your organization. Would, for example, a loss of confidentiality, availability and/or integrity affect my organization if it were hit by the vulnerability? What impact would an exploitation of the vulnerability have within your organization? Since this score is related to the environment within your organization, it is rarely published outside organizations.
OK, what’s new with Version 4.0?
First of all, Version 4.0 is not yet published; the current version is still 3.1. After reviewing and addressing all feedback, the plan is to publish CVSS 4.0 on October 1, 2023. The most important expected changes in v4.0, according to the current state, are:
- Finer granularity of the Base Metrics
- It’s not all about the Base Score. You can address the circumstances in your organization regarding a vulnerability as usual, which can lead to a different CVSS score for your organization. CVSS Version 4.0 introduces a new nomenclature to distinguish CVSS scores that combine Base, Threat and Environmental metrics.
- Parts of the “Temporal Score” will no longer be recognized. Only the likelihood of an exploit is part of the new “Threat Metric Group”; the “Temporal Score” will be history.
- Subsequent systems are more in focus now in the “Base Metrics”. This is great, since it is now recognized whether a vulnerability can also be a threat to subsequent systems in your organization and how severe the vulnerability can be for these systems. Maybe a consequence of several recent supply chain attacks, I guess.
- “Modified Base Metrics” is in parts comparable to the “Environmental Score” in CVSS 3.1. Not only can you override the Base metric values if other privileges or circumstances are needed in your environment to exploit a vulnerability; you are also able to calculate a CVSS score depending on the environment in your organization regarding loss of availability, confidentiality and/or data integrity.
- Additional focus on OT/ICS/Safety
I encourage you to take a closer look at the linked sources to learn more about CVSS. It is important to know the key facts behind the calculation of the scores. In this article I can only point you to the sources of CVSS. Have fun digging deeper into the topic. Thanks for reading!
FIRST(sm) is a service mark of FIRST.ORG, Inc.
All other trademarks and service marks remain the property of their respective holders and are hereby acknowledged.