Foreword

"CVSS" (Common Vulnerability Scoring System) is a scoring system which associates a score (between 0 and 10) in order to assess the danger of a security vulnerability. This scoring system provides an open framework for communicating the characteristics and the impact of IT vulnerabilities.

CVSS version 1.0 was created in February 2005 and many Cert-IST articles have dealt with this subject. CVSS version 2.0 was officially released in June 2007 during the FIRST conference in Seville.

Since its launch, CVSS has been progressively adopted by editors, vulnerabilities databases or Certs. It had become a standard since NVD has been associating a CVSS score to each CVE references. The CVSS initiative is hosted by FIRST.

Since 2003, The Cert-IST has been assessing the vulnerabilities criticity with the EISPP metric. At the end of 2007, it set up a gateway between the EISPP and CVSS metrics in order to include the CVSS score in its vulnerability database.

1 – CVSS assessment criteria

CVSS consists of three groups (Base, Temporal and Environmental). Each group produces a numeric score ranging from 0 to 10 (null risk to very high risk), and a vector that reflects the values used to derive the score.

• The "Base" group represents the intrinsic and fundamental characteristics of a vulnerability.
• The "Temporal" group is derived from the "Base" group in such a way to reflect the characteristics of a vulnerability that changes over time (i.e. availability of a functional exploit or of a patch).
• The "Environmental" group is derived from the "Temporal" group in such a way to reflect the characteristics of a vulnerability that are specific to an user’s environment.

Each group has metrics allowing to compute a numeric score associated with the vulnerability risk.

The Base score

There are two sorts of Metrics related to the "Base" group:

• Metrics related to the vulnerability exploitability:

• Access Vector (AV): specify if in order to exploit the vulnerability the attacker needs to have a physical access or an account (L – "Local"), needs to have an access to a local network (A – "Adjacent Network") or if the vulnerability is exploitable from an external network (N – "Network")
• Access Complexity (AC): specifies the vulnerability exploitation complexity. It can be High (H), Medium (M) or Low (L). It is the intrinsic complexity: exploit availability does not have any influence on these metrics.
• Authentication (Au): specifies if to exploit the vulnerability the attacker does not have to authenticate (N – "None"), must authenticate one time (S – "Single") or must authenticate several times (M – "Multiple").

• Metrics related to the vulnerability impact:

• Confidentiality Impact (C): specifies the impact related to the data confidentiality. It can be Complete (C), Partial (P) or None (N).
• Integrity Impact (I): specifies the impact related to the data integrity. It can be Complete (C), Partial (P) or None (N).
• Availability Impact (A): specifies the impact related to the data availability. It can be Complete (C), Partial (P) or None (N).

These six metrics have a weight which allows to compute the "Base" score.

The "Base" vector is the following:

(AV:[L|A|N]/AC:[H|M|L]/Au:[N|S|M]/C:[C|P|N]/I:[C|P|N]/A:[C|P|N])

The Temporal score

There are three metrics related to the "Temporal" group:

• Exploitability (E): specifies if there is an exploit available for this vulnerability. It can be "Unproven" (U), exist as a "Proof-of-Concept" (POC), exist and be "Functional" (F), exist and spread through a Malware (H – "High"), or the information can be undefined (ND – "Not Defined").
• Remediation Level (RL): specifies if there is a workaround or a solution for this vulnerability. There can exist an Official Fix (OF), a Temporary Fix (TF – "Temporary Fix"), a Workaround (W – "Workaround"), or any solution (U – "Unavailable"), or the information can be undefined (ND – "Not Defined").
• Report Confidence (RC): specifies if this vulnerability is confirmed. It can be Unconfirmed (UC), Uncorroborated (UR), Confirmed (C), or the information can be undefined (ND – "Not Defined").

These three metrics have a weight, which with the "Base" score, allows to compute the "Temporal" score.

The " Temporal" vector is the following:

(AV:[L|A|N]/AC:[H|M|L]/Au:[N|S|M]/C:[C|P|N]/I:[C|P|N]/A:[C|P|N]
   /E:[U|POC|F|H|ND]/RL:[OF|TF|W|U|ND]/RC:[UC|UR|C|ND])

The Environmental score

There are three metrics related to the "Environmental" group:

• "Collateral Damage Potential" (CDP): This metric measures the potential for loss of life or physical assets through damage or theft of property or equipment.  The metric may also measure economic loss of productivity or revenue. It can be "None" (N), "Low" (L), "Low-Medium" (LM), "Medium-High" (MH),"High (H), or Not Defined (ND).
• "Target Distribution" (TD): This metric measures the proportion of vulnerable systems. It is meant as an environment-specific indicator in order to approximate the percentage of systems that could be affected by the vulnerability. It can be "None" (N), "Low" (L), "Medium" (M), High (H) or "Not Defined" (ND).
• "Security requirements" These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user’s organization, measured in terms of confidentiality (CR), integrity (IR), and availability (AR).  Each security requirement has four possible values: "Low"(L), "Medium" (M), "High"(H) or "Not Defined" (ND).

These three metrics have a weight, which with the "Temporal" score, allows to compute the "Environmental" score.

The "Environmental" vector is the following:

2 – The CVSS score in the Cert-IST publications

Since 2003, the Cert-IST has been assessing the vulnerabilities criticity with the EISPP metric. In 2005, the Cert-IST started to integrate the CVSS v1.0 score and end of 2007, it set up a gateway between the EISPP and CVSS metrics in order to include CVSS v2.0 scores in each security advisory.

As a reminder, the Cert-IST was once a member of the EISPP project. This project aimed to define a metric in order to assess the risk of security vulnerabilities.

The Cert-IST has created a new section called "CVSS score(s)" in its security advisory. This section includes the base and temporal scores and vectors for the same advisory reference.

As for example, the CERT-IST/AV-2008.009 advisory "Vulnerabilities in the Microsoft Windows TCP/IP protocol (MS08-001)" version 2.1 published on February 4^th, 2008:

CVSS Score(s)

Cert-IST - CERT-IST/AV-2008.009

base score : 7.9 - (AV:A/AC:M/Au:N/C:C/I:C/A:C)

temporal score : 6.5 - (AV:A/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)

Note:  The Cert-IST calculates only the base and temporal scores. The environmental score can not be assessed because it relies on a specific IT environment which depends from many factors (system environments and so on).

3 – Gateways between EISPP v1.2 and CVSS version 2.0 metrics

The Cert-IST has setup a gateway between the EISPP and CVSS metrics in order to include CVSS scores in its vulnerability database.
The following table provides the way to calculate the CVSS base score with EISPP criteria.

(*) Impact: "Complete" (C), "Partial" (P) or "None" (N)

Note: The Temporal criteria are calculated manually.

4 - Documentation

CVSS guide version 2.0:

• http://www.first.org/cvss/cvss-guide.html
• http://www.first.org/cvss/cvss-guide.pdf

CVSS useful links: http://www.first.org/cvss/links.html

CVSS calculators:

• http://nvd.nist.gov/cvss.cfm?calculator
• http://jvnrss.ise.chuo-u.ac.jp/jtg/cvss/fr/CVSSv2.html

Cert-IST metric (EISPP v1.2): http://www.cert-ist.com/eng/ressources/Avis/NomenclatureFR/

EISPP v1.2 common advisory format: http://www.eispp.org/commonformat_1_2.pdf

NVD web site: http://nvd.nist.gov/

Cert-IST article (French only):

• Standards pour la gestion des vulnérabilités (mars 2007)
• Exemple d'application de la norme CVSS v1.0 (mai 2005)