MRL Wiki	Main Page | About | Help | FAQ | Special pages | Log in
	Category: Security Printable version | Disclaimers | Privacy policy

CVSS

From MRL Wiki

The Common Vulnerability Scoring System (CVSS) is an open and universal vulnerability scoring system developed by NIAC and maintained by FIRST. Its primary goal is to bring a common criteria to assess vulnerability severity and to determine urgency and priority of response.

The scoring system is based on three groups of metrics: Base Metric, Temporal Metric, and Environmental Metric. Each group is further subdivided into more granular metrics to address all characteristics of a vulnerability.

Contents 1 Base Metrics 2 Temporal Metrics 3 Environmental Metrics 4 Final Score 5 CVSS Vector Definition 6 See Also 7 External Links

[edit] Base Metrics

Basic Metrics represent core characteristics of a vulnerability which do not change over time. There are a total of seven Basic Metrics:

• Access Vector - measures whether a vulnerability is exploitable locally or remotely
  • Local (0.7)
  • Remote (1.0)

• Access Complexity - measures the complexity of attack required to exploit the vulnerability
  • High (0.8)
  • Low (1.0)

• Authentication - measures whether an attacker needs to be authenticated to the target system in order to exploit the vulnerability.
  • Required (0.6)
  • Not Required (1.0)

• Confidentiality Impact - measures the impact on Confidentiality of a successful exploit of the vulnerability on the target system
  • None (0)
  • Partial (0.7)
  • Complete (1.0)

• Integrity Impact - measures the impact of integrity of a successful exploit of the vulnerability on the target system.
  • None (0)
  • Partial (0.7)
  • Complete (1.0)

• Availability Impact - measures the impact on Availability of a successful exploit of the vulnerability on the target system
  • None (0)
  • Partial (0.7)
  • Complete (1.0)

• Impact Bias - allows a score to convey greater weighting to one of three impact metrics over the other two
  • Normal (0.333)
  • Confidentiality (0.5)
  • Integrity (0.25)
  • Availability (0.25)

The Base Metric score is calculated using this formula:

BaseScore = round_to_1_decimal(10 * AccessVector
                                  * AccessComplexity
                                  * Authentication
                                  * ((ConfImpact * ConfImpactBias)
                                  + (IntegImpact * IntegImpactBias)
                                  + (AvailImpact * AvailImpactBias)))

[edit] Temporal Metrics

Temporal Metrics represent characteristics of a vulnerability which change over time. There are a total of three Temporal Metrics:

• Exploitability - measures how complex the process is to exploit the vulnerability in the target system
  • Unproven (0.85)
  • Proof of Concept (0.9)
  • Functional (0.95)
  • High (1.00)

• Remediation Level - measures the level of an available solution
  • Official Fix (0.87)
  • Temporary Fix (0.90)
  • Workaround (0.95)
  • Unavailable (1.00)

• Report Confidence - measures the degree of confidence in the existence of the vulnerability and the credibility of its report.
  • Unconfirmed (0.90)
  • Uncorroborated (0.95)
  • Confirmed (1.00)

The Temporal Metric is calculated using this formula:

TemporalScore = round_to_1_decimal(BaseScore * Exploitability
                                             * RemediationLevel
                                             * ReportConfidence)

[edit] Environmental Metrics

Environmental Metrics represent the implementation and environment specific qualities of a vulnerability. There are a total of two Environmental Metrics.

• Collateral Damage Potential - measures the potential for a loss of physical equipment, property damage, or loss of life or limb.
• None (0)
• Low (0.1)
• Medium (0.3)
• High (0.5)

• Target Distribution - measures the relative size of the field of target systems susceptible to the vulnerability.
• None (0)
• Low (0.25)
• Medium (0.75)
• High (1.00)

The Environmental Metric is calculated according to this formula:

EnvironmentalScore = round_to_1_decimal((TemporalScore + ((10 - TemporalScore)
                                         * CollateralDamagePotential))
                                         * TargetDistribution)

[edit] Final Score

Final score is represented as a set of three numbers corresponding to Base Metric Score, Temporal Metric Score, and Environmental Metric Score. Most vulnerability databases list only Base and Temporal Scores since Environmental Metrics are organization specific. Below is an example of a complete vulnerability assessment for Buffer Overflow In NOD32 Antivirus Software (CVE-2003-0062):

----------------------------------------------------
BASE METRIC                 EVALUATION         SCORE
----------------------------------------------------
Access Vector               [Local]           (0.70)
Access Complexity           [High]            (0.80)
Authentication              [Not-Required]    (1.00)
Confidentiality Impact      [Complete]        (1.00)
Integrity Impact            [Complete]        (1.00)
Availability Impact         [Complete]        (1.00)
Impact Bias                 [Normal]         (0.333)
----------------------------------------------------
FORMULA                                   BASE SCORE
----------------------------------------------------
round(10 * 0.7 * 0.8 * 1.0 * (1.0 * 0.333) + 
     (1.0 * 0.333) + (1.0 * 0.333)) ==         (5.6)
----------------------------------------------------
	
----------------------------------------------------
TEMPORAL METRIC             EVALUATION         SCORE
----------------------------------------------------
Exploitability              [Proof-Of-Concept](0.90)
Remediation Level           [Official-Fix]    (0.90)
Report Confidence           [Confirmed]       (1.00)
----------------------------------------------------
FORMULA                               TEMPORAL SCORE
----------------------------------------------------
round(5.6 * 0.90 * 0.90 * 1.00) ==             (4.4)
----------------------------------------------------

----------------------------------------------------
ENVIRONMENTAL METRIC        EVALUATION         SCORE
----------------------------------------------------
Collateral Damage Potential [None - High]  {0 - 0.5}
Target Distribution         [None - High]  {0 - 1.0}
----------------------------------------------------
FORMULA                          ENVIRONMENTAL SCORE
----------------------------------------------------
round((4.4 + ((10 - 4.4) * {0 - 0.5})) * 
     {0 - 1.00}) ==                    (0.00 - 7.20)
----------------------------------------------------

[edit] CVSS Vector Definition

In addition to displaying the three scores (Base, Temporal, and Environmental) it is also common to display abbreviation of individual components.

CVSS Base Vectors should use the following format:

(AV:[L,LN,N]/AC:[H,M,L]/Au:[N,S,M]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C])

The above abbreviation is interpreted as follows:

• AV - Access Vector
• AC - Access Complexity
• Au - Authentication
• C - Confidentiality Impact
• I - Integrity Impact
• A - Availability Impact

CVSS Temporal Vectors should use the following format:

/E:[U,P,F,H]/RL:[O,T,W,U]/RC:[N,U,C]

The above abbreviation is interpreted as follows:

• E - Exploitability
• RL - Remediation Level
• RC - Report Confidence

CVSS Environmental Vectors should use the following format:

/CD[N,L,M,H]:/TD:[N,L,M,H]/

The above abbreviation is interpreted as follows:

• CD - Collateral Damage Potential
• TD - Target Distribution

[edit] See Also

• CVE
• OSSTMM

[edit] External Links

• CVSS Official Page
• NIST NVD
• CVSS Score Calculator
• CVSS Vector Definitions

Edit this page | Discuss this page | Page history | What links here | Related changes Main Page | About MRL Wiki | Find: This page has been accessed 456 times. This page was last modified on 21 June 2007, at 21:45.