November 10, 2023

CVSS 4.0 Decoded: Understanding & Implementing Changes

What is CVSS?

The Common Vulnerability Scoring System (CVSS) is a vendor-agnostic, industry-open standard owned and maintained by The Forum of Incident Response and Security Teams (FIRST). CVSS “provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.”

How Is CVSS Used?

The Forum of Incident Response and Security Teams (FIRST) explicitly states that: “CVSS Measures Severity, Not Risk.” This must be emphasized over and over given that the CVSS Base score, which only looks at the principal characteristics of a vulnerability and its associated severity, lacks evolving threat and business context to constitute a sufficient risk assessment and resulting determinations.

With that being said, CVSS scores serve as inputs into the following use cases:

The Evolution From CVSS v3.1 to CVSS v4.0

The Forum of Incident Response and Security Teams (FIRST) officially announced CVSS v4.0 in November 2022, four years after the release of CVSS v3.1.

Summary

CVSS 4.0 Decoded Understanding and Implementing Changes Summary

CVSS v3.1 & Feedback

The well-known CVSS v3.1 scores are primarily derived from the Base Metric Group, while the Temporal and Environmental Metrics Groups are supplemental, relying on the careful consideration of end-users. Ignoring the red boxes and including the black ones in the referenced graphic provides a visual representation of CVSS v3.1.

The Base and Temporal Metric Group scores are specified by vulnerability bulletin analysts, security product vendors, or application vendors. Given their subjective nature, the Environmental Metrics are specified by users. 

The publicly visible CVSS scores, which range from 0-10 (Low-High), are based solely on the Base Score and do not consider the Temporal Score. This omission can lead to a disconnect between the score and the actual risk in the real world. Furthermore, CVSS scores are influenced by the assessors’ interpretations and inherent human biases, often resulting in High or Critical ratings.

To accurately gauge the impact of vulnerabilities, end-users must delve into the threat context: the existence of an exploit, the availability of an official patch, and the reliability of the intelligence. This in-depth analysis allows them to integrate a business-risk perspective into the Base Score, addressing a common critique of CVSS v3.1. Security vendors advocate for the inclusion of threat intelligence and business-risk metrics as essential, not optional, to compensate for the Base Score’s limitations.

The complexity of the scoring system and its perceived inadequacies have hindered its adoption, particularly in the IT/OT, Industrial, Health, and Safety sectors. These issues have contributed to the development of CVSS v4.0.

CVSS v4.0 & Changes

CVSS v4.0 is composed of four metric groups: Base, Threat, Environmental, and Supplemental. The Temporal Metrics Group was renamed to the Threat Metrics Group. The Supplemental Metrics Group is a new addition.

Base Metrics Group Changes: 

Threat Metrics Group Changes: 

Environmental Metrics Group Changes: 

Supplemental Metrics Group:

Nomenclature Change: To support these metric groups, a new nomenclature purpose-built to encourage adoption beyond the Base Score. 

Vector String & Scoring Change: The updates to the revised metrics extend to the vector string as well. The new vector string, while not easily readable by humans, is machine-readable. Fortunately, FIRST has provided an updated, interactive calculator to aid in interpretation. Details on scoring changes are available in the accompanying Specification Document.

The 5 Takeaways You Should Care About

  1. CVSS Measures Severity, Not Risk
    Although CVSS v4.0 still provides a general sense of vulnerability severity, FIRST has emphasized the importance of threat exposure and business asset criticality as integral risk assessment inputs. The new CVSS v4.0 framework enhances robustness and transparency but still requires users to compute Threat, Environmental, and Supplemental Metrics.
  2. Vendors Still Take Responsibility For Base Metrics
    Vulnerability bulletins and security and application vendors will continue to contribute to Base Metric calculations. Accurately assessing your business risk, however, depends on incorporating Threat and Environmental Metrics.
  3. CVSS is One Input Among Many
    CVSS Base scores, which often lag behind CVE scores, are generic. Overreliance on CVSS for vulnerability management is discouraged; a more nuanced approach involving additional scrutiny is recommended.
  4. Threat Intelligence & Business Risk Context Is Still Your Responsibility
    It’s vital to integrate diverse threat intelligence sources to evaluate threat exposure impacting your Threat and Environmental Metric Groups; however, the investment to manually apply threat intelligence to every vulnerability or for every relevant CVE can be impractical and may affect patch cycles. Hive Pro’s Uni5 is an enterprise grade platform that automatically applied the widest breadth of threat intelligence to your assets and embedded vulnerabilities. Uni5 also considers your compensating controls and business risk context when prioritizing vulnerabilities, optimizing security controls, and automating remediation.
  5. Supplemental Metrics Drive The Principles of Organizational Resilience
    Begin calculating Supplemental Metrics by examining your Business Impact Analysis, Business Continuity, Incident Response Plans, and Asset or Data Classification Policies. This exploration must be viewed in the lens of effects on vulnerability and threat exposure management. While these don’t affect the final CVSS score, they’re essential for a comprehensive approach to vulnerability and threat management. 

Author: Zaira Pirzada

Related Events

Dive into our library of resources for expert insights, guides, and in-depth analysis on maximizing Uni5 Xposure’s capabilities

Book a demo and find out more about how Hive Pro can double your operational efficiency

Book a Demo