CVSS 4.0 Decoded: Understanding & Implementing Changes

What is CVSS?

The Common Vulnerability Scoring System (CVSS) is a vendor-agnostic, industry-open standard owned and maintained by The Forum of Incident Response and Security Teams (FIRST). CVSS “provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.”

How Is CVSS Used?

The Forum of Incident Response and Security Teams (FIRST) explicitly states that: “CVSS Measures Severity, Not Risk.” This must be emphasized over and over given that the CVSS Base score, which only looks at the principal characteristics of a vulnerability and its associated severity, lacks evolving threat and business context to constitute a sufficient risk assessment and resulting determinations.

With that being said, CVSS scores serve as inputs into the following use cases:

• Vulnerability Prioritization: CVSS scores provide a general, qualitative representation of vulnerability severity to feed in as an enrichment factor into a prioritization engine.
• Patch Management: CVSS scores can enrich patch prioritization and patch urgency. 
• Security Tool Automation: CVSS scores can be fed into security tools involved in the vulnerability management cycle to enrich automated scanning and remediation workflows.
• Risk Assessments: CVSS scores help in assessing the potential risk a vulnerability may bring to an organization’s assets.
• Third Party Risk Management: CVSS scores can enrich third-party risk assessments regarding the security postures of potential partners and vendors. 
• Incident Response: CVSS scores can help determine the severity of an incident and shape a sufficient response strategy.
• Compliance and Risk Reporting: CVSS scores can enrich security posture reporting and demonstrate compliance with vulnerability management requirements.

The Evolution From CVSS v3.1 to CVSS v4.0

The Forum of Incident Response and Security Teams (FIRST) officially announced CVSS v4.0 in November 2022, four years after the release of CVSS v3.1.

Summary

CVSS v3.1 & Feedback

The well-known CVSS v3.1 scores are primarily derived from the Base Metric Group, while the Temporal and Environmental Metrics Groups are supplemental, relying on the careful consideration of end-users. Ignoring the red boxes and including the black ones in the referenced graphic provides a visual representation of CVSS v3.1.

• The Base Metric Group represents the intrinsic qualities of a vulnerability like its exploitability, the complexity of the exploit, the privileges required, user involvement, the scope of impact across systems, and effects on system confidentiality, integrity, and availability.
• The Temporal Metric Group measures the current state of exploit techniques or code availability, the existence of patches/workarounds, and the degree of confidence in the exploit intelligence provided.
• The Environmental Metric Group represents the characteristics of a vulnerability that are unique to a user’s environment. These metrics enable analysts to customize the CVSS score with inputs regarding IT asset importance and compensatory security controls. These metrics are the modified equivalent of base metrics.

The Base and Temporal Metric Group scores are specified by vulnerability bulletin analysts, security product vendors, or application vendors. Given their subjective nature, the Environmental Metrics are specified by users. 

The publicly visible CVSS scores, which range from 0-10 (Low-High), are based solely on the Base Score and do not consider the Temporal Score. This omission can lead to a disconnect between the score and the actual risk in the real world. Furthermore, CVSS scores are influenced by the assessors’ interpretations and inherent human biases, often resulting in High or Critical ratings.

To accurately gauge the impact of vulnerabilities, end-users must delve into the threat context: the existence of an exploit, the availability of an official patch, and the reliability of the intelligence. This in-depth analysis allows them to integrate a business-risk perspective into the Base Score, addressing a common critique of CVSS v3.1. Security vendors advocate for the inclusion of threat intelligence and business-risk metrics as essential, not optional, to compensate for the Base Score’s limitations.

The complexity of the scoring system and its perceived inadequacies have hindered its adoption, particularly in the IT/OT, Industrial, Health, and Safety sectors. These issues have contributed to the development of CVSS v4.0.

CVSS v4.0 & Changes

CVSS v4.0 is composed of four metric groups: Base, Threat, Environmental, and Supplemental. The Temporal Metrics Group was renamed to the Threat Metrics Group. The Supplemental Metrics Group is a new addition.

Base Metrics Group Changes: 

• Attack complexity is split into two metrics: attack complexity and attack requirements. Attack requirements reflect the prerequisite conditions of the vulnerable component that makes an attack possible while Attack complexity reflects the exploit engineering complexity required to outmaneuver defensive measures. 
• User interaction has been changed from ‘none’ and ‘required’ to ‘none,’ ‘passive,’ and ‘active’ to account for more granularity in user actions when subverting protections, whether consciously or involuntarily.
• Due to widespread confusion, the ‘Scope’ metric was retired. It has been expanded upon in the ‘Impact Metrics’ section, which now includes ‘Vulnerable System C/I/A’ and ‘Subsequent System(s) C/I/A’. This clarifies that the exploitation of a vulnerability may affect surrounding systems, and such impacts must be considered. The definitions regarding impact have been only slightly modified to account for total loss, partial loss, or no loss.

Threat Metrics Group Changes: 

• Although the Exploit Code Maturity metric has been renamed to Exploit Maturity, it continues to assess the likelihood of  vulnerability exploitation by measuring the current state of exploit techniques, exploit code availability, or active, “in-the-wild” incidents of exploitation. The only change worth noting here is in the metrics calculus. The previous metric value inputs were: not defined, high, functional, proof-of-concept, unproven. Now they are defined as: not defined, attacked, proof-of-concept, and unreported. The purpose of these changes is to ensure accuracy when discussing threats. As in CVSS v3.1, analysts are required to gather their own threat intelligence and make their own determinations. 
• The Remediation Level metric has been retired; however, this decision warrants further explanation. The metric evaluated whether a workaround, temporary fix, or official fix was available for an exploit. Its removal from the Threat Metric Group is justified because it does not accurately reflect the threat. Nonetheless, it would be more appropriately placed in the Environmental Metric Group, as it impacts the overall risk of a reported vulnerability.  
• Report Confidence has been retired. This is reasonable due to its highly subjective nature, which is based on opinion. It has not been incorporated into any other category.

Environmental Metrics Group Changes: 

• The Modified Base Metrics allow analysts to adjust individual Base Metric values to reflect the unique characteristics of their organization’s environment and the significance of the affected IT assets. These metrics assess the impact on Confidentiality, Integrity, and Availability for all affected IT assets. As with CVSS v3.1, it is up to the analysts to assess these factors at their discretion.

Supplemental Metrics Group:

• This new, optional metric group offers metrics for additional, non-inherent attributes of a vulnerability. These include the impact on safety, the potential for attackers to automate attacks, the urgency of remediation, the recoverability from an attack, the categorization of the vulnerable system based on its capability or data richness, and the effort required to respond to an exploit. Designed to be inclusive, these metrics are particularly relevant to the IoT, ICS, and healthcare sectors, which require a nuanced understanding of these impacts for vulnerability prioritization. They can also be leveraged by any industry to enhance organizational resilience and to assess the qualitative or quantitative costs of exploitation. The application of this metric group is at the discretion of the user and does not influence the final CVSS score.

Nomenclature Change: To support these metric groups, a new nomenclature purpose-built to encourage adoption beyond the Base Score. 

• CVSS-B: CVSS Base Score
• CVSS-BT: CVSS Base + Threat Score
• CVSS-BE: CVSS Base + Environmental Score
• CVSS-BTE: CVSS Base + Threat + Environmental Score

Vector String & Scoring Change: The updates to the revised metrics extend to the vector string as well. The new vector string, while not easily readable by humans, is machine-readable. Fortunately, FIRST has provided an updated, interactive calculator to aid in interpretation. Details on scoring changes are available in the accompanying Specification Document.

The 5 Takeaways You Should Care About

1. CVSS Measures Severity, Not Risk
   Although CVSS v4.0 still provides a general sense of vulnerability severity, FIRST has emphasized the importance of threat exposure and business asset criticality as integral risk assessment inputs. The new CVSS v4.0 framework enhances robustness and transparency but still requires users to compute Threat, Environmental, and Supplemental Metrics.
2. Vendors Still Take Responsibility For Base Metrics
   Vulnerability bulletins and security and application vendors will continue to contribute to Base Metric calculations. Accurately assessing your business risk, however, depends on incorporating Threat and Environmental Metrics.
3. CVSS is One Input Among Many
   CVSS Base scores, which often lag behind CVE scores, are generic. Overreliance on CVSS for vulnerability management is discouraged; a more nuanced approach involving additional scrutiny is recommended.
4. Threat Intelligence & Business Risk Context Is Still Your Responsibility
   It’s vital to integrate diverse threat intelligence sources to evaluate threat exposure impacting your Threat and Environmental Metric Groups; however, the investment to manually apply threat intelligence to every vulnerability or for every relevant CVE can be impractical and may affect patch cycles. Hive Pro’s Uni5 is an enterprise grade platform that automatically applied the widest breadth of threat intelligence to your assets and embedded vulnerabilities. Uni5 also considers your compensating controls and business risk context when prioritizing vulnerabilities, optimizing security controls, and automating remediation.
5. Supplemental Metrics Drive The Principles of Organizational Resilience
   Begin calculating Supplemental Metrics by examining your Business Impact Analysis, Business Continuity, Incident Response Plans, and Asset or Data Classification Policies. This exploration must be viewed in the lens of effects on vulnerability and threat exposure management. While these don’t affect the final CVSS score, they’re essential for a comprehensive approach to vulnerability and threat management. 

Author: Zaira Pirzada