Unpromising Vulnerability Prioritization with Common Vulnerability Scoring System (CVSS)
What is CVSS?
“The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities” – NIST National Vulnerability Database.
CVSS scores are static scores on a scale of 0 to 10, derived from three metric groups: Base, Temporal and Environmental. The Base score rates the severity of a vulnerability from its intrinsic characteristics, assuming a reasonable worst-case impact. The Temporal score adjusts the Base score for factors that change over time, such as the maturity of exploit code and the availability of a fix. Finally, the Environmental score adjusts the Base and Temporal scores to a specific computing environment by accounting for the confidentiality, integrity and availability requirements of the affected assets. Traditionally, CVSS has been used as the metric for prioritizing vulnerabilities, because one fact cannot be denied: not all vulnerabilities can be remediated. However, the use of CVSS as a prioritization tool is highly debatable. The Temporal and Environmental metrics that are meant to capture threat and business context are rarely populated (the National Vulnerability Database publishes Base scores and vectors only), so the published score is not representative of either, and conclusions drawn from it are problematic.
Problems with CVSS
One of the biggest problems with CVSS is that the score remains constant throughout the life of a vulnerability. A CVSS score is typically assigned within two weeks of the vulnerability being disclosed and is rarely, if ever, reassessed after that. Further, in line with its primary objective, CVSS rates the severity of a vulnerability and throws no light on the actual risk it poses: the score reflects a theoretical worst-case impact of exploitation rather than the real threat landscape and the relevant business context. Moreover, the limited 0 to 10 scale fails even as a severity prioritization tool, because the rapidly growing number of vulnerability discoveries crowds a large portion of them into the High and Critical bands. Research conducted by the Hive Pro Threat Research Team found that 32.7% of all vulnerabilities discovered to date are rated Critical or High by the National Vulnerability Database, i.e., a CVSS score between 7.0 and 10.0. In 2021 alone, the National Vulnerability Database published 20,141 vulnerabilities, of which 1,165 were Critical (CVSS 9.0 or above) and 2,845 were High (CVSS 7.0 to 8.9). Prioritization based on CVSS severity is therefore ineffective: the "prioritized" bucket still contains thousands of vulnerabilities.
Exploitability is one of the most important inputs to vulnerability prioritization and is factored into the CVSS Temporal metric group; however, as noted above, CVSS does not consider the actual threat landscape or the attack taxonomies of vulnerabilities and is therefore a poor predictor of exploitation. The Hive Pro Threat Research Team analysed 168,867 vulnerabilities published by the National Vulnerability Database up to 31 December 2020 and observed that only 10.13% of all known vulnerabilities actually had an exploit available in the wild. On further analysis of the exploitable vulnerabilities, a significant portion of them had an average CVSS Base score of 5.5 and an average CVSS Temporal score of 5.7, i.e., Medium severity. Our analysis also identified several CVEs that had not been assigned a CVSS score as of 12 June 2021. For example, CVE-2021-28550 (an Adobe Reader RCE vulnerability) was still in the RESERVED state in the NVD with no CVSS score, yet was being actively exploited in the wild. The Hive Pro Threat Research Team rates this vulnerability with a Risk Score of 97 (on a scale of 100).
Conclusion
Such serious issues with CVSS-based vulnerability prioritization raise an important question: do we really need CVSS scores at all? The answer is subjective. CVSS scores are informative and serve their purpose of defining vulnerability severity; any use of CVSS beyond that is problematic. They describe individual vulnerabilities, but fail when vulnerabilities have to be considered together. The need of the hour is therefore an intelligent, risk-based vulnerability prioritization solution such as HivePro Uni5, which accounts for exploitability, the threat landscape, adversary activity and behaviour, social media context and the organization's business context for each vulnerability, and prioritizes them for remediation accordingly.
HivePro Uni5 focuses on Threat and Exposure Management, using vulnerabilities as a pivot to help customers reduce their attack surface and move away from trying to "fix everything" towards fixing "what matters".
HivePro Uni5 provides a true risk score for every vulnerability based on 20+ parameters such as the threat actor landscape, industry vertical, geolocation, wormability and exploitability, to name a few. This enables enterprises to decide what to patch now and what can be scheduled for later. To know more about HivePro Uni5, feel free to reach out to us.
Author: Purvi Garg