If you have read about security bugs online, you have probably come across the scores attached to them. These are computed with the Common Vulnerability Scoring System (CVSS), which is used to rate vulnerabilities in the Common Vulnerabilities and Exposures (CVE) database. Here we discuss what makes up the score.
What affects the score?
The total base score ranges from 0 to 10 and is built from three sub-scores: exploitability, impact and scope. Easier exploitation is worse, as is higher impact. A vulnerability that can easily be exploited over the network by anyone and that has a high impact would be Critical, while one that requires physical access or user interaction and achieves little would be Low.
Exploitability refers to how easily a vulnerability can be exploited by an attacker. The less the attacker needs, the easier it is to exploit. There are four components:
- Attack Vector describes the network relationship the attacker must have with the target in order to exploit the vulnerability. The simplest and most serious is Network, meaning it can be exploited by anyone with access from the public Internet. Adjacent means the attacker must be on a shared network segment, and Local means the attacker needs local access to the system. Physical requires direct physical interaction and often user interaction as well.
- Attack Complexity covers a bit more than just how complicated the exploit is. Higher attack complexity means more conditions must line up for the vulnerability to be exploited. Low complexity means the exploit works reliably across a wide range of systems.
- Privileges Required. None means anyone, without authentication, can exploit it; Low means the attacker needs some form of basic privilege; and High means the attacker must hold elevated privileges to exploit it.
- User Interaction, whether the target user must do something for the exploit to work. This metric is binary: interaction is either required or not.
Impact refers to how serious the exploit is and how much it affects the target system. It has three components:
- Confidentiality, or unauthorized reads (i.e. whether the attack gives access to resources that should be private). Low is a limited exposure of some private information, and High means that sensitive data (often customer data) can be exposed.
- Integrity, or unauthorized writes. Low means the attacker can write to specific files, and High gives the attacker write access to everything within the scope of the target.
- Availability refers to whether the exploit can make an application unavailable, including but not limited to DDoS attack vectors. Low means parts of the application can go offline, and High means most or all of the application can be taken down by the exploit. Note the distinction: confidentiality and integrity refer to the data used by the application, whereas availability refers to the operation of the service itself. There are scenarios where this overlaps with integrity: an exploit that gives an attacker full write access to the system can also let them delete the application itself.
Finally, Scope. This is a bit more complicated, but basically refers to whether the exploit gives access beyond the control of the target, usually outside a security sandbox or boundary. The CVSS guide defines it as “when a security mechanism separating components is bypassed due to a vulnerability and this causes a security impact outside the scope of the vulnerable component.”
Examples include a vulnerability in a virtual machine that allows escaping to the host, vulnerabilities in microprocessors that allow access to other threads, cross-site scripting, or URL redirects that reach into a user’s browser sandbox.
In the end, all of this comes down to a single score, together with a rating such as “High” or “Critical” that describes the overall severity.
Next to the score you often see the vector string, which looks confusing at first but is really just abbreviated key-value pairs, one for each component.
You can take any vector string and paste it into the calculator after the hash sign (#) in the URL to get a better picture of it.
The second main score is the Temporal Score, which tracks how a vulnerability’s severity changes over time. It takes into account exploit code maturity (whether the exploit is used in practice), whether a fix is available, and how confident the publisher is in the details of the vulnerability.