
CVSS

From MRL Wiki

The Common Vulnerability Scoring System (CVSS) is an open and universal vulnerability scoring system developed by NIAC and maintained by FIRST. Its primary goal is to provide common criteria for assessing vulnerability severity and for determining the urgency and priority of a response.

The scoring system is based on three groups of metrics: Base Metric, Temporal Metric, and Environmental Metric. Each group is further subdivided into more granular metrics to address all characteristics of a vulnerability.


Base Metrics

Base Metrics represent the core characteristics of a vulnerability which do not change over time. There are a total of seven Base Metrics:

The Base Metric score is calculated using this formula:

BaseScore = round_to_1_decimal(10 * AccessVector
                                  * AccessComplexity
                                  * Authentication
                                  * ((ConfImpact * ConfImpactBias)
                                  + (IntegImpact * IntegImpactBias)
                                  + (AvailImpact * AvailImpactBias)))

Temporal Metrics

Temporal Metrics represent characteristics of a vulnerability which change over time. There are a total of three Temporal Metrics:

The Temporal Metric is calculated using this formula:

TemporalScore = round_to_1_decimal(BaseScore * Exploitability
                                             * RemediationLevel
                                             * ReportConfidence)

Environmental Metrics

Environmental Metrics represent the implementation- and environment-specific qualities of a vulnerability. There are a total of two Environmental Metrics.

The Environmental Metric is calculated according to this formula:

EnvironmentalScore = round_to_1_decimal((TemporalScore + ((10 - TemporalScore)
                                         * CollateralDamagePotential))
                                         * TargetDistribution)

Final Score

The final score is represented as a set of three numbers corresponding to the Base Metric Score, Temporal Metric Score, and Environmental Metric Score. Most vulnerability databases list only the Base and Temporal Scores, since Environmental Metrics are organization specific. Below is an example of a complete vulnerability assessment for Buffer Overflow In NOD32 Antivirus Software (CVE-2003-0062):

----------------------------------------------------
BASE METRIC                 EVALUATION         SCORE
----------------------------------------------------
Access Vector               [Local]           (0.70)
Access Complexity           [High]            (0.80)
Authentication              [Not-Required]    (1.00)
Confidentiality Impact      [Complete]        (1.00)
Integrity Impact            [Complete]        (1.00)
Availability Impact         [Complete]        (1.00)
Impact Bias                 [Normal]         (0.333)
----------------------------------------------------
FORMULA                                   BASE SCORE
----------------------------------------------------
round(10 * 0.7 * 0.8 * 1.0 * ((1.0 * 0.333) +
     (1.0 * 0.333) + (1.0 * 0.333))) ==        (5.6)
----------------------------------------------------
	
----------------------------------------------------
TEMPORAL METRIC             EVALUATION         SCORE
----------------------------------------------------
Exploitability              [Proof-Of-Concept](0.90)
Remediation Level           [Official-Fix]    (0.90)
Report Confidence           [Confirmed]       (1.00)
----------------------------------------------------
FORMULA                               TEMPORAL SCORE
----------------------------------------------------
round(5.6 * 0.90 * 0.90 * 1.00) ==             (4.4)
----------------------------------------------------

----------------------------------------------------
ENVIRONMENTAL METRIC        EVALUATION         SCORE
----------------------------------------------------
Collateral Damage Potential [None - High]  {0 - 0.5}
Target Distribution         [None - High]  {0 - 1.0}
----------------------------------------------------
FORMULA                          ENVIRONMENTAL SCORE
----------------------------------------------------
round((4.4 + ((10 - 4.4) * {0 - 0.5})) * 
     {0 - 1.00}) ==                    (0.00 - 7.20)
----------------------------------------------------
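The three formulas above, applied to the NOD32 evaluation values from the tables, as an added example (not part of the original page). The rounding mode is an assumption: the page only says round_to_1_decimal, and the code rounds half up. Note that the Temporal formula applied to a Base Score of 5.6 yields 5.6 × 0.9 × 0.9 × 1.0 = 4.536, which rounds to 4.5, whereas the table above shows 4.4; the Environmental range computed here is therefore derived from 4.5.

```python
from decimal import Decimal, ROUND_HALF_UP


def round1(x):
    """round_to_1_decimal from the page. Half-up rounding is an assumption;
    going through str() keeps exact ties such as 7.25 from drifting in binary."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(av, ac, au, conf, integ, avail, bias=(0.333, 0.333, 0.333)):
    """BaseScore: 10 * AV * AC * Au * weighted sum of the three impacts.
    The default bias is the page's [Normal] impact bias, 0.333 for each."""
    cb, ib, ab = bias
    return round1(10 * av * ac * au * (conf * cb + integ * ib + avail * ab))


def temporal_score(base, exploitability, remediation, confidence):
    """TemporalScore: the Base Score scaled by the three Temporal Metrics."""
    return round1(base * exploitability * remediation * confidence)


def environmental_score(temporal, cdp, td):
    """EnvironmentalScore: CDP moves the score toward 10, TD scales it down."""
    return round1((temporal + (10 - temporal) * cdp) * td)


def environmental_range(temporal):
    """The envelope the page's last table shows: CDP in {0 - 0.5}, TD in {0 - 1.0}."""
    return (environmental_score(temporal, 0.0, 0.0),
            environmental_score(temporal, 0.5, 1.0))


# Evaluation values copied from the page's NOD32 (CVE-2003-0062) tables.
NOD32_BASE = dict(av=0.7, ac=0.8, au=1.0, conf=1.0, integ=1.0, avail=1.0)
NOD32_TEMPORAL = dict(exploitability=0.9, remediation=0.9, confidence=1.0)


def score_nod32():
    """Returns (base, temporal, (environmental min, environmental max))."""
    base = base_score(**NOD32_BASE)
    temporal = temporal_score(base, **NOD32_TEMPORAL)
    return base, temporal, environmental_range(temporal)


if __name__ == "__main__":
    base, temporal, (env_min, env_max) = score_nod32()
    print(f"Base {base}  Temporal {temporal}  Environmental {env_min} - {env_max}")
```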

CVSS Vector Definition

In addition to displaying the three scores (Base, Temporal, and Environmental), it is also common to display abbreviations of the individual components.

CVSS Base Vectors should use the following format:

(AV:[L,LN,N]/AC:[H,M,L]/Au:[N,S,M]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C])

The above abbreviation is interpreted as follows:

CVSS Temporal Vectors should use the following format:

/E:[U,P,F,H]/RL:[O,T,W,U]/RC:[N,U,C]

The above abbreviation is interpreted as follows:

CVSS Environmental Vectors should use the following format:

/CD:[N,L,M,H]/TD:[N,L,M,H]

The above abbreviation is interpreted as follows:


Retrieved from "http://www.midnightresearch.com/wiki/index.php/CVSS"

This page has been accessed 2,576 times. This page was last modified on 21 June 2007, at 21:45.
