The Dilemma of CVSS Severity Rating: Lacking Real-World Context
The Common Vulnerability Scoring System (CVSS) has long been relied upon by security teams and developers to assess the severity of vulnerabilities. This standardized framework assigns a score to each Common Vulnerabilities and Exposures (CVE) entry, ranging from 0 to 10, to reflect the exploitability and potential damage of a vulnerability.
However, there is growing concern that the CVSS severity rating lacks real-world context, leading to misplaced priorities and wasted resources in vulnerability remediation efforts. Shachar Menashe, Senior Director of JFrog Security Research, highlights this issue and offers insights into how organizations can better prioritize fixes.
Challenges with CVSS Severity Rating
Menashe highlights that the current CVSS scoring system is based on a complex set of factors, which do not adequately consider the real-world impact of vulnerabilities. In a study conducted by JFrog, it was found that the severity rating of many common vulnerabilities was overinflated.
For example, the study revealed that 64% of the top 50 CVEs received a lower severity rating when assessed by JFrog Security Research compared to the CVSS. This suggests that many vulnerabilities are harder to exploit than reported and their high severity rating can be deceiving.
The Real Metric: Exploitability
To analyze the context of a CVE, Menashe suggests considering real-world factors that determine exploitability. This includes assessing whether a vulnerability is exploitable in a service’s default configuration or only under contrived scenarios, the existence of a reachable path to the vulnerable code, code preconditions, the likelihood of parsing untrusted data, and the deployment and security mechanisms of the vulnerable software.
The Limitations of CVSS Scoring
The current CVSS scoring system provides some context through its impact metrics such as Confidentiality, Integrity, and Availability. However, these metrics are rated based on a theoretical assessment without fully considering the actual impact of an attack on real-world systems.
Menashe gives examples of how the CVSS severity rating may not accurately reflect the severity of vulnerabilities. A denial-of-service (DoS) attack that crashes a minor process will receive the same “High” availability impact rating as a DoS attack that crashes a critical daemon. Similarly, a buffer overflow that doesn’t overwrite any meaningful variable still receives a “High” integrity impact rating, even if it has no security impact.
To illustrate the limitations of CVSS scoring further, Menashe refers to the OpenSSL vulnerability CVE-2022-3602, which was initially feared but later found to have no real-world impact. Despite this, it still received a “High” impact rating in CVSS.
CVSS 4.0 and Its Insufficient Solution
CVSS 4.0, the latest version of the scoring system, includes an “Attack Requirement” metric, aiming to reflect the conditions needed for a successful attack. However, Menashe argues that this metric is not detailed enough to address the rarity of attack requirements.
For instance, a remote code execution vulnerability that is only exploitable under extremely rare configurations or conditions will be marked as having “Attack Requirements” present. This would slightly alter the score from 9.3 to 9.2. Yet, organizations will still receive critical scores for theoretical remote vulnerabilities that are highly unlikely to happen in real-world scenarios.
Advice: Adding Context and Integration
While the CVSS system continues to evolve, Menashe provides valuable advice on how organizations can better assess the criticality of vulnerabilities and allocate resources effectively.
Utilizing Additional Resources
Menashe suggests examining CVSS ratings beyond the National Vulnerability Database (NVD) and paying special attention to ratings provided by specific entities such as Common Vulnerabilities Enumeration (CNA) and distro-specific or project-specific severity scores. These additional ratings, such as those from Ubuntu, Red Hat Linux, and Apache Web Server, often offer a more accurate assessment of severity.
Integrating Real-World Context
Menashe emphasizes the importance of integrating real-world exploitability, CVE applicability, and contextual analysis into the remediation process. Rather than expecting developers to “fix everything,” organizations should equip them with the necessary information to prioritize and address the vulnerabilities that truly matter.
Philosophical Discussion: Balancing Realism and Preparedness
The issue raised by Menashe’s analysis of CVSS severity rating prompts a broader philosophical discussion about the delicate balance between realism and preparedness in the realm of cybersecurity.
On one hand, the importance of accurately assessing vulnerabilities and focusing resources on meaningful security measures cannot be underestimated. Organizations must be cautious not to squander their limited remediation resources on flaws that are unlikely to impact their systems. By integrating real-world factors, organizations can make more informed decisions and prioritize their vulnerability management efforts effectively.
On the other hand, cybersecurity is an ever-evolving landscape, and preparing for worst-case scenarios is crucial. While some vulnerabilities may seem highly improbable in reality, unexpected combinations of factors or the emergence of new exploit techniques can quickly turn a theoretical vulnerability into a tangible threat. Therefore, organizations must strike a balance between pragmatic prioritization and maintaining a certain level of preparedness.
Editorial: Advancing Vulnerability Assessment and Remediation
The issue highlighted by Menashe shines a light on the need for continual advancement in vulnerability assessment and remediation practices. As the cybersecurity landscape becomes increasingly complex and threats evolve, relying on a single scoring system may no longer suffice.
Efforts should be made to refine and expand the CVSS scoring system to incorporate a more comprehensive understanding of real-world context. By doing so, organizations can align their vulnerability management strategies with the actual impact vulnerabilities may have on their systems.
Furthermore, collaboration across the cybersecurity community is key. Information sharing and the cultivation of additional resources, such as distro-specific and project-specific severity ratings, can help organizations gain a more accurate assessment of vulnerability criticality and make informed decisions.
Conclusion
The reliance on CVSS severity rating for vulnerability prioritization and remediation has its limitations. The lack of real-world context in current scoring systems can mislead organizations and cause wastage of valuable resources.
It is vital for organizations to consider additional resources, integrate real-world exploitability, and leverage contextual analysis to improve vulnerability management practices. By refining the CVSS system and embracing collaborative efforts, the industry can advance in its ability to accurately assess vulnerabilities and allocate resources effectively.
<< photo by Frames For Your Heart >>
The image is for illustrative purposes only and does not depict the actual situation.
You might want to read !
- Why Cybersecurity Awareness Falls Short: Shifting the Spotlight to Behavioral Change
- Former Soviet States Under Attack: The Perplexing Case of Kazakh Assailants Disguised as Azerbaijanis
- Webmail Zero-Day Bug: Winter Vivern APT’s One-Click Exploit Unleashed
- ForAllSecure’s Dynamic Software Bill of Materials: Revolutionizing Application Security
- Elevating Cybersecurity Measures: Companies Tackle the Exploited Libwebp Vulnerability
- Empowering Developers: The Key Role of Security Teams in Shifting Left
