Practical Guidance for CVSS v4.0 Scoring

Slide Note
Embed
Share

Practical guidance on scoring the new CVSS v4.0 standard, including insights on metric guidance, new features, score nomenclature, and retired metrics. Learn about the changes, enhancements, and improvements in CVSS v4.0 to enhance your vulnerability assessments.

kirsten
kirsten Follow

Uploaded on Aug 13, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. CVSS v4.0: Where the Rubber Meets the Road Practical guidance for scoring the new standard. Nick Leali and Dave Dugal September 21, 2023

  2. Agenda Metric Guidance Introduction 1 4 Supplemental Metrics What is CVSS v4.0 2 5 Resources Score Transitions 6 3

  3. What is new with v4.0? 8/13/2024 3

  4. New CVSS Features Temporal renamed to Threat Metrics simplified and clarified Remediation Level (RL) and Report Confidence (RC) retired Exploit "Code" Maturity renamed to Exploit Maturity (E) with clearer values Finer granularity, new Base metrics New Base metric: Attack Requirements (AT) New Base metric values: User Interaction (UI): Passive (P) and Active (A)

  5. CVSS v4.0 Score Nomenclature The CVSS Standard is NOT just the Base Score To stress this concept, new nomenclature has been adopted: CVSS-B: CVSS Base Score CVSS-BT: CVSS Base + Threat Score CVSS-BE: CVSS Base + Environmental Score CVSS-BTE: CVSS Base + Threat + Environmental Score The more metrics used to enrich your CVSS scoring, the higher quality your assessment will be.

  6. Scope is Retired! Retired Base Metric: Scope (S) Problem: Scope may have been the least loved and least understood CVSS metric ever. Caused inconsistent scoring between product providers Implied lossy compression of impacts of vulnerable and impacted systems Solution: Impact Metrics expanded into two sets: Vulnerable System Confidentiality (VC), Integrity (VI), Availability (VA) Subsequent System(s) Confidentiality (SC), Integrity (SI), Availability (SA) 8/13/2024 6

  7. Supplemental Metric Group Supplemental Metrics give additional context to a vulnerability. No metric will define numerical impact on the final calculated CVSS score Note: All Supplemental Metrics supplied by the information provider are optional. Automatable Recovery Value Density Vulnerability Response Effort Provider Urgency Safety

  8. The Math of v4.0 8/13/2024 8

  9. The Scores They Are A-Changin *Depending on your metrics cisco-sa-ipv4.0-vfr-dos-CXxtFacb / CVE-2023-20027 A vulnerability in the implementation of the IPv4.0 Virtual Fragmentation Reassembly (VFR) feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. Numeric score (v3 Base) 8.6 (v4.0 Base) 8.7 (v4.0 B+T) 6.6 (v4.0 B+T with S) 6.6 Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:U CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/S:N/AU:Y/R:U/ V:D/RE:M/U:Amber/E:U

  10. Examples of v3 to v4.0 Transitions Vulnerability Class v3 Score v3 Metric v4.0 Score v4.0 Metric CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/V C:H/VI:H/VA:H/SC:N/SI:N/SA:N Privilege escalation (AV:Netwk, PR:Low) 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S: U/C:H/I:H/A:H 8.7 CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/V C:H/VI:H/VA:H/SC:N/SI:N/SA:N Privilege escalation (AV:Local, PR:High) 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S: U/C:H/I:H/A:H 8.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/V C:N/VI:N/VA:H/SC:N/SI:N/SA:N Denial of Service 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S :U/C:N/I:N/A:H CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S :U/C:H/I:H/A:H CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S: C/C:L/I:L/A:N CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S: U/C:H/I:N/A:N 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/V C:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A Shellshock 9.8 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC :N/VI:L/VA:N/SC:L/SI:L/SA:N Stored XSS 5.4 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/V C:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:A Heartbleed 7.5 8.7

  11. Practical Scoring Guidance

  12. User Interaction: Passive or Active? User Action Passive or Active? Browse an internal SharePoint site Click a link Run a program View a document in email Connect to an access point Copy a file into a directory Dismiss a security warning Passive Active It Depends! Passive Passive Active Active 8/13/2024 CVSS v4: Where the Rubber Meets the Road 12

  13. Focus on: User Interaction Passive: limited interaction by the targeted user with the vulnerable system and the attacker s payload... Active: perform specific, conscious interactions with the vulnerable system and the attacker s payload Two XSS examples, Stored vs. Reflected CVE-2020-0926: A user must browse within a web application CVE-2022-24682: A user must click a link Numeric Score Vector String (v4.0 Base) 5.1 (v4.0 Base) 5.1 CVE-2020-0926 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N CVE-2022-24682 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

  14. Focus on: Attack Requirements Attack Requirements: the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack The metric is related to external challenges: Deployment and execution conditions or variables of the vulnerable system must be overcome. Examples include: race condition or network injection (MITM). CVE-2020-3549: Cisco FMC and FTD Hash Theft An attacker must be able to observe traffic between hosts, an on-path attack. Numeric Score (v4.0 Base) 9.2 Vector String CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

  15. Focus on: Subsequent System Impact Subsequent System Confidentiality, Integrity, and Availability: assessment providers need to account for impacts both to the Vulnerable System and impacts outside of the Vulnerable System CVE-2023-22394: Junos OS Memory Leak DoS Subsequent systems, i.e. other hosts using the vulnerable device as a gateway, are impacted, and the SA:L metric is selected. Numeric Score (v4.0 Base) 8.7 (v4.0 B+T) 6.6 Vector String CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:U

  16. Additional Subsequent System Impact Example Subsequent System Confidentiality, Integrity, and Availability: assessment providers need to account for impacts both to the Vulnerable System and impacts outside of the Vulnerable System CVE-2020-3947: VMware Use-After-Free A user within the guest operating system could execute arbitrary code on the host. A successful exploit could allow the attacker to impact the host and other virtual machines as a result. Numeric Score (v4.0 Base) 9.4 Vector String CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

  17. Subsequent System Guidance What IS a Subsequent System? Guest host in a VM Device attached to a network gateway A managed Device Including OT / ICS / SCADA equipment 8/13/2024 17

  18. Context Clues: Supplemental Metrics

  19. Focus on: Safety Safety: indicates the degree of impact to the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited CVE-2023-28728: Panasonic Control FPWIN ICS Buffer Overflow The impact from an attacker gaining full control of software that is running on a programmable logic controller (PLC) may meet the definition of IEC 61508 consequence category marginal, critical or catastrophic. Numeric Score (v4.0 Base) 8.5 (v4.0 Base+S) 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:P Vector String CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

  20. Focus on: Recovery Recovery: describes the resilience of a system to recover services, in terms of performance and availability, after an attack has been performed CVE-2016-5729: Lenovo Thinkpwn Exploit The attacker could ... prevent recovery of the system ... and locking down the system. Numeric Score (v4.0 Base) 9.3 (v4.0 Base+S) 9.3 CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/R:I Vector String CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

  21. Focus on: Provider Urgency To facilitate a standardized method to incorporate additional provider- supplied assessment, an optional pass-through Supplemental Metric called Provider Urgency is available. CVE-2099-10001: 2099-01 Security Bulletin: Junos: RPD core due to receipt of BGP UPDATE with malformed optional transitive attributes A BGP UPDATE containing a specifically crafted set of transitive attributes can cause the RPD routing process to crash and restart. The RPD process crashes immediately upon receipt of the BGP UPDATE, resulting in a Denial of Service (DoS) of the router. Numeric Score (v4.0 Base) 8.7 (v4.0 Base+S) 8.7 Vector String CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:N/U:Amber

  22. Focus on: Automatable CVE-2099-10002: 2099-01 Security Bulletin: Junos: RPD core due to processing and forwarding of BGP UPDATE with malformed optional transitive attributes A BGP UPDATE containing a specifically crafted set of transitive attributes can cause the RPD routing process to crash and restart. The RPD process forwards the BGP UPDATE, then crashes and restarts, resulting in a cascade Denial of Service (DoS) of the router, and all downstream routers. Numeric Score Vector String (v4.0 Base) 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y/U:Red

  23. CVSS v4.0 Schedule and Timeline Request for Public Comment: June 8th, 2023 Closing of Public Comment: July 31st, 2023 Comment Responses Complete: September 30th, 2023 CVSS v4.0 Official Publication: Q4/2023 (October 31st, 2023) Public comments, questions, and concerns: cvss@first.org

  24. Questions?

  25. Additional Resources CVSS v4.0 Site https://www.first.org/cvss/v4/ CVSS v4.0 Training https://learn.first.org/catalog/info/id:126, cms_featured_course:1 CVSS Feedback cvss@first.org CVSS Examples Draft CVSS v4.0 Announcement https://www.first.org/cvss/v4/cvss- v4.00-presentation.pdf https://www.first.org/cvss/v4/examples

Related


MCAS Biology Test Scoring Process Overview

MCAS Biology Test Scoring Process Overview

nikolas
Speaking Scoring Practice Slides for Secondary Level Assessment

Speaking Scoring Practice Slides for Secondary Level Assessment

her_ste
Supporting Schools and Students: Hand-Scoring & Score Reporting Training Module

Supporting Schools and Students: Hand-Scoring & Score Reporting Training Module

vyom_2
GD Bart Puppy Test: Behavior Scoring System Overview

GD Bart Puppy Test: Behavior Scoring System Overview

django
Promoting Archery in Hillingdon: Understanding Scoring and Rules

Promoting Archery in Hillingdon: Understanding Scoring and Rules

abdullah
Understanding Questionnaires, Scoring, and UAT Part 1



Understanding Questionnaires, Scoring, and UAT Part 1



alfonso
Understanding Sequence Alignment and Scoring Matrices

Understanding Sequence Alignment and Scoring Matrices

atwell_a
Self-Determination Assessment Scoring Guide

Self-Determination Assessment Scoring Guide

sahil
Understanding Tactical Fouls and DOGSO in Soccer

Understanding Tactical Fouls and DOGSO in Soccer

maisey
AchieveNJ Teacher Evaluation Scoring Guide Overview

AchieveNJ Teacher Evaluation Scoring Guide Overview

kwame
Overview of RACP Divisional Clinical Examination Scoring Grid and Bands

Overview of RACP Divisional Clinical Examination Scoring Grid and Bands

atreyu
ELPA21 Screener Speaking Scoring Slides with Rationales

ELPA21 Screener Speaking Scoring Slides with Rationales

bellard_n
Data Quality Assessments

Data Quality Assessments

haniya
Faculty Instructions: Accessing, Viewing & Scoring Student Assessments in VIA/SLL - George Mason University Summer 2023

Faculty Instructions: Accessing, Viewing & Scoring Student Assessments in VIA/SLL - George Mason University Summer 2023

trenton
Basketball Fundamentals and Rules Overview

Basketball Fundamentals and Rules Overview

oksana
Understanding the WSP Audit Process

Understanding the WSP Audit Process

renata
Basic Rules and Procedures of 3x3 Basketball Game

Basic Rules and Procedures of 3x3 Basketball Game

viaan
Overview of RACP Divisional Clinical Examination

Overview of RACP Divisional Clinical Examination

manu
NJQSAC User Manual Overview and Process

NJQSAC User Manual Overview and Process

ted
Entity Resolution Problem in Customer Data Matching

Entity Resolution Problem in Customer Data Matching

jaer409
Residence Returning Scheme Points Allocation Guidelines

Residence Returning Scheme Points Allocation Guidelines

naliy
The Power of Music in Film: An Exploration of Ramin Djawadi's Cinematic Soundscapes

The Power of Music in Film: An Exploration of Ramin Djawadi's Cinematic Soundscapes

jeerype
Understanding Guidance: Definitions, Nature, Scope, and Importance

Understanding Guidance: Definitions, Nature, Scope, and Importance

jahziel
Understanding the Meaning, Definition, and Nature of Guidance in Education

Understanding the Meaning, Definition, and Nature of Guidance in Education

gideon

More Related Content

Adult Educational Guidance Services Model in Ireland
Adult Educational Guidance Services Model in Ireland
Compilation Guidance Development for National Accounts
Compilation Guidance Development for National Accounts
A Handbook for Building National MPIs: Practical Guidance for Ending Poverty
A Handbook for Building National MPIs: Practical Guidance for Ending Poverty
Training on Competence-Based Education and Practical Assignments
Training on Competence-Based Education and Practical Assignments
Understanding Guidance: Definitions, Nature, Scope, and Importance
Understanding Guidance: Definitions, Nature, Scope, and Importance
New Guidance on Vitamin D Supplements in Care Homes Workshop
New Guidance on Vitamin D Supplements in Care Homes Workshop
Adult Social Care Guidance on COVID-19 Prevention and Control
Adult Social Care Guidance on COVID-19 Prevention and Control
Practical Aspects of Taking Cervical Samples: Guidance for Sample Takers
Practical Aspects of Taking Cervical Samples: Guidance for Sample Takers
Understanding Probability and Calculating Probabilities with Z-Scores
Understanding Probability and Calculating Probabilities with Z-Scores
Understanding the Objectives of Online Laboratories in STEM Education
Understanding the Objectives of Online Laboratories in STEM Education
Supervision Guidance for Primary Care Network Multidisciplinary Teams
Supervision Guidance for Primary Care Network Multidisciplinary Teams
Guidance for the training of cervical sample takers
Guidance for the training of cervical sample takers
Federal Agencies Guidance on Ethics, Compliance, and Audit Services under NSPM-33
Federal Agencies Guidance on Ethics, Compliance, and Audit Services under NSPM-33
ESFA Funding Guidance for Young People 2022-2024
ESFA Funding Guidance for Young People 2022-2024
Evolution of Child Guidance: From History to Modern Practices
Evolution of Child Guidance: From History to Modern Practices
Guidance on Subject Access Requests under Data Protection Act 2018 for Social Workers in Children's Services
Guidance on Subject Access Requests under Data Protection Act 2018 for Social Workers in Children's Services
Understanding Child Guidance Clinics: A Comprehensive Overview
Understanding Child Guidance Clinics: A Comprehensive Overview
Detailed Guidance and Requirements for Implementing NSPM-33
Detailed Guidance and Requirements for Implementing NSPM-33
Comprehensive Guidance on COPD and Mental Health in Primary Care
Comprehensive Guidance on COPD and Mental Health in Primary Care
COPD and Mental Health: Holistic Guidance for Primary Care
COPD and Mental Health: Holistic Guidance for Primary Care
Unlocking the Potential of Workplace Learning: Tandem Training for VET Teachers and Trainers
Unlocking the Potential of Workplace Learning: Tandem Training for VET Teachers and Trainers
In-House Pro Bono: Regulatory Guidance and Challenges
In-House Pro Bono: Regulatory Guidance and Challenges
Understanding Employee Apprenticeships: Benefits, Responsibilities, and Guidance
Understanding Employee Apprenticeships: Benefits, Responsibilities, and Guidance
Care Concierge: Supporting You Through Later Life Care Journey
Care Concierge: Supporting You Through Later Life Care Journey