Practical Guidance for CVSS v4.0 Scoring

 
CVSS v4.0: Where the Rubber Meets the Road
Practical guidance for scoring the new standard.
Nick Leali and Dave Dugal
September 21, 2023


  1. CVSS v4.0: Where the Rubber Meets the Road
     Practical guidance for scoring the new standard.
     Nick Leali and Dave Dugal, September 21, 2023

  2. Agenda
     1. Introduction
     2. What is CVSS v4.0
     3. Score Transitions
     4. Metric Guidance
     5. Supplemental Metrics
     6. Resources

  3. What is new with v4.0?

  4. New CVSS Features
     Finer granularity, new Base metrics:
     - New Base metric: Attack Requirements (AT)
     - New Base metric values: User Interaction (UI): Passive (P) and Active (A)
     Temporal renamed to Threat; metrics simplified and clarified:
     - Remediation Level (RL) and Report Confidence (RC) retired
     - Exploit "Code" Maturity renamed to Exploit Maturity (E) with clearer values

  5. CVSS v4.0 Score Nomenclature
     The CVSS Standard is NOT just the Base Score. To stress this concept, new nomenclature has been adopted:
     - CVSS-B: CVSS Base Score
     - CVSS-BT: CVSS Base + Threat Score
     - CVSS-BE: CVSS Base + Environmental Score
     - CVSS-BTE: CVSS Base + Threat + Environmental Score
     The more metrics used to enrich your CVSS scoring, the higher quality your assessment will be.

  6. Scope is Retired!
     Retired Base Metric: Scope (S)
     Problem: Scope may have been the least loved and least understood CVSS metric ever.
     - Caused inconsistent scoring between product providers
     - Implied "lossy compression" of impacts of vulnerable and impacted systems
     Solution: Impact Metrics expanded into two sets:
     - Vulnerable System Confidentiality (VC), Integrity (VI), Availability (VA)
     - Subsequent System(s) Confidentiality (SC), Integrity (SI), Availability (SA)

  7. Supplemental Metric Group
     Supplemental Metrics give additional context to a vulnerability. No Supplemental Metric defines a numerical impact on the final calculated CVSS score.
     Note: All Supplemental Metrics supplied by the information provider are optional.
     - Automatable
     - Recovery
     - Value Density
     - Vulnerability Response Effort
     - Provider Urgency
     - Safety

  8. The Math of v4.0

  9. The Scores They Are A-Changin'
     cisco-sa-ipv4-vfr-dos-CXxtFacb / CVE-2023-20027
     A vulnerability in the implementation of the IPv4 Virtual Fragmentation Reassembly (VFR) feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

     Numeric score*          Vector string
     (v3 Base)          8.6  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
     (v4.0 Base)        8.7  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L
     (v4.0 B+T)         6.6  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:U
     (v4.0 B+T with S)  6.6  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/S:N/AU:Y/R:U/V:D/RE:M/U:Amber/E:U
     *Depending on your metrics

  10. Examples of v3 to v4.0 Transitions
     Privilege escalation (AV:Netwk, PR:Low)
       v3:   8.8  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
       v4.0: 8.7  CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
     Privilege escalation (AV:Local, PR:High)
       v3:   6.7  CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
       v4.0: 8.4  CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
     Denial of Service
       v3:   7.5  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
       v4.0: 8.7  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
     Shellshock
       v3:   9.8  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
       v4.0: 9.3  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
     Stored XSS
       v3:   5.4  CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
       v4.0: 5.1  CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
     Heartbleed
       v3:   7.5  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
       v4.0: 8.7  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:A

  11. Practical Scoring Guidance

  12. User Interaction: Passive or Active?
     User action                          Passive or Active?
     Browse an internal SharePoint site   Passive
     Click a link                         Active
     Run a program                        It Depends!
     View a document in email             Passive
     Connect to an access point           Passive
     Copy a file into a directory         Active
     Dismiss a security warning           Active

  13. Focus on: User Interaction
     Passive: "...limited interaction by the targeted user with the vulnerable system and the attacker's payload..."
     Active: "...perform specific, conscious interactions with the vulnerable system and the attacker's payload..."
     Two XSS examples, Stored vs. Reflected:
     CVE-2020-0926: A user must browse within a web application
       (v4.0 Base) 5.1  CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
     CVE-2022-24682: A user must click a link
       (v4.0 Base) 5.1  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

  14. Focus on: Attack Requirements
     Attack Requirements: "...the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack..."
     The metric is related to external challenges: deployment and execution conditions or variables of the vulnerable system must be overcome. Examples include a race condition or network injection (MITM).
     CVE-2020-3549: Cisco FMC and FTD Hash Theft
     An attacker must be able to observe traffic between hosts, an on-path attack.
       (v4.0 Base) 9.2  CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

  15. Focus on: Subsequent System Impact
     Subsequent System Confidentiality, Integrity, and Availability: "...assessment providers need to account for impacts both to the Vulnerable System and impacts outside of the Vulnerable System..."
     CVE-2023-22394: Junos OS Memory Leak DoS
     Subsequent systems, i.e. other hosts using the vulnerable device as a gateway, are impacted, and the SA:L metric is selected.
       (v4.0 Base) 8.7  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L
       (v4.0 B+T)  6.6  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:U

  16. Additional Subsequent System Impact Example
     Subsequent System Confidentiality, Integrity, and Availability: "...assessment providers need to account for impacts both to the Vulnerable System and impacts outside of the Vulnerable System..."
     CVE-2020-3947: VMware Use-After-Free
     A user within the guest operating system could execute arbitrary code on the host. A successful exploit could allow the attacker to impact the host and other virtual machines as a result.
       (v4.0 Base) 9.4  CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

  17. Subsequent System Guidance
     What IS a Subsequent System?
     - Guest host in a VM
     - Device attached to a network gateway
     - A managed device, including OT / ICS / SCADA equipment

  18. Context Clues: Supplemental Metrics

  19. Focus on: Safety
     Safety: "...indicates the degree of impact to the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited..."
     CVE-2023-28728: Panasonic Control FPWIN ICS Buffer Overflow
     The impact from an attacker gaining full control of software that is running on a programmable logic controller (PLC) may meet the definition of IEC 61508 consequence category marginal, critical or catastrophic.
       (v4.0 Base)    8.5  CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
       (v4.0 Base+S)  8.5  CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:P

  20. Focus on: Recovery
     Recovery: "...describes the resilience of a system to recover services, in terms of performance and availability, after an attack has been performed..."
     CVE-2016-5729: Lenovo Thinkpwn Exploit
     "The attacker could ... prevent recovery of the system ... and locking down the system."
       (v4.0 Base)    9.3  CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
       (v4.0 Base+S)  9.3  CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/R:I

  21. Focus on: Provider Urgency
     To facilitate a standardized method to incorporate additional provider-supplied assessment, an optional "pass-through" Supplemental Metric called Provider Urgency is available.
     CVE-2099-10001: 2099-01 Security Bulletin: Junos: RPD core due to receipt of BGP UPDATE with malformed optional transitive attributes
     A BGP UPDATE containing a specifically crafted set of transitive attributes can cause the RPD routing process to crash and restart. The RPD process crashes immediately upon receipt of the BGP UPDATE, resulting in a Denial of Service (DoS) of the router.
       (v4.0 Base)    8.7  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L
       (v4.0 Base+S)  8.7  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:N/U:Amber

  22. Focus on: Automatable
     CVE-2099-10002: 2099-01 Security Bulletin: Junos: RPD core due to processing and forwarding of BGP UPDATE with malformed optional transitive attributes
     A BGP UPDATE containing a specifically crafted set of transitive attributes can cause the RPD routing process to crash and restart. The RPD process forwards the BGP UPDATE, then crashes and restarts, resulting in a cascading Denial of Service (DoS) of the router and all downstream routers.
       (v4.0 Base+S)  8.7  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y/U:Red

  23. CVSS v4.0 Schedule and Timeline
     Request for Public Comment:      June 8th, 2023
     Closing of Public Comment:       July 31st, 2023
     Comment Responses Complete:      September 30th, 2023
     CVSS v4.0 Official Publication:  Q4/2023 (October 31st, 2023)
     Public comments, questions, and concerns: cvss@first.org

  24. Questions?

  25. Additional Resources
     CVSS v4.0 Site: https://www.first.org/cvss/v4/
     CVSS v4.0 Training: https://learn.first.org/catalog/info/id:126,cms_featured_course:1
     CVSS Feedback: cvss@first.org
     CVSS v4.0 Announcement: https://www.first.org/cvss/v4/cvss-v4.00-presentation.pdf
     CVSS Examples Draft: https://www.first.org/cvss/v4/examples
