CVSSv3: Newer Is Better, Right?
January 5, 2017 • RBS
The Common Vulnerability Scoring System (CVSS) is currently developed and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world.
The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base group represents the intrinsic qualities of a vulnerability, the Temporal group reflects the characteristics of a vulnerability that change over time, and the Environmental group represents the characteristics of a vulnerability that are unique to a user's environment. The Base metrics produce a score ranging from 0.0 to 10.0, which can then be modified by scoring the Temporal and Environmental metrics. A CVSS score is also represented as a vector string, a compressed textual representation of the values used to derive the score.
CVSSv1 was first released in February 2005 by the National Infrastructure Advisory Council (NIAC). This initial draft was not subject to peer review or reviewed by other qualified organizations. In April 2005, NIAC selected the Forum of Incident Response and Security Teams (FIRST) to become the custodian of CVSS for future development.
Feedback from vendors utilizing CVSSv1 in production suggested there were “significant issues with the initial draft of CVSS”. Work on CVSSv2 began in April 2005 with the final specification being launched in June 2007.
CVSSv2 became widely used and supported by many vendors as well as vulnerability scanning tools, security detection tools, and service providers. Even though it was heavily relied on, the standard had problems. In 2013, we at Risk Based Security published an open letter called CVSSv2 Shortcomings, Faults, and Failures Formulation discussing these concerns as work on CVSSv3 was underway. Some of the reviewed areas were:
- Insufficient granularity
- Vague and ambiguous guidelines
- The challenge of scoring authentication
- The pitfalls of “Access Complexity”
- Limitations of the “Access Vector” breakdown
- And a variety of other considerations to improve vulnerability scoring
The conclusion pointed to the need for CVSS to be overhauled. It had too many shortcomings to provide an adequate and reliable risk scoring model.
Initial work on CVSSv3 commenced in May 2012, as the FIRST Board approved the roster for the CVSS Special Interest Group (SIG) team that would oversee the development. During the preview stage RBS provided a longer report with feedback directly to the FIRST CVSS SIG.
In June 2015, CVSSv3 was officially released, eight years after the standard was last officially updated.
As part of our VulnDB offering, we have scored tens of thousands of vulnerabilities with CVSSv2 and were looking forward to an improved standard. While improvements have been made, CVSSv3, unfortunately, also introduced new concerns and did not completely address some of the problems with CVSSv2.
Currently, we at Risk Based Security have not switched from CVSSv2 to CVSSv3. We first wanted to better understand the improvements and limitations of CVSSv3 and also observe its adoption. While some vendors and organizations have started using CVSSv3, our current stance seems to be in line with a majority of the industry, as CVSSv3 adoption has not been swift.
As part of our analysis into CVSSv3, we have decided to publish a series of blog posts over the coming month, sharing our thoughts on CVSSv3 and, hopefully, ultimately concluding whether CVSSv3 provides sufficient value to justify a switch.