Myth: “You Can’t Give a CVSS Score to a Vulnerability Without a CVE ID”
October 12, 2021 • RBS
Who owns and maintains CVSS? Hint: it’s not MITRE. Even though the National Vulnerability Database (NVD) assigns CVSS severity scores to CVE entries, a vulnerability doesn’t need a CVE ID to be scored.
The popularity and widespread use of CVE/NVD has also contributed to the second myth in our latest series, Vulnerability Myths You Should Stop Believing. There are those who believe that a CVSS severity score depends on the vulnerability having a CVE ID. That is not true.
This false assumption most likely stems from NVD entries displaying a CVSS score front and center, but CVSS is not developed or maintained by MITRE. CVSS is managed by FIRST.Org, Inc., a US-based non-profit organization. Once a CVE is published, the score you see on the NVD entry is the one NVD assigned to it days or weeks later.
What is a CVSS Score?
Confusion between CVSS and CVE may come from not fully understanding what CVSS actually is. Essentially, a CVSS score represents the severity and characteristics of a vulnerability. It is computed from a formula over three metric groups: Base, Temporal, and Environmental. A score can be generated from the Base metrics alone; the Temporal and Environmental groups are optional metrics used to further refine a score. None of these three groups depends on a CVE ID. The scoring all comes down to what is known about the vulnerability in question.
But with that in mind, this vulnerability myth is rooted in trust issues. This is what believers of this myth are really asking:
- Are vulnerabilities without CVE IDs real vulnerabilities?
- How do you even know/find these details if there is no CVE ID?
Vulnerabilities Without CVE IDs Are Real Vulnerabilities
Yes, vulnerabilities without CVE IDs are real. By definition, vulnerabilities are any flaw in computer software or hardware that allows an attacker to cross privilege boundaries, whether it has a CVE ID or not. Furthermore, a CVE ID isn’t a “seal of approval”. For one thing, CVE has long had a problem with inaccuracies created from insufficient vetting, and includes some entries that are not vulnerabilities by definition. If we were to treat CVE IDs as a certificate of authenticity, we would have to accept those entries as credible.
The opposite scenario is true too. If a CVE ID is required before we take vulnerabilities seriously, then what about zero-days? Are they not real until they are officially reported to MITRE? We’ll discuss zero-days more later…
The Details Are There If You Look for Them
So now you’re convinced: vulnerabilities without CVE IDs are real and need to be dealt with. But how can we find actionable details for vulnerabilities that have no CVE ID?
Things like impact, exploit information, solution details, and other metadata are needed to understand the potential scope of a vulnerability and how it can be remediated. However, security professionals know that CVE entries often lack this information. That doesn’t mean the information doesn’t exist!
The answer ties into the first vulnerability myth and our previous discussions on vulnerability discovery. CVE isn’t the official source for vulnerabilities; it is just the “most used” one. Vulnerability sources come in all shapes and sizes: researcher blogs, service sites like GitHub, or social media. MITRE doesn’t monitor any of these sources; it just aggregates whatever information is reported directly to it.
This is why security professionals waste hours validating the vulnerabilities in their queue instead of actually managing them. When it comes to many CVE entries, there are no standards. Recent changes in the CVE and CNA (CVE Numbering Authority) rules have each CNA writing vulnerability descriptions. Worse, any researcher requesting a CVE ID can include a proposed description. These are often used without any sanity checking or edits to make them standard and readable. There are even CVE descriptions that don’t mention the vulnerable product!
If you want actionable data, you need dedicated resources and personnel who are aware of and monitoring all known vulnerability sources. There are really only two alternatives: either hire full-time staff dedicated to vulnerability discovery, or let someone else do the research for you and rely on a comprehensive and detailed vulnerability intelligence solution.
Thanks for tuning in to the latest edition of Vulnerability Myths You Should Stop Believing. If you want more details on CVSS scores, check out our previous in-depth article series. Join us next week to find out if there is such a thing as a “100% secure” product.