Sat Jul 08

CVE and CVSS Scoring Explained

If you are concerned about cybersecurity (and you might be as you are reading this now), you have probably heard of terms like CVE and CVSS. But what do they mean and how do they work? In this article, we will explain what CVE and CVSS are, why they are important, and how they can help you manage vulnerabilities in your software and systems.

What is CVE?

CVE stands for Common Vulnerabilities and Exposures. It is a project that tracks and catalogs publicly known vulnerabilities in software and hardware. It is funded by the US Department of Homeland Security and maintained by the MITRE Corporation.

If you look closely, the abbreviation contains two key words: vulnerabilities and exposures. A vulnerability is a weakness or flaw in a product or system that an attacker can exploit to compromise its security or functionality. An exposure, by contrast, is a situation or configuration that allows an attacker to access or affect a product or system.

A CVE record is a standardized entry that describes a vulnerability or exposure in a common language and format. It contains a unique identifier (CVE ID), a brief description, references to external sources of information, and other metadata.

The main purpose of CVE is to provide a common way of naming and describing vulnerabilities and exposures so that they can be easily identified, shared, compared, and analyzed by different parties such as security researchers, vendors, users, and tools.

How are CVE Records Created?

CVE records are created by organizations called CVE Numbering Authorities (CNAs). CNAs are entities that have the authority to assign and publish CVE IDs for vulnerabilities or exposures that affect their products or domains. There are over 150 CNAs worldwide, including software vendors, open source projects, research institutes, government agencies, and security companies.

The process of creating a CVE record involves the following steps:

Discover

This step refers to when a person or organization identifies a new vulnerability.

Report

The discoverer reports the findings to a CVE Program participant. A CVE Program participant can be a CVE Numbering Authority (CNA), which is authorized to assign CVE IDs to vulnerabilities affecting products within its scope, or a CVE Submitter, which is an individual or organization that submits vulnerability information to a CNA or directly to the CVE Program.

Request

The CVE Program participant who receives the vulnerability report requests a CVE Identifier (CVE ID). A CVE ID is a unique identifier assigned to each vulnerability in order to track and reference it throughout its lifecycle.

Reserve

After the CVE ID is requested, it is reserved for the vulnerability. This means that the CVE stakeholder(s) involved in the coordination and management of the vulnerability start using the CVE ID internally. However, the vulnerability is not yet publicly disclosed, and the responsible CVE Numbering Authority (CNA) is not ready to make it known.

Submit

The CVE Program participant submits the details of the vulnerability to the CNA. These details typically include information about the affected product(s), specific versions impacted or fixed, the type of vulnerability, its root cause, impact, and at least one public reference or source of information.

Publish

The responsible CNA publishes the CVE Record to the CVE List when it has the minimum required data elements. The CVE List is a public database or repository with information on known vulnerabilities. The CVE Record becomes public after publication, and security professionals, researchers, and organizations can download and view it to learn about the vulnerabilities and take appropriate actions to reduce the risks.

What is CVSS?

CVSS stands for Common Vulnerability Scoring System. It is a standard that defines how to measure and communicate the severity of vulnerabilities. It was developed by an international group of experts from various sectors such as government, industry, academia, and the security community.

A CVSS score is a numerical value that represents the potential impact of a vulnerability on a product or system. It is based on several factors such as the type, scope, complexity, and exploitability of the vulnerability, as well as the availability and effectiveness of mitigations.

The purpose of CVSS is to provide a consistent and objective way of assessing and comparing the severity of vulnerabilities so that they can be prioritized and managed accordingly by different parties such as vendors, users, and tools.

How are CVSS Scores Calculated?

CVSS scores are calculated using a formula that takes into account three metric groups: base, temporal, and environmental. Each metric group consists of several metrics that have predefined values and weights. The formula combines the values and weights of the metrics to produce a score ranging from 0 to 10, where 0 means no impact and 10 means maximum impact.

The three metric groups are:

Base

This group reflects the intrinsic characteristics of a vulnerability that are constant over time and across user environments. It includes metrics such as attack vector, attack complexity, privileges required, user interaction, scope, confidentiality impact, integrity impact, and availability impact.

Temporal

This group reflects the characteristics of a vulnerability that may change over time due to the availability of exploits, patches, or other factors. It includes metrics such as exploit code maturity, remediation level, and report confidence.

Environmental

This group reflects the characteristics of a vulnerability that are specific to a user’s environment and may vary from one user to another. It includes metrics such as modified attack vector, modified attack complexity, modified privileges required, modified user interaction, modified scope, modified confidentiality impact, modified integrity impact, modified availability impact, security requirements, and collateral damage potential.

The CVSS scoring formula is:

CVSS Score = ((Base Score) + (Temporal Score) + (Environmental Score)) / 3

The CVSS rating scale is:

| Score | Rating | Description |
|---|---|---|
| 0.0 | None | The vulnerability has no impact or is not exploitable. |
| 0.1 - 3.9 | Low | The vulnerability has minimal impact or is difficult to exploit. |
| 4.0 - 6.9 | Medium | The vulnerability has moderate impact or is moderately easy to exploit. |
| 7.0 - 8.9 | High | The vulnerability has severe impact or is easy to exploit. |
| 9.0 - 10.0 | Critical | The vulnerability has extreme impact or is very easy to exploit. |

How does CVE correlate to CVSS?

CVSS can be used to score each CVE entry to show how severe and impactful the vulnerability is. However, CVE does not give any scores or rankings by itself, and is not directly linked to CVSS. The National Vulnerability Database (NVD) gives CVSS base scores for most CVE entries, and also has a CVSS calculator that lets users add more score data to adjust their severity ratings. Therefore, CVSS can help organizations evaluate and prioritize vulnerabilities for remediation based on their risk levels and business impacts.

Using CVE and CVSS Scores

Both CVE and CVSS scores can be used together to search, analyze, and prioritize vulnerabilities in your software and systems.

For example, you may use CVE IDs to search for vulnerabilities that affect your products or domains on the official CVE website, the NVD, or other public sources. Knowing the specific CVE IDs can greatly accelerate your research, particularly when using tools like [SearchSploit](https://www.binaryte.com/blog/exploring-exploit-possibilities-with-search-sploit), cutting the time spent on investigation and getting you to results faster. CVE descriptions and references may also help you understand the nature and impact of vulnerabilities on your products or systems.

For CVSS scores, there are three metric groups involved, as mentioned earlier. Each group gives you a more thorough understanding of a specific vulnerability.

For example, CVSS base scores let you compare the intrinsic severity of vulnerabilities across different products or systems. Higher base scores indicate more severe vulnerabilities that require immediate attention. The CVSS temporal score takes into account how a vulnerability changes over time, so monitoring it helps you stay current and adapt your mitigation strategies accordingly. Additionally, CVSS environmental scores give you the flexibility to adjust vulnerability severity to your specific environment and requirements. By considering additional factors, such as the impact on your organization’s unique assets and configurations, you can tailor the severity rating to better reflect the actual risk posed.

Conclusion

CVE and CVSS scores are valuable tools for vulnerability management. They can help you identify, describe, measure, and communicate the severity of vulnerabilities in your software and systems. They can also help you search, analyze, and prioritize vulnerabilities for remediation based on their risk levels and business impacts.

However, CVE and CVSS scores are not perfect or complete. They have some limitations that should be taken into account when using them for vulnerability management. While CVSS metrics are valuable tools, it’s important to remember that they should not replace human judgment or expertise. Relying solely on these metrics does not guarantee complete security or safety.