CVSS v4: Assessing vulnerabilities to prioritize their mitigation
CVSS v4 expands the focus on the issues to be taken into account when assessing IT vulnerabilities and making decisions to remediate them
Even today, many people are still unaware that a cyber-attack has direct consequences for the companies and individuals affected by it, to the extent that security incidents in sectors such as industry or healthcare can compromise people’s physical safety and even cause fatalities.
CVSS v4, the new version of a key indicator for assessing the severity of known vulnerabilities, addresses this issue by including several metrics that account for the safety of human beings. However, this is only one of several new features of CVSS v4.
FIRST, a global forum of security and incident response groups has officially released CVSS v4 to update an indicator that has become a standard for IT vulnerability management. The final CVSS v4 document includes:
- Changes to the indicator’s base metrics.
- An emphasis on evaluating the impact of vulnerability exploitation on both the vulnerable system and subsequent systems.
- The transformation of the old temporal metrics into threat metrics.
- A set of supplementary metrics that do not affect the vulnerability score but can be of great help in aspects such as safety, recovery from security incidents, or combating the automation of attacks.
- An emphasis on the need for the most comprehensive assessments possible.
- An explanation of how the scoring system was developed from 15 million CVSS-BTE vectors through the ongoing work of cybersecurity experts.
The following is an analysis of the new features of CVSS v4, highlighting its usefulness for professionals providing vulnerability management services in enterprise IT infrastructures.
1. A standard that facilitates IT vulnerability management
Over almost two decades, CVSS has become a global standard for scoring, prioritizing, and mitigating vulnerabilities based on their likelihood of being exploited and their level of impact on organizations in the event of successful exploitation.
The more than 200,000 vulnerabilities currently known have neither the same probability of being successfully exploited by hostile actors nor the same level of impact on companies in the event of a security incident. For this reason, the Common Vulnerability Scoring System is the indicator cybersecurity professionals and companies use to assess the vulnerabilities present in the corporate IT infrastructure and to mitigate them.
However, organizations do not have infinite financial, human, technical, and time resources to address all vulnerabilities. It is, therefore, of vital importance to prioritize the vulnerabilities whose exploitation may be most critical for a company, taking into account its business objectives and the need to ensure business continuity.
1.1. Measuring the severity level of a vulnerability
The score assigned to a vulnerability using the CVSS model ranges from 0 to 10, depending on the different metrics evaluated when analyzing the vulnerability. The score obtained on the scale indicates the level of severity of a vulnerability:
- 0.1 – 3.9: Low severity level
- 4.0 – 6.9: Medium severity level
- 7.0 – 8.9: High severity level
- 9.0 – 10.0: Critical severity level
As with previous versions, FIRST has developed a calculator for CVSS v4 that allows you to obtain the CVSS score immediately based on the values you select for each metric. This calculator applies advanced formulas developed by the FIRST team to make the tool as easy to use as possible.
Since version 1 was released in 2005, FIRST has periodically published several updates to adapt this standard to the changing cyber threat landscape.
The result of this constant updating work is the release of CVSS v4 in 2023, which introduces a series of modifications to the standard we will now describe.
2. Changes to the base metrics
Base metrics are, as the name suggests, those that measure the intrinsic characteristics of a vulnerability. As a result:
- They remain stable over time.
- They are the same in all user environments.
- They are essential when analyzing a vulnerability using this system.
The base metrics are further divided into exploitation metrics and impact metrics. CVSS v4 has introduced several new features related to both types.
2.1. New exploitation metrics and values
- A new exploitation metric has been created: Attack Requirements (AT). This metric focuses on the deployment and execution preconditions that enable the attack. The values of this metric are:
- a. None. Hostile actors can successfully exploit the vulnerability without relying on system deployment conditions.
- b. Present. The success of the attack depends on execution conditions that are not under the attacker’s complete control, such as winning a race condition or being positioned on a network segment that allows interception of the data exchanged between the victim and the target resource.
- In the User Interaction (UI) metric, which deals with whether or not a human being (beyond the attacker) needs to be involved for the vulnerable asset to be compromised, two values have been incorporated in addition to None:
- a. Passive. Limited participation by a user is required to exploit the vulnerability, without that user actively subverting system protections. For example, running an application that calls a malicious binary deployed on the system.
- b. Active. Exploiting the vulnerability requires the user to perform specific and conscious interactions with the vulnerable system, and the attacker’s payload or user interaction alters the implemented security mechanisms, facilitating the exploitation of the vulnerability. For example, the user has to import a file into a vulnerable application or disregard security warnings when performing a specific action.
2.2. Assessing the impact on a vulnerable system and subsequent systems
Regarding the base impact metrics, i.e., those that measure the effects of exploiting a vulnerability, it should first be noted that CVSS v4 eliminates the Scope metric. According to FIRST, this metric was difficult to understand and gave rise to inconsistencies when assessing vulnerabilities.
Secondly, CVSS v4 has proceeded to create two different assessments of the impact of exploiting a vulnerability, differentiating between:
- Impact on the vulnerable system
- Impact on subsequent systems
Thus, security analysts using CVSS v4 must determine the values of the impact metrics (Confidentiality, Integrity, and Availability) separately for the system affected by the vulnerability and for the related systems that may be affected. If no impact on subsequent systems can be determined, it is sufficient to select the value None in all the subsequent-system impact metrics.
3. Adaptation of environment metrics
As far as environment metrics are concerned, CVSS v4 has not introduced modifications per se. However, it is essential to note that the system differentiates between two types of environment metrics:
- The environment metrics proper, which focus on the characteristics of a vulnerability that are relevant to a particular environment and reflect the particularities of each organization. These metrics are Confidentiality Requirements, Integrity Requirements, and Availability Requirements.
- The modified base metrics. This group of metrics works as a mirror of the base metrics. It has been designed to allow security analysts to override the base metrics, adapting the evaluation to the specific characteristics of the environment they are analyzing.
In this way, each base metric has a replica in the form of an environment metric. This means that the changes described above carry over to the environment metrics that modify the base metrics.
Beyond what we have just pointed out, we must highlight the importance given by CVSS v4 to the safety of people. So much so that two environment metrics expressly include the need to analyze the impact of the exploitation of a vulnerability on the workers, clients, or patients of the organization being evaluated:
- Subsequent System Integrity (MSI)
- Subsequent System Availability (MSA)
In both metrics, the Safety (S) value can be selected in case it is determined that exploitation of the vulnerability could lead to severe injury or even more significant harm to people. This is particularly interesting for areas such as industrial control systems (ICS) or the health sector.
4. Threat metrics replace temporal metrics
The third type of metrics in the versions of the indicator before CVSS v4 were the temporal metrics. In CVSS v4, they have been replaced by threat metrics. In addition, the Remediation Level and Report Confidence metrics have been removed from the specification, so that the only threat metric is Exploit Maturity (E).
According to the CVSS v4 specification document, the threat metrics are intended to:
- Measure the current state of exploit techniques or the availability of code that hostile actors can employ to exploit the vulnerability.
- Analyze the existence of patches or fixes to mitigate the vulnerability.
- Assess the level of confidence in the vulnerability description.
As a result, the Exploit Maturity metric is used to measure the probability of exploitation of the vulnerability, considering the existence or not of techniques, code, and methodologies for its execution.
To address this metric, organizations must rely on Threat Intelligence services that gather information on malicious activities and the techniques and methods used by hostile actors. Threat Intelligence professionals can determine the value to assign to this metric:
- Attacked (A). Attacks focused on exploiting the vulnerability have been reported, or there is evidence of tools or solutions that simplify exploitation.
- Proof of Concept (P). A proof of concept is publicly available, but no exploitation attempts have been reported, nor have tools been discovered that simplify exploitation.
- Unreported (U). No proof of concept, attacks, or tools have been reported.
5. Supplementary metrics and extrinsic characteristics of the vulnerability
In addition to the three major groups of metrics (base, threat, environment), CVSS v4 incorporates a new category of metrics that are not taken into account when scoring a vulnerability but which can be very useful for companies when managing and mitigating vulnerabilities in their IT infrastructure.
IT vendors can also use these metrics to inform the companies that purchase their products.
These six additional metrics measure extrinsic attributes of a vulnerability and provide contextual information that can be valuable in assessing the risk of a vulnerability and whether or not to prioritize its mitigation.
5.1. Safety, automation, recovery…
As they do not affect the calculation of the CVSS score, companies are free to determine what relevance they assign to each of these metrics:
- Safety. It focuses on the potential impact of exploiting a vulnerability on the physical safety of people. Some systems are directly tied to safety functions, such that an incident in those systems can directly affect people’s safety.
- Automatable. This metric assesses whether the first four phases of the Cyber Kill Chain (reconnaissance, weaponization, delivery, and exploitation) can be automated and run against multiple targets.
- Provider Urgency. Many vendors provide additional security assessments of vulnerabilities affecting their products. This metric standardizes them through a traffic light system: red, amber, and green. Red indicates maximum urgency, amber indicates moderate urgency, and green indicates reduced urgency. The fourth option, “Clear,” indicates that the impact is low and, therefore, the assessment is only informational.
- Recovery. This metric measures the resilience of a system and the organization’s ability to recover from an attack.
- Value Density. The resources that hostile actors can control by exploiting the vulnerability. The key is to measure whether the vulnerable system has limited resources or, on the contrary, has access to many resources.
- Vulnerability Response Effort. The actions that need to be taken to respond to a vulnerability and remediate it successfully have different difficulty levels. This metric measures how difficult it would be for an organization to mitigate the vulnerability successfully. This information helps prioritize vulnerabilities and their remediation.
6. CVSS v4, the added value of going beyond the assessment of base metrics
In addition to the new features described in this article, CVSS v4 focuses on a fundamental issue for FIRST: how this vulnerability assessment system is used.
FIRST takes advantage of the CVSS v4 concept to remind cybersecurity specialists, companies, and public administrations that the standard goes far beyond the base metrics. Evaluating these metrics is indispensable to scoring a vulnerability, and they measure its intrinsic characteristics. But threat and environment metrics are also fundamental for analyzing the probability of exploitation of a vulnerability and its impact on a specific environment.
Therefore, when using CVSS v4, it is recommended that all metrics be completed to obtain a very accurate score on the severity of a vulnerability for a specific organization.
6.1. CVSS-BTE: Understanding the risk of a vulnerability
This comprehensive analysis is called CVSS-BTE (Base, Threat, Environment). It provides a broad overview of a vulnerability, considering the threat landscape and the characteristics, resources, and business objectives of the organization that must mitigate it.
The team that developed the new version of this vulnerability assessment system maintains that CVSS-B, i.e., an analysis that includes only the base metrics, serves to observe the technical severity of a vulnerability and only takes into account the characteristics of that vulnerability. Therefore, it is recommended that vulnerability mitigation decisions not be based on this type of assessment alone.
Instead, CVSS-BTE allows us to understand the actual risk a vulnerability poses to a company, since it considers the real threats linked to the vulnerability, through Threat Intelligence services, and the criticality for the environment of a successful exploitation.
In this way, FIRST argues that the raison d’être of this tool, and the reason it has become a global standard, is that it helps to manage vulnerabilities and undertake their mitigation with maximum efficiency, taking into account the reality and priorities of each organization.
CVSS v4 is a further step in the evolution of a critical indicator to help companies improve their resilience to cyber-attacks.
6.2. Recommendations for assessing vulnerabilities
In its final version, CVSS v4 incorporates a series of recommendations to help professionals and companies use this tool.
6.2.1. How to enrich the results of vulnerability scanning
- Integrate vulnerability scanning results with enterprise asset management. This will enable the use of environment metrics and facilitate the remediation of identified vulnerabilities.
- Incorporate the information provided by Threat Intelligence professionals into the vulnerability scanning results. Since such information will allow the use of exploit maturity metrics, the CVSS v4 score will be more accurate in prioritizing vulnerabilities.
6.2.2. Clarification of concepts and use cases
- Keep in mind that confidentiality and integrity metrics revolve around potential impacts on the data used by a service. At the same time, availability metrics focus on the performance and operation of the service itself.
- Concepts for evaluating local attacks are clarified.
- FIRST includes in the usage guide several examples to understand the relationship between vulnerable systems and downstream systems.
6.2.3. Using CVSS v4 to go a step further in vulnerability assessment
- Although CVSS v4 is a tool designed to assess vulnerabilities individually, it is possible to analyze a chain of vulnerabilities. Analysts must detect which exposures are interrelated, evaluate them separately, and then combine the results into a vector representing the chained vulnerabilities.
- The user guide informs practitioners how to use CVSS v4 to assess the impact of a vulnerability in a library.
- In addition, it is also possible to obtain multiple CVSS Base scores for a single vulnerability depending on the product versions, platforms or operating systems on which it is present.
In short, CVSS v4, whose final publication will take place in the coming months, updates the metrics used to measure the severity of IT vulnerabilities and covers more of the aspects to be taken into account in vulnerability management. The aim is to increase the level of customization of the tool and to focus on aspects as crucial as the physical safety of people.