An Exploit Prediction Scoring System (EPSS) estimates the probability that a vulnerability will be exploited in the wild. It helps prioritize vulnerability remediation efforts when used alongside an existing CVSS score.
The EPSS score is a probability expressed as a percentage between 0 and 100; the higher a vulnerability's score, the higher its chance of being exploited. EPSS derives this probability from current threat information about the CVE together with real-world exploit data.
The following are examples of vulnerabilities with high EPSS scores:
CVE ID: CVE-2019-0708
Vulnerability Detail: A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.
CVE ID: CVE-2019-5736
Vulnerability Detail: runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had to write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
The EPSS scores of the vulnerabilities above were calculated using the following EPSS calculator: https://secopsolution.com/epss-calculator
An EPSS score may change over time as the factors that affect the vulnerability change, so to stay up to date you should recalculate it regularly with the EPSS calculator.
The Common Vulnerability Scoring System (CVSS) assigns a score to a vulnerability on the basis of its principal characteristics. This score indicates the severity of the vulnerability and, on that basis, it can be categorized as low, medium, high, or critical severity, which an organization can use to prioritize the vulnerabilities present in its systems.
The CVSS score ranges from 0.0 to 10.0, where 1.0 is considered the least severe and 10.0 the most severe. A CVSS score is derived from three metric groups: Base, Temporal, and Environmental. These groups cover, respectively, the intrinsic characteristics of a vulnerability and its impact, the characteristics that change over time, and the characteristics specific to a particular environment.
The following are vulnerabilities with high CVSS scores:
CVE ID: CVE-2019-19781
Vulnerability: Citrix Application Delivery Controller Vulnerability
CVE ID: CVE-2018-7600
Vulnerability: Drupal Remote Code Execution Vulnerability
CVE ID: CVE-2017-8759
Vulnerability: Microsoft .NET Framework Remote Code Execution
EPSS is an open, data-driven initiative that seeks to determine the likelihood that a software vulnerability will be exploited in the field, whereas the severity score produced by CVSS is based on the vulnerability's inherent features.
For example, consider the following vulnerabilities, which have a high CVSS score but a low EPSS score:
1. CVE ID: CVE-2022-34878
CVSS Score: 8.8
EPSS Score: 0.89%
Vulnerability Detail: SQL Injection vulnerability in User Stats interface (/vicidial/user_stats.php) of VICIdial via the file_download parameter allows an attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
2. CVE ID: CVE-2022-31245
CVSS Score: 8.8
EPSS Score: 9.03%
Vulnerability Detail: Mailcow before 2022-05d allows a remote authenticated user to inject OS commands and escalate privileges to domain admin via the --debug option in conjunction with the ---PIPEMESS option in Sync Jobs.
However, the two methods can be combined into a better prioritization technique: CVSS is a useful tool for capturing the fundamental properties of a vulnerability, but it needs to be used together with data-driven threat information such as EPSS in order to prioritize vulnerability remediation efforts more effectively.
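As an added illustration of combining the two scores (this is example code written for this page, not a SecOps Solution tool), the function below buckets findings by CVSS severity and EPSS probability and ranks them; the 5% EPSS and 7.0 CVSS thresholds are assumptions, and the third finding is a constructed placeholder, not a real CVE.

```python
"""Rank vulnerabilities by combining CVSS severity with EPSS exploitation probability."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float   # CVSS base score, 0.0 to 10.0
    epss: float   # EPSS probability as a fraction, 0.0 to 1.0 (0.0903 == 9.03%)


def cvss_severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def priority_bucket(f: Finding, epss_threshold: float = 0.05,
                    cvss_threshold: float = 7.0) -> int:
    """1 = severe and likely exploited, 2 = likely exploited, 3 = severe only, 4 = the rest.
    Thresholds are assumptions chosen for this example, not EPSS or CVSS guidance."""
    severe = f.cvss >= cvss_threshold
    likely = f.epss >= epss_threshold
    if severe and likely:
        return 1
    if likely:
        return 2   # real-world exploitation outranks a higher but unexploited CVSS score
    if severe:
        return 3
    return 4


def prioritize(findings):
    """Sort by bucket first, then by EPSS, then by CVSS (highest first within a bucket)."""
    return sorted(findings, key=lambda f: (priority_bucket(f), -f.epss, -f.cvss))


# Sample input: the two CVEs discussed above plus one constructed placeholder finding.
SAMPLE = [
    Finding("CVE-2022-34878", 8.8, 0.0089),
    Finding("CVE-2022-31245", 8.8, 0.0903),
    Finding("CVE-EXAMPLE-0001", 5.3, 0.40),  # constructed: medium CVSS, high EPSS
]
```

Running `prioritize(SAMPLE)` places CVE-2022-31245 first, the constructed medium-severity finding second because of its high exploitation probability, and CVE-2022-34878 last despite sharing the same CVSS score.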