The Common Vulnerability Scoring System (CVSS) is a framework used by cybersecurity professionals to assess the severity of vulnerabilities in software and systems. CVSS provides a score that indicates the severity of a vulnerability, based on several metrics such as the ease of exploitation, impact on confidentiality, integrity, and availability, and the required level of user interaction. In January 2023, the National Institute of Standards and Technology (NIST) released an update on CVSS 4.0, outlining the changes and improvements made to the framework.

CVSS chronology

CVSS has undergone a number of versions, with each version incorporating new metrics and improvements. The first version of CVSS was released in 2005, followed by CVSS v2 in 2007, which introduced several new metrics such as Access Vector, Access Complexity, and Authentication. In 2015, CVSS v3 was released, which addressed some of the limitations of previous versions and introduced new metrics, such as Attack Vector and Attack Complexity. While CVSS has been an effective tool for vulnerability assessment, it has also faced criticism for some of its shortcomings.

Challenges of v3 and goals of v4

Despite the improvements made in CVSS v3, there were still some limitations that needed to be addressed. One of the key challenges of CVSS v3 was the scoring system was difficult to interpret, leading to confusion among users, with vulnerabilities being assigned a single score without taking into account the specific circumstances required for an attacker to exploit the vulnerability. The goal of CVSS v4 was to address this limitation by introducing new metrics that provide a more comprehensive assessment of vulnerabilities and their potential impact.

What's new in cvssv4?

CVSS is not just the Base Score, now new nomenclature has been adopted:

• CVSS-B: CVSS Base Score
• CVSS-BT: CVSS Base + Threat Score
• CVSS-BE: CVSS Base + Environmental Score
• CVSS-BTE: CVSS Base + Threat + Environmental Score

In CVSSv4, Temporal metrics has been renamed to Threat in which Remediation Level (RL) and Report Confidence (RC) has been retired and “Exploit code maturity” has been renamed to “Exploit maturity”.

New Base metric: Attack Requirements (AT) is added which Reflects the prerequisite conditions of the vulnerable component that make the attack possible.

In the Base metric: User Interface (UI) new values have been added 

• Passive (P): Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable component 
• Active (A): Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable component.

Base metric: Scope (S) has been removed and in its place impact metrics have expanded on two sets Vulnerable System (Confidentiality (VC), Integrity (VI), Availability (VA)) and Subsequent Systems (Confidentiality (SC), Integrity (SI), Availability (SA)).

A new metric has been added in Cvssv4: Supplemental metric group: It provides the ability to define new metrics that describe and measure additional extrinsic attributes of a vulnerability. It includes the following:

• Automable (A): The “Automatable” metric captures the answer to the question ”Can an attacker automate the exploitation of this vulnerability across multiple targets?” based on steps 1-4 of the kill chain: reconnaissance, weaponization, delivery, and exploitation. 

             Metric value:

                           a. No (N): Attackers cannot reliably automate all steps of the kill chain.

                            b. Yes (Y): Attackers can reliably automate all steps of the kill chain.

• Recovery (R): This metric describes the resilience of a Component/System to recover services, in terms of performance and availability, after an attack has been performed.

              Metric value:

                           a. Automatic (A): The Component/System recovers automatically after an attack.

                           b. User (U): The Component/System requires manual intervention by the user to                                   recover services, after an attack.

                           c. Irrecoverable (I): The Component/System is irrecoverable by the user, after an                                  attack.

• Value Density (V): Value Density describes the resources that the attacker will gain control over with a single exploitation event. It has two possible values, diffuse and concentrated.

              Metric value:

                          a. Diffuse (D) The system that contains the vulnerable component has limited                                 resources. 

                           b. Concentrated (C) The system that contains the vulnerable component is rich in                                   resources.

• Vulnerability Response Effort (RE): Provides supplemental information on how difficult it is for consumers to provide an initial response to the impact of vulnerabilities for deployed products and services in their infrastructure.

            Metric value:

                         a. Low (L) The effort required to respond to a vulnerability is low/trivial.

                          b. Moderate (M) The actions required to respond to a vulnerability require some                                 effort on behalf of the consumer and could cause minimal service impact to                                 implement.

                           c. High (H) The actions required to respond to a vulnerability are significant and/or                                  difficult, and may possibly lead to an extended, scheduled service impact.

• Provider Urgency (U): It facilitates a standardized method to incorporate additional provider-supplied assessment, an optional “pass-through” Supplemental Metric called Provider Urgency has been defined.

              Metric value:

                            a. Red (R) …the highest urgency

                            b. Amber (A) …a moderate urgency

                            c. Green (G) …a reduced urgency

                            d. Clear (C) …low or no urgency (i.e.: Informational)

More focus on OT/Safety: The conventional C/I/A trio of logical impacts no longer accurately describes many vulnerabilities, hence the new Cvssv4 also concentrates outside of this triad. It includes:

               a. Consumer-assessed Safety (MSI:S, MSA:S)

                b. Provider-assessed Safety through Safety (S) supplemental metric

Final thoughts:

The update on CVSS 4.0 represents a significant improvement to the framework, providing a more accurate and nuanced assessment of the severity of vulnerabilities. The addition of new metrics allows for a more comprehensive assessment of vulnerabilities and their potential impact. With the guidance and best practices provided by NIST, cybersecurity professionals can use CVSS 4.0 effectively to assess vulnerabilities and prioritize remediation efforts.

‍

SecOps Solution is an award-winning agent-less Full-stack Vulnerability and Patch Management Platform that helps organizations identify, prioritize and remediate security vulnerabilities and misconfigurations in seconds.

To schedule a demo, just pick a slot that is most convenient for you.