The speakers detailed required improvements.
Fundamental errors in the Common Vulnerability Scoring System (CVSS) need to be resolved for better prioritisation.
Discussing six “operational challenges” within the CVSS, speakers Ankur Sand and Syed Islam said that in their research they “don't believe it is fully solved, we just started the journey and we will look at improving it.”
Fail the Triad
The speakers - who said they were not speaking on behalf of their mutual employer JP Morgan Chase - told the audience at the Black Hat Europe conference in London that most CVSS scores use the ‘CIA’ triad of confidentiality, integrity, and availability “and CVSS uses those three core items to define the impact of any given vulnerability.”
However, Islam said that by doing this, CVSS puts equal weight on all three sides of the matrix, and for each of these factors you can select only “high, low, or none”.
“Because of the overall aggregation, if there's a vulnerability which impacts a single matrix and not the other ones you are bounded by the formula as to the maximum score you can give,” he said.
“If there happens to be a situation where there's a vulnerability with only a high for confidentiality and none for integrity and availability, the maximum score you can get out of this is 8.6, but generally we see that these vulnerabilities tend to be around 7.5.”
Artificially Low
Islam said that this means there are scores “which are artificially low, despite having a huge impact.” As a result, such a vulnerability may not be prioritised for a quick fix.
Islam said in the last year alone, there were around 2,500 vulnerabilities which follow this pattern. “This is one of the challenges that we have seen again and again when vulnerabilities come through,” he said.
“So, what we are proposing is firstly people be aware that there can be vulnerabilities which can be very highly impactful, and there are certain patterns that you can look for.” This includes cases where a CVE is rated high on one element of the triad, none on the others, and is getting a low score: “you probably want to look at those specifically to reprioritise them according to your enterprise’s appetite.”
The presenters also covered issues where there is a discrepancy in the CVSS score, missing dependencies - where a CVE is only exploitable if certain dependencies are present - and whether the right conditions exist for the vulnerability to be exploited.
“This information is highly fragmented, there is no comprehensive data that tells you what is the current state accurately of a given exploit at any time and it's obviously a rapid and dynamic environment, which keeps on changing,” Islam said.
He said the chances are you will miss vulnerabilities that should be prioritised higher because of what happens within the environment.
Still to be Solved
The speakers also highlighted two further issues that need to be solved. The first relates to how to incorporate nation-state threat actor analysis into CVSS scoring and prioritisation. Islam said there is ongoing work on this, with some work already done on scoring for exploited vulnerabilities.
“What is missing in all of this is how do we incorporate that into the CVSS framework to impact vulnerabilities,” Islam asked. “So I have a vulnerability score of 9.5. I have an EPSS score of 1.2, how do I combine this together? How do we use that information?”
He called on the security community to work on this and find a solution.
The other issue, which Islam described as “very crucial given where we are today and the amount of remote working”, relates to a well-known vulnerability in Zoom and how to get CVSS to consider privacy too.
He said that of 21,000 vulnerabilities published in 2023, there were only 89 cases found where privacy was in the description. “It is not prominent within the CVSS framework to give the right amount of scoring and prioritisation,” he said.
They concluded by saying it is not that CVSS is wrong, but that extensions to the framework are needed to make it more user-friendly in the environment. “We're trying to prioritise vulnerabilities and spend resources on fixing it,” he said.
Written by Dan Raywood, Senior Editor, SC Media UK