Common Vulnerability Scoring System Criteria

Technote (FAQ)


Question

What are the criteria for the Common Vulnerability Scoring System (CVSS)?

Answer

IBM Security Solutions has begun incorporating the use of the Common Vulnerability Scoring System with published Alerts and Advisories to help customers determine the relevance and threat level of a vulnerability to their environment. This article details the criteria used to produce this score.

CVSS uses three groups of metrics to calculate vulnerability scores:

  • Base Metrics - vulnerability attributes that are constant over time and among implementations. A base score for a vulnerability is calculated by applying a formula to the values of the base metrics.

  • Temporal Metrics - vulnerability attributes that change over time but are the same among implementations. A temporal score for a vulnerability is calculated by applying a formula to the base score and the values of the temporal metrics.

  • Environmental Metrics - vulnerability attributes that are organization- and implementation-specific. An environmental score is calculated by applying a formula to the temporal score and the values of the environmental metrics.

Base Metrics:

  • Access Vector - whether the vulnerability can be exploited locally or remotely
    • Local: only with local authentication or physical access (0.7)
    • Remote: (1.0)
  • Access Complexity - the complexity of the attack required to exploit the vulnerability
    • High: specialized access conditions exist, for example the system is exploitable only with user interaction (0.8)
    • Low: system is always exploitable (1.0)
  • Authentication - the authentication required by the attacker in order to exploit the vulnerability
    • Required: authentication is required (0.6)
    • Not required: authentication is not required (1.0)
  • Confidentiality Impact - measures the amount of information disclosed
    • Complete: access to all critical system information (1.0)
    • Partial: access to limited files and data (0.7)
    • None: no impact (0.0)
  • Integrity Impact - measures the amount of modification of data
    • Complete: entire system can be compromised (1.0)
    • Partial: modification of limited files and data (0.7)
    • None: no impact (0.0)
  • Availability Impact - measures the impact on the system's availability
    • Complete: total shutdown of the affected resource (1.0)
    • Partial: target experiences slowdowns or short outages (0.7)
    • None (0.0)
  • Impact Bias - used to give greater importance to one of the three impact metrics: confidentiality, integrity, and availability.
    • Normal: all three impacts are equally important
      • Confidentiality Impact Bias: (0.333)
      • Integrity Impact Bias: (0.333)
      • Availability Impact Bias: (0.333)
    • Confidentiality: the confidentiality impact is more important than the others
      • Confidentiality Impact Bias: (0.5)
      • Integrity Impact Bias: (0.25)
      • Availability Impact Bias: (0.25)
    • Integrity: the integrity impact is more important than the others
      • Confidentiality Impact Bias: (0.25)
      • Integrity Impact Bias: (0.5)
      • Availability Impact Bias: (0.25)
    • Availability: the availability impact is more important than the others
      • Confidentiality Impact Bias: (0.25)
      • Integrity Impact Bias: (0.25)
      • Availability Impact Bias: (0.5)

To calculate the base score, the impact and impact bias values are first combined using the formula

(Confidentiality Impact * Confidentiality Impact Bias) + (Integrity Impact * Integrity Impact Bias) + (Availability Impact * Availability Impact Bias).

The result of this formula is a value between 0 and 1. This value is multiplied by the following:
(10 * Access Vector * Access Complexity * Authentication).
The final result is a base score ranging between 0.0 and 10.0.

The complete formula is:
BaseScore = round_to_1_decimal (10 * Access Vector * Access Complexity * Authentication * ((Confidentiality Impact * Confidentiality Impact Bias) + (Integrity Impact * Integrity Impact Bias) + (Availability Impact * Availability Impact Bias)))

Temporal Metrics

  • Exploitability
    • Unproven: no exploit code is available or method is theoretical (0.85)
    • Proof of Concept: code is not functional in all situations and may require more tuning to work (0.9)
    • Functional: code works in most situations where the vulnerability is exploitable (0.95)
    • High: vulnerability is exploitable via functional mobile autonomous code, or no exploit is required (1.00)
  • Remediation Level
    • Official Fix: complete vendor solution is available (0.87)
    • Temporary Fix: official but temporary fix available (0.90)
    • Workaround: unofficial, non-vendor solution available (0.95)
    • Unavailable: no solution available or impossible to apply (1.00)
  • Report Confidence - measures the degree of confidence in the existence of the vulnerability
    • Unconfirmed: single unconfirmed source or possibly conflicting reports (0.90)
    • Uncorroborated: multiple non-official sources (0.95)
    • Confirmed: vendor or author of the affected technology confirms vulnerability (1.00)
  • Temporal Score = round_to_1_decimal (BaseScore * Exploitability * RemediationLevel * ReportConfidence)

Environmental Metrics - adjust the temporal score to account for an organization's environment

  • Collateral Damage Potential - measures the potential for loss of physical equipment or property, or loss of life or limb
    • None: no potential for physical or property damage (0)
    • Low: successful exploit may result in significant physical or property damage or loss, system may be damaged or destroyed (0.1)
    • Medium: successful exploit may result in significant physical or property damage or loss (0.3)
    • High: successful exploit may result in catastrophic physical or property damage or loss, possibly over a wide area (0.5)
  • Target Distribution - measures the relative size of the population of susceptible target systems; it is an environment-specific indicator
    • None: no target systems exist, or only exist in a laboratory setting (0)
    • Low: targets exist in the environment, but only on a small scale (between 1% and 15% of the total environment) (0.25)
    • Medium: targets exist, but on a medium scale (between 16% and 49% of the total environment) (0.75)
    • High: targets exist inside the environment on a considerable scale (between 50% and 100% of the total environment) (1.00)
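The base and temporal formulas quoted above, coded in Python with the metric weights listed on this page, as an added example that is not part of the IBM technote. The page does not state the environmental formula, so the function for it uses the CVSS v1 formula from the FIRST guide; that formula, and the metric name spellings used as dictionary keys, are assumptions of this example.

```python
# Added example (not from the IBM technote): the CVSS v1 base and temporal
# formulas quoted above, coded with the metric weights listed on the page.
# The environmental formula is not given on the page; the one used here is the
# CVSS v1 formula from the FIRST guide and is an assumption of this example.

ACCESS_VECTOR = {"local": 0.7, "remote": 1.0}
ACCESS_COMPLEXITY = {"high": 0.8, "low": 1.0}
AUTHENTICATION = {"required": 0.6, "not_required": 1.0}
IMPACT = {"none": 0.0, "partial": 0.7, "complete": 1.0}
# (confidentiality, integrity, availability) weights for each impact bias
IMPACT_BIAS = {
    "normal": (0.333, 0.333, 0.333),
    "confidentiality": (0.5, 0.25, 0.25),
    "integrity": (0.25, 0.5, 0.25),
    "availability": (0.25, 0.25, 0.5),
}
EXPLOITABILITY = {"unproven": 0.85, "proof_of_concept": 0.9,
                  "functional": 0.95, "high": 1.0}
REMEDIATION_LEVEL = {"official_fix": 0.87, "temporary_fix": 0.9,
                     "workaround": 0.95, "unavailable": 1.0}
REPORT_CONFIDENCE = {"unconfirmed": 0.9, "uncorroborated": 0.95, "confirmed": 1.0}
COLLATERAL_DAMAGE = {"none": 0.0, "low": 0.1, "medium": 0.3, "high": 0.5}
TARGET_DISTRIBUTION = {"none": 0.0, "low": 0.25, "medium": 0.75, "high": 1.0}


def base_score(av, ac, au, c, i, a, bias="normal"):
    """BaseScore = round_to_1_decimal(10 * AV * AC * Au * (C*Cb + I*Ib + A*Ab))."""
    cb, ib, ab = IMPACT_BIAS[bias]
    impact = IMPACT[c] * cb + IMPACT[i] * ib + IMPACT[a] * ab  # value in [0, 1]
    return round(10 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac]
                 * AUTHENTICATION[au] * impact, 1)


def temporal_score(base, e, rl, rc):
    """TemporalScore = round_to_1_decimal(BaseScore * E * RL * RC)."""
    return round(base * EXPLOITABILITY[e] * REMEDIATION_LEVEL[rl]
                 * REPORT_CONFIDENCE[rc], 1)


def environmental_score(temporal, cdp, td):
    """Assumed CVSS v1 formula (FIRST guide), not stated on this page:
    round_to_1_decimal((Temporal + (10 - Temporal) * CDP) * TD)."""
    return round((temporal + (10 - temporal) * COLLATERAL_DAMAGE[cdp])
                 * TARGET_DISTRIBUTION[td], 1)


if __name__ == "__main__":
    # Constructed input: remote, low complexity, no authentication, full C/I/A impact
    b = base_score("remote", "low", "not_required", "complete", "complete", "complete")
    t = temporal_score(b, "proof_of_concept", "workaround", "uncorroborated")
    print(b, t, environmental_score(t, "low", "medium"))
```

Note that the impact bias weights (0.333 for "normal") give a full-impact base of 9.99 before rounding, which is why the top base score rounds to 10.0.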

More information about CVSS can be found at http://www.first.org/cvss/cvss-guide.html


If the above information does not resolve your issue, please contact IBM Security Solutions Customer Support.

Cross reference information
Segment Product Component Platform Version Edition
Security Fidelis Security Systems Appliances and Support Proventia Management SiteProtector System

Historical Number

3562

Product Alias/Synonym

Enterprise Scanner
Fidelis Fidelis XPS CommandPost
Fidelis Fidelis XPS Direct
Fidelis Fidelis XPS Internal
Fidelis Fidelis XPS Mail
Fidelis Fidelis XPS Proxy
General Security Information
Internet Scanner
Lotus Protector for Mail Security
Lotus Protector Mail
Proventia Appliance
IBM Proventia Network IDS - A
IBM Proventia Network IPS - G
IBM Proventia Network MFS - M
Proventia Desktop
Proventia Endpoint Secure Control
Proventia Filter Reporter
Proventia for Crossbeam
Proventia Mail Filter
Proventia Network Active Bypass
Proventia Network ADS
Proventia Network Security Controller
Proventia Network Mail Security
Proventia Network IPS Virtual Appliance
Proventia Server - Windows
Proventia Server - Linux
Proventia Server for VMWare
Proventia Web Filter
Proventia Web Protection
RealSecure Server Sensor
RealSecure Network Sensor
SiteProtector Event Collector
SiteProtector Security Fusion Module


Document information


More support for:

Proventia Network Enterprise Scanner

Software version:

1.4, 2.1, 2.2, 2.3

Operating system(s):

Firmware

Reference #:

1435423

Modified date:

2010-10-17
