FIRST.Org defined the Common Vulnerability Scoring System (CVSS) to help describe and understand vulnerabilities better. The CVSS specification is currently available in version 3.1 and can be found here.
This specification defines a methodology for deriving a score that expresses the criticality of a vulnerability, taking impact and exploitability into consideration. The Impact Score describes the worst-case effects that an exploit of the vulnerability may have. In other words, it describes the advantage an attacker gains by exploiting this vulnerability with respect to the three aspects confidentiality, integrity and availability. Together with the Exploitability Score, the Impact Score forms the Base Score.
To understand this better, assume an attacker who already holds the "read" privilege exploits the vulnerability described and thereby gains "write" access. This impacts only the integrity aspect, neither availability nor confidentiality.
Each of the aspects is rated in one of three categories: high, low or none. The following table helps you understand what each category indicates:

| | none (= 0) | low (= 0.22) | high (= 0.56) |
|---|---|---|---|
| Confidentiality | no loss of confidentiality | access to some or parts of restricted information is possible, but the attacker does not have complete control over what to access | complete loss of confidentiality, the attacker may select and access data as wanted |
| Integrity | no loss of integrity | modification is possible, but the amount of and control over modification are limited | complete loss of integrity, the attacker gains command over data |
| Availability | no impact on availability | performance is reduced or negatively impacted, shorter outages might happen | total loss of availability, the system may be lost or critical components destroyed |
The Impact Sub Score (ISS) is calculated using the following formula. Replace Confidentiality, Integrity and Availability with the figures from the table above:
ISS = 1 - [(1 - Confidentiality) * (1 - Integrity) * (1 - Availability)]
To determine the final Impact Score (IS), combine the ISS with the Scope metric and use one of the following formulas:
A) if Scope is "Unchanged":
IS = 6.42 * ISS
B) if Scope is "Changed":
IS = 7.52 * (ISS - 0.029) - 3.25 * (ISS - 0.02)^15
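The two formulas carried through in code, as an added example that is not part of the original article. It assumes the read-to-write scenario above is rated integrity "high" with confidentiality and availability "none" (the article names no level), and it also checks the spec's rule that a non-positive Impact leads to a Base Score of 0.

```python
from typing import Dict

# CVSS 3.1 weights for the Confidentiality, Integrity and Availability
# impact metrics (the figures from the table in the article).
IMPACT_WEIGHT: Dict[str, float] = {"none": 0.0, "low": 0.22, "high": 0.56}


def impact_subscore(confidentiality: str, integrity: str, availability: str) -> float:
    """ISS = 1 - [(1 - C) * (1 - I) * (1 - A)], each metric being none/low/high."""
    c = IMPACT_WEIGHT[confidentiality]
    i = IMPACT_WEIGHT[integrity]
    a = IMPACT_WEIGHT[availability]
    return 1.0 - ((1.0 - c) * (1.0 - i) * (1.0 - a))


def impact_score(iss: float, scope: str) -> float:
    """Impact (IS) from the ISS and the Scope metric ("unchanged" or "changed")."""
    if scope == "unchanged":
        return 6.42 * iss
    if scope == "changed":
        return 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    raise ValueError(f"unknown scope: {scope!r}")


def impact_from_metrics(confidentiality: str, integrity: str,
                        availability: str, scope: str) -> float:
    """Convenience wrapper: C/I/A levels plus Scope in, Impact Score out."""
    return impact_score(impact_subscore(confidentiality, integrity, availability), scope)


def impact_is_scoreable(impact: float) -> bool:
    # CVSS 3.1 rule: if Impact <= 0, the Base Score is 0 regardless of
    # exploitability. With all three metrics at "none" and Scope "changed" the
    # formula yields a slightly negative value, so callers must check this.
    return impact > 0.0


if __name__ == "__main__":
    # Worked example from the article's read-to-write scenario: only integrity
    # is affected. Rating it "high" is an assumption; the article names no level.
    iss = impact_subscore("none", "high", "none")
    for scope in ("unchanged", "changed"):
        print(f"ISS={iss:.4f} scope={scope} impact={impact_score(iss, scope):.4f}")
```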
PLEASE NOTE: CVSS is widely accepted. It makes use of many constants, as shown in the formulas above. These constants were derived from expert judgement during the specification phase and are not based on published scientific work. You will find the constants and further details in the specification.
Together with the Exploitability Score, the Impact Score forms the Base Score. Find more information about vulnerability management here.