The latest version of the Common Vulnerability Scoring System (CVSS version 4.0), released last week, should enable organizations to better assess and manage the risk that a security bug might pose to their specific environments. However, how helpful it really is will depend on their willingness and ability to use all the new metrics in CVSS 4.0 to build the context needed for smarter vulnerability prioritization.
“Previous CVSS versions provided a more generalized risk assessment,” says Callie Guenther, senior manager, cyber threat research at Critical Start. “The new scores address the need for a dynamic and context-sensitive evaluation, reflecting the actual risk a vulnerability poses in the context of current threats and the specific environment it’s in.”
Filling the Gaps
CVSS maintainer Forum of Incident Response and Security Teams (FIRST) last week officially published CVSS 4.0 after initially previewing it at FIRST’s annual conference in Montreal this June. The new version’s biggest contribution is its inclusion of several metrics that allow vulnerability analysts to consider not just the technical severity of a vulnerability — or its base score — but a variety of other factors.
There’s a greater emphasis in CVSS 4.0, for instance, on organizations being able to adjust the severity of a particular vulnerability based on threat factors such as the availability of proof-of-concept code or active exploit activity. It allows vulnerability managers to then further refine a vulnerability’s severity score to their specific environment.
Also, the base metric group itself, which is often the only part of CVSS that many organizations consider when assessing a vulnerability's severity, now includes a new Attack Requirements (AT) metric and a refined User Interaction (UI) metric, so that the preconditions an attacker needs in place before exploitation can be captured in the base score.
“These differentiated scores allow organizations to conduct a multilayered assessment of vulnerabilities, considering the inherent risk (Base), the current threat landscape (Base+Threat), and the specific environmental factors (Base+Environment),” Guenther says. “This enables a more tailored risk management approach.”
CVSS 4.0 also adds more granularity to the potential scope of a specific vulnerability, including supply chain risk. The previous version (CVSS 3.1) allowed for a generalized assessment of a vulnerability's impact on the confidentiality, integrity, and availability of a system, with a single Scope metric to flag whether the effect crossed into other components. CVSS 4.0 retires that Scope metric and instead gives vulnerability and remediation teams separate impact metrics for the vulnerable system itself and for any downstream systems connected to it.
Enabling Greater Context for “Subsequent” Systems
Part of the effort to provide more granular context is tied to organizations’ infrastructure sprawl, according to Mayuresh Dani, security research manager at Qualys.
For instance, “earlier versions of CVSS considered Confidentiality, Integrity and Availability,” he says. “Now, the modified base metrics are further segregated to include Vulnerable System Confidentiality, Integrity, Availability and Subsequent System Confidentiality, Integrity, Availability. This breakdown allows organizations to account for the vulnerability impact based on the vulnerable system and the subsequent systems that are affected.”
CVSS 4.0 also introduces a new set of optional supplemental metrics, such as whether a vulnerability can be exploited in an automated fashion (Automatable) or whether it poses a risk to physical safety (Safety), to help infosec and vulnerability management teams decide how quickly they need to address a vulnerability. Supplemental metrics do not change the numeric score; they add context around it. Some of the metrics in the supplemental category can be especially useful in operational technology (OT) and industrial control system (ICS) environments, where software vulnerabilities can sometimes pose a threat to physical safety.
CVSS 4.0 can also be useful in vulnerability management when used in conjunction with tools like the US Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities (KEV) catalog and FIRST's Exploit Prediction Scoring System (EPSS). But a lot depends on the ability of organizations to take a software vendor's CVSS score for a vulnerability and layer in all the additional context from their internal systems around it.
“All too often, we hope for scoring systems to be a silver bullet when in fact they are more like a compass that points us in the right general direction,” says Patrick Garrity, senior researcher and vice president at Nucleus. “This is where incorporating threat intelligence and human analysis can be incredibly valuable. We can’t keep expecting scoring systems to make all the decisions for us. At some point, someone will need to step in and do some work.”
CVSS 4.0 May Offer Higher Severity Scores
Back when FIRST rolled out CVSS 3.0, the changes it introduced in vulnerability scoring caused average vulnerability scores to rise substantially. A Cisco study of 3,862 vulnerabilities showed the average base score increasing from 6.5 on the CVSS 2 scale to 7.4 with CVSS 3. Some 1,077 vulnerabilities moved from Low and Medium severity to High and Critical, forcing organizations to pay greater attention to them, whether always merited or not. The same thing could happen with the introduction of CVSS 4.0.
When FIRST previewed CVSS 4.0 in June, Garrity rescored vulnerabilities scored with CVSS 3.0 and 3.1 using the version 4.0 calculator. The exercise showed a high likelihood that CVSS scores will increase overall.
“It’s likely that scores will increase overall if you only use the Base Score,” Garrity says. “This may result in more vulnerabilities being classified as high or critical.” That is why organizations need to keep weighing factors such as asset value and exploitability alongside the score. “It is crucial to note that it is not recommended to rely on the CVSS base score alone for determining remediation priority.”
This is especially important when organizations have to prioritize vulnerabilities in the National Vulnerability Database (NVD) that have been scored under different CVSS versions. “Considering that NVD will continue to include CVSS 3.0 and 3.1 in its database, infosec and incident response teams should prioritize bugs based on the newest version,” Garrity says. Organizations should prioritize threat intelligence sources such as CISA KEV, EPSS, and commercial threat intelligence prioritization rather than relying on severity scores alone, he notes.
Incident response and vulnerability management teams should not directly compare scores across CVSS versions because of the different scoring criteria in each version, Guenther adds. Instead, they should evaluate the context of each vulnerability.
“A CVSS 4.0 score of 7 may reflect a more comprehensive risk analysis than a 3.x score due to the new framework’s nuanced approach,” she says. “The same goes for discrepancies between high scores in 3.x and lower scores in 4.0; the context and specifics of the metrics should guide the prioritization rather than the score alone.”