CVSS Base Score Metrics are a way to represent the measured risks and aspects of computer software vulnerabilities in relation to cybersecurity. The risks and aspects defined below are consistent, which means that they do not change based on a system’s environment or over time.

The Base Score metrics are based on the following fields:

Attack Vector (AV) – The Attack Vector metric is based on the context of the attack. This metric primarily represents how the distance between the system and attackers affects the vulnerability. The risk from the number of potential attackers over a network is much higher than the risk from the smaller number of attackers that would require physical access to a system.

Attack Complexity (AC) – Attack complexity covers the circumstances that are outside the control of the hacker. This metric does not include any user interaction requirements that are needed to perform the attack.

Privileges Required (PR) – Privileges required means the level of privileges that an attacker needs prior to starting an attack. There are three levels of this metric. None – meaning the hacker does not need any additional privileges to perform the attack. Low – meaning that the hacker has certain user privileges, but not administrative rights. High – meaning the hacker has administrative access to a feature that could affect the entire system. The higher the score, the fewer privileges are needed.

User Interaction (UI) – The user interaction metric is the input needed from a user of a target system, separate from the hacker. This metric indicates whether an attacker can attack by themselves, or if the attacker needs access from another human being to perform the attack. There are two levels of this metric. None means that no user action is needed. Required means that a user needs to interact for the attack to occur.

Scope (S) – The scope means whether a vulnerability in one component affects resources in other components that are not in its security scope. There are two levels of this metric. Unchanged – which means once an attack occurs, the vulnerability will not affect other resources outside the scope. Changed – which means the vulnerability can affect other resources that are not in the security scope of the attack.

Confidentiality (C) – This metric measures how the confidentiality of a system is breached by an attack that exploits a system vulnerability. Confidentiality means limiting access to only the people who need it, and stopping access by others who do not need access to the system.

Integrity (I) – The integrity metric is based on whether information that should not be accessed can be accessed by the hacker, or whether certain information can be modified because of a vulnerability.

Availability (A) – The availability metric is based on the impact on the availability of the system. Availability of the system includes factors such as network bandwidth, processor cycles and disk space, which all contribute to the availability metric score of the system.

  1. What is CVSS Temporal Score Metrics? Describe all the fields in CVSS 3.1 calculator that pertain to CVSS Temporal Score Metrics.  Reference index #1, #2

CVSS Temporal Score Metrics are vulnerability characteristics that change over time.  

The Temporal score metrics are based on the following fields: Exploit Code Maturity (E), Remediation Level (RL), and Report Confidence (RC). 

Exploit Code Maturity (E) – Exploit code maturity means how likely a vulnerability is to occur, given the method of attack and the exploit code that is available to the attacker.

Remediation Level (RL) – The remediation level metric tracks the progress of a potential solution to a vulnerability. There are 5 values of this metric: Not Defined, Unavailable, Workaround, Temporary Fix, and Official Fix. A vulnerability starts as unpatched, and is then placed into one of the other categories once the issues have been investigated.

Report Confidence (RC) – Report confidence measures the assurance of a specific vulnerability. For example, whether a vulnerability itself is the root cause, or whether the vulnerability exists because of a separate issue. There are 5 different metric values, which are Not Defined, Confirmed, Reasonable, and Unknown.
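The three temporal metrics act as multipliers on a Base Score. The following is an added example, not part of the original write-up: it applies the multipliers and single-letter value codes from the CVSS v3.1 specification (Reference Index #1) to a given Base Score, treating any omitted metric as Not Defined (X). The function names and the remediation_timeline helper are chosen here for illustration.

```python
# Added example: CVSS v3.1 temporal score from a base score.
# Multipliers are those of the CVSS v3.1 specification; "X" is Not Defined.
TEMPORAL = {
    "E":  {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91},
    "RL": {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95},
    "RC": {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92},
}


def roundup(value):
    """Smallest one-decimal number >= value, using the spec's integer method."""
    i = round(value * 100000)
    return (i // 10000 + (i % 10000 > 0)) / 10


def temporal_score(base, temporal_vector=""):
    """base: Base Score 0.0-10.0; temporal_vector: e.g. 'E:P/RL:O/RC:C'."""
    if not 0.0 <= base <= 10.0:
        raise ValueError("base score must be between 0.0 and 10.0")
    chosen = {"E": "X", "RL": "X", "RC": "X"}  # omitted metrics are Not Defined
    for part in filter(None, temporal_vector.split("/")):
        name, _, value = part.partition(":")
        if value not in TEMPORAL.get(name, {}):
            raise ValueError(f"invalid temporal metric {part!r}")
        chosen[name] = value
    score = base
    for name, value in chosen.items():
        score *= TEMPORAL[name][value]
    return roundup(score)


def remediation_timeline(base, exploit="H", confidence="C"):
    """Score at each Remediation Level, from Unavailable to Official Fix."""
    return {rl: temporal_score(base, f"E:{exploit}/RL:{rl}/RC:{confidence}")
            for rl in ("U", "W", "T", "O")}
```

A temporal score never exceeds the Base Score it is derived from, since every multiplier is at most 1.0, and a vector with all three metrics Not Defined returns the Base Score unchanged.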

What is CVSS Environmental Score Metrics? Describe all the fields in CVSS 3.1 calculator that pertain to CVSS Environmental Score Metrics. 

CVSS Environmental Score Metrics are vulnerability characteristics that are specific to a user’s environment.

The Environmental score metrics are based on the following fields: Confidentiality Requirement (CR), Integrity Requirement (IR), Availability Requirement (AR), Modified Attack Vector (MAV), Modified Attack Complexity (MAC), Modified Privileges Required (MPR), Modified User Interaction (MUI), Modified Scope (MS), Modified Confidentiality (MC), Modified Integrity (MI), and Modified Availability (MA). 

Confidentiality Requirement (CR) – The confidentiality requirement is defined as the classification level of a set of data on a system.  Data that passes through the system that is not processed is not included in the confidentiality requirements.   

Integrity Requirement (IR) – The integrity requirement means how accurate the data on the system is. Data that passes through the system that is not processed is not included in the integrity requirements.

The modified metrics have all the same attributes as the corresponding Base metrics, plus an additional value, “Not Defined”. The reason that these metrics are modified is to adapt them to a specific user’s environment.

Sources:

Reference Index #1 https://www.first.org/cvss/specification-document

Reference Index #2 https://www.first.org/cvss/calculator/3.1

Reference Index #3 https://nvd.nist.gov/vuln/detail/CVE-2020-10564