Understanding the Common Vulnerability Scoring System (CVSS): Part 2
By Eric P. Maurice-Oracle on Nov 07, 2007
Hi, this is Eric Maurice again! Last week, we discussed the objectives of CVSS and how it impacted the scoring philosophy of the standard. Today, we are going to take a closer look at the formula vendors use to compute CVSS Base Scores.
The CVSS Base Score is computed from six criteria, known collectively as the �Base Metrics�, representing �the most fundamental, immutable qualities of a vulnerability�. These criteria are:
1. Access Vector. This measures �how remote an attacker can be to attack a target�. The possible Access Vector values are Local, Adjacent Network, and Network;
2. Access Complexity. This measures �the complexity of attack required to exploit the vulnerability once an attacker has gained access to the target system�. The possible Access Complexity values are High, Medium and Low;
3. Authentication. This measures �the number of times an attacker must authenticate to the target system in order to exploit the vulnerability�. The possible Authentication values are Multiple, Single, and None;
4. Confidentiality Impact. This measures �the impact on confidentiality of a successful exploit of the vulnerability on the target system�, that is to say, improper information disclosure. The possible Confidentiality Impact values are None, Partial, and Complete;
5. Integrity Impact. This measures �the impact on integrity of a successful exploit of the vulnerability on the target system�, that is to say, data corruption. The possible Integrity Impact values are None, Partial, and Complete;
6. Availability Impact. This measures �the impact on availability of a successful exploit of the vulnerability on the target system�, that is to say, denial of service. The possible Availability Impact values are None, Partial, and Complete.
A numerical value is assigned to each of the three possible answers for each of the six criteria. Then a formula, known as the �Base Equation�, is used to assign weight to each of the criteria, combine the weighted values, and derive the Base Score. The application of the Base Equation formula yields in a maximum score of 7.5 for vulnerabilities typically found in Oracle products (it would be extraordinary if an Oracle security bug would result in a complete compromise of the underlying operating system). Note that the National Vulnerability Database considers CVSS scores between 7.0 and 10.0 to be �high�.
The National Institute of Standards and Technology (NIST) hosts a CVSS 2.0 calculator online. This neat utility provides the ability to compute the score without necessarily manually dealing with the Base, Temporal, or Environmental equations. Let�s take one of the vulnerabilities addressed in the October 2007 CPU (CPUOct2007); the vulnerability DB01 had the following particularities:
- Exploitability Metrics:
o Related exploit range (AccessVector): Network
o Attack complexity (AccessComplexity): Low
o Level of authentication needed (Authentication): Single Instance
- Impact Metrics:
o Confidentiality impact (ConfImpact): Partial
o Integrity impact (IntegImpact): Partial
o Availability impact (AvailImpact): Partial
When entering these values, the calculator provides the score of 6.5 as reported in the CPU documentation.
Oracle quickly realized some limitations of the CVSS base scoring system. One is that CVSS does not distinguish between, for example, the disclosure of only a single database record and the disclosure of all data in a database. Oracle therefore introduced the �Partial+� rating to denote such rare situations where the impact of the vulnerability can result in widespread impacts while partial means only limited impact. Note that Oracle uses the Partial numeric value assigned by CVSS for both Partial and Partial+, so that Oracle does not deviate from the standard.
For more information, see:
- Oracle MetaLink Note 394487.1 (subscription to MetaLink required) explains Oracle's implementation of the CVSS standard.
- Oracle MetaLink Note 394486.1 (subscription to MetaLink required) provides a detailed explanation of Oracle�s risk matrices.
- The Guide to the Common Vulnerability Scoring System version 2.0 is available online, and it includes the scoring formulas set forth by the standard.