Write
OneWriteup
  • Login
  • Register
  • Trending
  • Articles
  • Blog
  • Tutorials
  • News
  • Research
  • Top 10 Lists
  • Case Studies
  • Writeup
  • Interviews
  • Personal Stories
  • Infographics
No Result
View All Result
  • Trending
  • Articles
  • Blog
  • Tutorials
  • News
  • Research
  • Top 10 Lists
  • Case Studies
  • Writeup
  • Interviews
  • Personal Stories
  • Infographics
No Result
View All Result
OneWriteup
No Result
View All Result

How to Calculate CVSS Score? (Common Vulnerability Scoring System)

Sarvesh Kumar by Sarvesh Kumar
September 19, 2024
Reading Time: 10 mins read
63
0
How to calculate cvss score
Share on FacebookShare on Twitter

Introduction

The Common Vulnerability Scoring System (CVSS) is an open framework designed to provide a consistent method for measuring the severity of software vulnerabilities. Developed by the Forum of Incident Response and Security Teams (FIRST), CVSS is widely used by security professionals, software vendors, and organizations to assess and prioritize vulnerabilities. This article will provide a detailed, step-by-step guide on how to calculate a CVSS score, covering its components, metrics, and the scoring process.

To calculate CVSS Score you can navigate to official NIST website: NVD – CVSS v3 Calculator (nist.gov)

 

Understanding CVSS

CVSS is composed of three metric groups:

  1. Base Metrics: These represent the intrinsic characteristics of a vulnerability and are constant over time and user environments.
  2. Temporal Metrics: These represent characteristics that change over time, such as the availability of a fix.
  3. Environmental Metrics: These represent the characteristics of a vulnerability that are specific to a user’s environment.

Each metric group consists of various metrics that are used to calculate a numerical score, which in turn helps in understanding the severity of the vulnerability.

Base Metrics

The Base Metrics group consists of several components, each of which contributes to the overall CVSS Base Score. The Base Score is the starting point for the CVSS score and is designed to be as objective and consistent as possible.

1. Attack Vector (AV)

The Attack Vector metric describes how a vulnerability is exploited. It has four possible values:

  • Network (N): The vulnerability can be exploited remotely over a network.
  • Adjacent Network (A): The vulnerability requires an attacker to be on the same local network.
  • Local (L): The attacker needs physical or local access to the vulnerable system.
  • Physical (P): The attacker needs physical interaction with the affected system.

Impact on CVSS Score: A vulnerability that can be exploited remotely (Network) generally receives a higher score than one that requires local access.

2. Attack Complexity (AC)

The Attack Complexity metric assesses the conditions required to exploit the vulnerability. It has two possible values:

  • Low (L): Exploitation is straightforward and does not require specialized conditions.
  • High (H): Exploitation requires specific conditions or is more complex.

Impact on CVSS Score: Vulnerabilities that are easier to exploit (Low) have a higher score compared to those requiring complex conditions.

3. Privileges Required (PR)

This metric describes the level of privileges an attacker needs to exploit the vulnerability. It has three possible values:

  • None (N): No privileges are required.
  • Low (L): Low-level privileges are required.
  • High (H): High-level privileges are required.

Impact on CVSS Score: Vulnerabilities that can be exploited with no privileges (None) typically receive a higher score.

4. User Interaction (UI)

The User Interaction metric assesses whether the exploitation of the vulnerability requires user involvement. It has two possible values:

  • None (N): No user interaction is required.
  • Required (R): User interaction is required.

Impact on CVSS Score: Vulnerabilities that do not require user interaction (None) usually have a higher score compared to those that do.

5. Scope (S)

The Scope metric describes whether the exploitation of the vulnerability impacts only the vulnerable component or if it affects other components as well. It has two possible values:

  • Unchanged (U): The exploitation affects only the vulnerable component.
  • Changed (C): The exploitation impacts additional components beyond the vulnerable one.

Impact on CVSS Score: Vulnerabilities that affect additional components (Changed) have a higher score.

6. Confidentiality Impact (C)

This metric measures the impact on the confidentiality of the information. It has three possible values:

  • None (N): No impact on confidentiality.
  • Low (L): Confidential information is partially exposed.
  • High (H): Confidential information is completely exposed.

Impact on CVSS Score: Higher impacts on confidentiality (High) lead to a higher score.

ADVERTISEMENT

7. Integrity Impact (I)

The Integrity Impact metric assesses the impact on the integrity of the information. It has three possible values:

  • None (N): No impact on integrity.
  • Low (L): Integrity is partially affected.
  • High (H): Integrity is fully compromised.

Impact on CVSS Score: Higher impacts on integrity (High) lead to a higher score.

8. Availability Impact (A)

This metric describes the impact on the availability of the system. It has three possible values:

  • None (N): No impact on availability.
  • Low (L): Availability is partially affected.
  • High (H): Availability is fully impacted.

Impact on CVSS Score: Vulnerabilities with higher impacts on availability (High) have a higher score.

Temporal Metrics

Temporal Metrics reflect the characteristics of a vulnerability that change over time, such as the availability of a fix or the existence of exploit code. These metrics are optional and can modify the Base Score.

1. Exploit Code Maturity (E)

This metric assesses the availability and quality of exploit code for the vulnerability. It has four possible values:

  • Not Defined (X): Not applicable.
  • Unproven (U): No exploit code is available.
  • Proof-of-Concept (P): Exploit code is available but not fully functional.
  • Functional (F): Exploit code is reliable and functional.
  • High (H): Exploit code is widely available and fully functional.

Impact on CVSS Score: A higher maturity of exploit code (Functional, High) generally increases the score.

2. Remediation Level (RL)

This metric measures the availability of a fix or patch for the vulnerability. It has four possible values:

  • Not Defined (X): Not applicable.
  • Official Fix (O): An official fix or patch is available.
  • Temporary Fix (T): A temporary solution is available but may not be permanent.
  • Workaround (W): Workarounds are available but may not fully mitigate the vulnerability.
  • Unavailable (U): No fix or workaround is available.

Impact on CVSS Score: Vulnerabilities with no available fix or workaround (Unavailable) typically have a higher score.

3. Report Confidence (RC)

This metric assesses the reliability of the information regarding the vulnerability. It has three possible values:

  • Not Defined (X): Not applicable.
  • Unknown (U): The vulnerability details are not well-known.
  • Reasonable (R): The vulnerability details are reasonably well-known.
  • Confirmed (C): The vulnerability details are confirmed and well-documented.

Impact on CVSS Score: Higher confidence in the report (Confirmed) may not directly impact the Base Score but affects the Temporal Score.

Environmental Metrics

Environmental Metrics account for the specific context of the vulnerability within an organization’s environment. These metrics are optional and allow for customization of the CVSS score based on the environment in which the vulnerability is assessed.

1. Modified Attack Vector (MAV)

The Modified Attack Vector metric assesses if the attack vector changes based on the specific environment. It has the same values as the Attack Vector metric.

2. Modified Attack Complexity (MAC)

The Modified Attack Complexity metric assesses if the complexity of the attack changes based on the specific environment. It has the same values as the Attack Complexity metric.

3. Modified Privileges Required (MPR)

The Modified Privileges Required metric assesses if the level of privileges required changes based on the specific environment. It has the same values as the Privileges Required metric.

4. Modified User Interaction (MUI)

The Modified User Interaction metric assesses if user interaction requirements change based on the specific environment. It has the same values as the User Interaction metric.

5. Modified Scope (MS)

The Modified Scope metric assesses if the impact of the vulnerability changes based on the specific environment. It has the same values as the Scope metric.

6. Modified Confidentiality Impact (MC)

The Modified Confidentiality Impact metric assesses if the confidentiality impact changes based on the specific environment. It has the same values as the Confidentiality Impact metric.

7. Modified Integrity Impact (MI)

The Modified Integrity Impact metric assesses if the integrity impact changes based on the specific environment. It has the same values as the Integrity Impact metric.

8. Modified Availability Impact (MA)

The Modified Availability Impact metric assesses if the availability impact changes based on the specific environment. It has the same values as the Availability Impact metric.

Calculating the CVSS Score

Step 1: Determine Base Metrics

First, gather all the necessary information to assess the Base Metrics:

  1. Attack Vector (AV)
  2. Attack Complexity (AC)
  3. Privileges Required (PR)
  4. User Interaction (UI)
  5. Scope (S)
  6. Confidentiality Impact (C)
  7. Integrity Impact (I)
  8. Availability Impact (A)

Step 2: Calculate the Base Score

The Base Score is calculated using the following formula:

Base Score=roundup(Impact Subscore×Exploitability Subscore)

 

Where:

  • Impact Subscore is derived from the Confidentiality Impact, Integrity Impact, and Availability Impact metrics.
  • Exploitability Subscore is derived from the Attack Vector, Attack Complexity, Privileges Required, and User Interaction metrics.

The specific formulas and calculations are defined in the CVSS v3.1 specification.

Step 3: Determine Temporal Metrics

Assess the Temporal Metrics:

  1. Exploit Code Maturity (E)
  2. Remediation Level (RL)
  3. Report Confidence (RC)

Step 4: Calculate the Temporal Score

The Temporal Score is calculated by adjusting the Base Score based on the values of the Temporal Metrics. The formula for the Temporal Score is:

Temporal Score=roundup(Base Score×Exploit Code Maturity×Remediation Level×Report Confidence)

Step 5: Determine Environmental Metrics

Assess the Environmental Metrics:

  1. Modified Attack Vector (MAV)
  2. Modified Attack Complexity (MAC)
  3. Modified Privileges Required (MPR)
  4. Modified User Interaction (MUI)
  5. Modified Scope (MS)
  6. Modified Confidentiality Impact (MC)
  7. Modified Integrity Impact (MI)
  8. Modified Availability Impact (MA)

Step 6: Calculate the Environmental Score

The Environmental Score is calculated by adjusting the Temporal Score based on the values of the Environmental Metrics. The formula for the Environmental Score is:

Environmental Score=roundup(Temporal Score×Modified Impact Subscore×Modified Exploitability Subscore)

ADVERTISEMENT
Sarvesh Kumar

Sarvesh Kumar

Recently Posted

HOW To BECOME AN ETHICAL HACKER ROADMAP

Free Cybersecurity Roadmap for Ethical Hacking Career in 2025

November 15, 2024
706
Top 4 Cyber attacks Commonly used for Hacking Websites!

Top 4 Cyber attacks Commonly used for Hacking Websites!

November 9, 2024
164
How to use bloodhound tool for pentesting

How to use Bloodhound / Sharphound for Pentesting Active Directory?

November 6, 2024
465
Pass The Hash

How to perform Pass The Hash Attack on Active Directory in 2024?

November 2, 2024
147
Load More

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

ADVERTISEMENT

Recommended

How to Download and Install Windows Server 2022 on VirtualBox

How to Download and Install Windows Server 2022 on VirtualBox?

September 28, 2024
212
How to calculate cvss score

How to Calculate CVSS Score? (Common Vulnerability Scoring System)

September 19, 2024
492

Popular Story

  • Download the Top 100 Free Cybersecurity Courses, Resources, and Study Materials for 2024

    Download the Top 100 Free Cybersecurity Courses, Resources, and Study Materials for 2024

    747 shares
    Share 299 Tweet 187
  • Termux Top 10 Most Powerful Tools in 2024

    278 shares
    Share 111 Tweet 70
  • How to use Bloodhound / Sharphound for Pentesting Active Directory?

    84 shares
    Share 34 Tweet 21
  • How To Create Your Open Source SIEM Home Lab?

    125 shares
    Share 50 Tweet 31
  • 100 Most Asked SOC Analyst Interview Questions For Freshers

    92 shares
    Share 37 Tweet 23
ADVERTISEMENT
OneWriteup

Discover expert cybersecurity articles, tutorials, and the latest trends to protect your digital world.

  • OneWriteup Labs
  • About Us
  • Feedback
  • Contact Us
  • Report
  • Privacy Policy
  • Community Guidelines
  • Terms Of Service

© 2024 OneWriteup

No Result
View All Result
  • Trending
  • Articles
  • News
  • Blog
  • Tutorials
  • Research
  • Top 10 Lists
  • Case Studies
  • Interviews
  • Login
  • Sign Up

© 2024 OneWriteup

Welcome Back!

Login to your account below

Forgotten Password? Sign Up

Create New Account!

Fill the forms below to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In