
CVSS... vuln management... oh no...

Or, Oh my god stop using CVSS for everything

So anyway, CVSS is pretty bad and 4.0 partly kinda redeems it a little. Let’s talk about why that is and why vulnerability management is largely just… broken. 🙂

Also, I’m assuming you either know the basics of this topic or you have access to [favourite search engine] 😉

But everyone uses CVSS? Must be good, right?

The simple answer is, just because something is widely used doesn’t mean it’s good. Case closed, we did it guys.

CVSS at its core is a measure of the characteristics of a particular reported vulnerability: how does someone have to exploit it? where can they exploit it from? what degree of control can someone get from using this exploit? and so on, all in a nice, readable vector. This isn’t bad per se, it’s helpful to have a simple vector that humans and machines can both process to gain an overview of a vuln. But is that how it’s applied?

No, no it’s not. If you’re someone who has to follow PCI DSS, you’re obligated to patch anything that’s scored a severity 7 or higher ASAP, otherwise Visa, MasterCard and co will take away your Money Privileges. If the sev 7 vuln is too hard to widely exploit, or is low risk when you consider which system within your company it applies to, you’re just wasting time and resources on something that actually isn’t very high risk just because muh CVSS high/critical score.

Another angle is, what kind of security issues actually get exploited in the wild? Is it the big scary sev 10 xz backdoor, or is it some misconfiguration that isn’t actually tracked as a vuln because it’s just a misconfiguration?

Other scoring systems

In terms of Not CVSS systems, they broadly fall into 3 categories: machine learning (good), machine learning (buzzword shit), and manual. I’ll start with ML (buzzword shit) since those are easiest to discuss.

Machine Learning (buzzword shit)

Various security companies produce scores qua products that are invariably based on wao AI machine learning cool epic that they don’t share. What are they actually measuring? Who knows! They say it’s a measure of what vulns are most in need of attention but what does that meeeeeean? Useless!

Machine Learning (good)

EPSS. Literally just EPSS ahaha. It spits out a probability that a vuln will be exploited in the next 30 days. Simple as.

EPSS is actually open to a degree: there are papers written about how it works and its performance, and clear explanations of what its intended use case is. Naturally, due to using some closed datasets, FIRST can’t just say everything, but it is theoretically possible to make An Model that is similar to EPSS on your own with enough compute and data. And best of all, it is designed in a way to maximise efficiency, minimise effort, and keep a reasonable coverage of the actually exploited vulns. As FIRST openly says, it’s not perfect but it’s pretty good for what it is and intends to do. Unlike CVSS 😉

Manual

There are various SSVC-based and SSVC-adjacent models that use a decision tree to determine vulnerability patching priority. I am most familiar with SSVC so that’s what I’ll cover here. Essentially, it’s a big ol’ tree of nodes where you decide how a vuln affects your specific environment and how urgently you should be patching that vuln. Unfortunately, this one is the most time-consuming and thus isn’t adopted as much, because you need to know a lot about your environment and have good visibility into what assets you have, where they are, etc. That said, it’s actually really good (especially if you ingest various data sources to help make your decisions) because it’s very customised to your specific environment, enabling you to properly consider Risk™️.

Risk

Risk is a strategic board game of global domination and conquest designed by French filmmaker Albert Lamorisse. It was first published in 1957 by the American toy and game manufacturer Parker Brothers…

Risk is also a measure of the chance something bad will happen, particularly helpful within a context where you can’t just Fix Everything Ever Always because unfortunately, we are in The Real World. When considering vulnerability management, you probably should be going for the highest risk issues as priority 1 to fix, but then comes the dilemma of how to rank stuff per risk.

Remember how I mentioned PCI DSS mandating fixing >7 CVSS score vulns and how that can be a waste of resources? That’s because CVSS is not a measure of risk despite originally being envisaged as such :^)

Who’d’ve thunk that a score based on the technical characteristics would only give you information about the technical characteristics? There is of course the bandaid (imo at least) of adding B/T/E explicitly to CVSS score listings, that is, saying whether a score is just the base score, or if it includes the temporal and environmental metrics, by labelling it CVSS-B, CVSS-BT and so on[1]. To this day, I don’t think I’ve seen a T or E on a CVSS score in the wild, it’s always just the base score, and sometimes people don’t even mention that it’s a CVSS score (looking at you, Dan Goodin 👁️) and just call it a severity score. Because it is clearly The Severity Score.

Okay if CVSS isn’t good what do we do now?

Do proper risk assessments lmao.

More seriously though, use the right tool for the job and gain the knowledge to understand when a tool is that right tool for the job. SSVC won’t be the right tool for every environment, because some businesses just pay MSPs and MSSPs and have minimal attack surface they manage themselves, and CVSS (particularly the vector) is actually super useful if you want to briefly summarise the technical elements of a particular vulnerability. EPSS is broadly useful in the sense that it’s helpful to know in general if a vuln is likely or unlikely to be used in the wild within 30 days but of course doesn’t take into account your own environment.
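To make the “right tool for the job” point concrete, here is an added example (my own sketch, not code from the post, FIRST or the SSVC project) that reads a CVSS v3.x vector for its technical characteristics, labels whether it carries only base (B), temporal (T) or environmental (E) metric groups, and then feeds that together with an EPSS probability and your own asset knowledge into a small SSVC-style decision tree. The tree, the 0.5 EPSS threshold, the `Finding` fields and the sample findings are all constructed for illustration.

```python
# Added example: CVSS vector as a technical summary, EPSS as exploitation
# likelihood, asset context as the environment. The thresholds and the
# decision tree below are constructed for illustration, not SSVC's official tree.
from dataclasses import dataclass

BASE = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"}
TEMPORAL = {"E", "RL", "RC"}
ENVIRONMENTAL = {"CR", "IR", "AR", "MAV", "MAC", "MPR", "MUI", "MS", "MC", "MI", "MA"}

def parse_cvss(vector: str) -> dict:
    """Split 'CVSS:3.1/AV:N/AC:L/...' into {metric: value}; reject unknown metrics."""
    prefix, _, body = vector.partition("/")
    if prefix not in ("CVSS:3.0", "CVSS:3.1"):
        raise ValueError(f"unsupported vector prefix: {prefix}")
    metrics = dict(part.split(":", 1) for part in body.split("/"))
    unknown = set(metrics) - BASE - TEMPORAL - ENVIRONMENTAL
    missing = BASE - set(metrics)
    if unknown or missing:
        raise ValueError(f"bad vector: unknown={unknown} missing={missing}")
    return metrics

def score_label(metrics: dict) -> str:
    """CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE, depending on which groups are present."""
    label = "CVSS-B"
    if TEMPORAL & set(metrics):
        label += "T"
    if ENVIRONMENTAL & set(metrics):
        label += "E"
    return label

@dataclass
class Finding:
    name: str            # constructed placeholder, not a real CVE id
    vector: str
    epss: float          # EPSS probability of exploitation within 30 days
    exposure: str        # "internet" or "internal", from your asset inventory
    asset_critical: bool # does the business stop if this box goes down?

def decide(f: Finding) -> str:
    """Tiny SSVC-style tree: exploitation likelihood -> exposure -> impact."""
    m = parse_cvss(f.vector)
    active = f.epss >= 0.5                                 # node 1 (constructed threshold)
    exposed = f.exposure == "internet" and m["AV"] == "N"  # node 2: AV:L/P bugs aren't internet-reachable
    if active and exposed:                                 # node 3: your asset, not the CVE, sets impact
        return "act" if f.asset_critical else "attend"
    if active or exposed:
        return "attend" if f.asset_critical else "track"
    return "track" if f.asset_critical else "defer"

FINDINGS = [  # constructed sample data: a 9.8-style base vector vs a 7.5-style one with temporal metrics
    Finding("finding-1", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 0.02, "internal", False),
    Finding("finding-2", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C", 0.81, "internet", True),
]
```

Running `decide` over `FINDINGS` defers the critical-looking base score and acts on the lower one, which is the whole argument: the vector tells you what the bug is, EPSS and your inventory tell you whether to care today.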

But.

Keep in mind that, like, most vulns are just misconfigurations or piss poor coding and design, so maybe we should be focusing on those rather than going “zomg it’s a 10/10 so bad!” every time, hey? Yes this is both a CVSS and cybersec journalism callout, gottemmmmmmmm

1. This is broadly part of CVSS 4.0, where the idea that CVSS is meant to be a measure of risk is taken seriously again but actually done a bit better. There’s a bigger emphasis on including temporal and environmental metrics, which is basically what the nodes of SSVC are beyond the first one. Good thing it’s being widely adopted right? Right? (no one produces a CVSS 4.0 score yet 😐)