
PG - CVSS v4 – A Better Version of an Imperfect Solution

BSides Las Vegas · 25:54 · 167 views · Published 2024-09
About this talk
Proving Ground, Wed, Aug 7, 12:30 - 12:55 CDT

Common Vulnerability Scoring System (CVSS) is the global go-to standard for attributing criticality scores to vulnerabilities. In this talk, I will explore the latest iteration of CVSS (version 4) and its adoption in the universe of application security. I will talk about its role in vulnerability risk management and how it's critical for prioritizing risks. I will highlight some ever-enduring challenges, how to optimize the scoring effectiveness to overcome some of those challenges, and play with ideas for an effective solution within the broader context of cybersecurity. I aim to engage with a diverse audience, offering insights into the evolving landscape of vulnerability assessment and inspiring discussion on the future developments of the vector for proper risk management, with the idea of leaving some open questions for the future.

People: Mário Leitão-Teixeira
Transcript [en]

Morning everyone. Look at this ball. Let's say this single ball is a vulnerability, and you can focus all your attention on that ball, on that ball, and our systems will always be vulnerable. So maybe a vulnerability alone is not really the end of the world. And let's say now that you have a lot of vulnerabilities all mixed up, and a bduck doing God knows what in there; then you start to have a problem. As security professionals, our goal is to make sure that we will try to mitigate as many vulnerabilities as possible, or put as many security controls in place to try to avoid exploitation. So you can start finding some order, trying to give some order to those vulnerabilities. Maybe you will group them into severities, and that's how you come up with CVSS. CVSS stands for Common Vulnerability Scoring System, and it's defined as a vendor-agnostic, industry open standard, by the book. It's owned and managed by FIRST, a US-based nonprofit organization that started originally with the mission to help security incident response teams across the world. Then it has been adopted by MITRE from the beginning, who runs the CVE program, and to associate as well with CVSS as the scoring standard; it soon became adopted by everyone as well, the number one scoring standard. The idea is that it will convey characteristics and severity of software vulnerabilities. Very important: keep these two terms in mind.

So really quick about me: I'm from Portugal. I'm curious; I guess I have to be in this line of work. I consider myself a cyber security enthusiast, for around 10 years. I've been working for nearly four years at Checkmarx as an application security analyst, doing research as well, and I've been practicing kaga for almost 14 years. I love to read, I love to write, I love to travel. So enough about me; now let's go to what matters. We're here to talk today about the latest version of CVSS and how it's still not... it's better, but it's still not the perfect solution. So why version 4?

First of all, there wasn't enough granularity before to provide precise severity scores. You could have two distinct vulnerabilities that would end up, in the end, with the same score, which wasn't really good if you want to distinguish them and be able to prioritize somehow. Then the options themselves are limited. For instance, in version 3.1 you can define user interaction (sorry, I was trying to remember the parameter), and you can say whether it's required or not, but you couldn't really say whether it was a passive or an active type of interaction, for instance. And the parameters still, and what they were supposed to describe, the characteristics they wanted to bring about the vulnerabilities, still was a bit blurry in some cases. For instance, I know what attack complexity means, but do I really know what it means? And why not try to improve the previous version if it's not that good? So we came up with this new version of CVSS. It's now running; everyone is starting to adopt it gradually, and these were the main changes. In terms of groups, the score is divided by groups. The main group that everyone uses is the base metrics group, but then you have temporal metrics, which are now called threat metrics, with a few changes, then supplemental metrics as an entirely new group.

And in terms of changes in the base metric group, there's a new parameter, attack requirements, and the scope was removed, but in reality it was moved to the impact part, to be divided into vulnerable and subsequent system. You can now define the confidentiality, integrity and availability parameters in terms of these two different systems. And then you've got the exploit maturity, the only parameter being defined in the threat metric group, to define how a vulnerability is currently being exploited in the wild. And then we've got the environmental metric group that allows the consumer to modify the metrics according to his specific environment. Then supplemental metrics, to provide still some extrinsic characteristics of the vulnerability and allow us to cover other sectors that might not be properly covered with the other parameters.

So really quick, looking at an example: you can see that this vulnerability was taken from the official documentation, but a bit modified for the sake of this exercise. And we're talking about a Juniper router that has the ARP protocol enabled, and an attacker could poison the cache and put there a spoofed IP entry, and it would cause a denial of service to the user of that IP eventually, and then he can also redirect traffic to themselves, cause some sort of man in the middle. And we know that Dynamic ARP Inspection is enabled by default. So looking at this example, I wanted to ask for your input on this. You can see here the vector for version 3.1 with some elements highlighted, and what do you think would be the final score here, if you were to guess? You can say just some rough number from 1 to 10.

(Audience: seven. 7.8.)

Okay, you're just trying to say different, right? Because you got it right; you're good. Yeah, this is the final score that would result from this vector. And now let's look at it in a different perspective, in terms of version 4. So well, the attack vector is still the same, adjacent, because of the protocol we're talking about, ARP, in an adjacent network. And then we also have attack complexity as high, but this is actually one of the big differences, because before you would still have attack complexity, but as I said, attack complexity is one of the cases where you really don't know what it means; it could mean a lot of things and mean nothing at all. So it was quite shitty, to tell the truth, and now you can probably make it a bit less shitty. And so you can say that attack complexity is specifically about having active protective measures in the system that will somehow delay or slow down the attacker, and the attacker will have to circumvent those measures in order to achieve successful exploitation. So now we know that attack complexity means specifically that, and other stuff that you could mean by attack complexity is actually part of the attack requirements now, and that's how you get a supposedly more precise characterization now. And that should count a bit to lower the score, because of attack complexity.

But then, also really, really important, is that now you can define whether the vulnerable or subsequent system is being impacted, and we now know that, in terms of the vulnerable system, since we're just creating a spoofed IP entry in the ARP protocol, we have a low impact on the integrity. You can see there the VI, the vulnerable integrity metric: we have a low impact. But then you can define more precisely that you have a high impact on the confidentiality of the subsequent system, because the attacker can read the traffic from the user, and then also in terms of availability, because it can cause a denial of service, so also a high impact on the availability. So if you were to guess now, what would you say is the resulting score?

(Audience: seven again. Six. Nine.)

Okay, so you think it's more or less the same, or worse, or maybe lower? Well, it's lower, and I'm not here to argue if it's correct or not. You would actually have to compare between other vulnerabilities, other different vectors, but well, it is what it is. Right away you don't know, but you can argue that it's probably a bit too low regarding the actual impact they're causing to the users, or not, or maybe version 3.1 was a bit too high. Well, it was just for you to understand some of the main differences.

And so in general, in a nutshell, what CVSS wanted to bring was, first of all, to reinforce (and they emphasize it a lot if you read the documentation) that CVSS is not just a base score; you should use all the other metric groups. Also finer granularity: by adding new elements you should now have more variations of scores. Then they enhanced the impact metrics, as we've seen, with the vulnerable and subsequent system, and they wanted to promote accessible information, making it more transparent, being able to tell a better story, overall more clarity and ease of use of the vector. And this is awesome, right? Well, not really. Let's not rush, and let's talk really quick about open source first, a very important element. We all know it's philosophical, it's philanthropic, magical; everyone is using open source. According to the Census II study, 70 to 90% of modern software solutions are using free open source.

And we can do a quick test here, looking at an npm package called Gatsby, a popular one for building websites, and you can see all these dependencies popping up, direct or transitive. This would be the final result of all the dependencies you get in this single package, which is quite a lot, and it would of course be naive to think that you don't have at least one vulnerability. You don't control all these dependencies, but yeah, one vulnerability is one thing; feel you have hundreds, if not thousands, of vulnerabilities in all these dependencies. So is CVSS a solution, or even now version 4, for this? Well, back to the colors. You can group it by severity, as I've shown you, but can you still tell whether the system that is being impacted is really exploitable under its conditions, how the exploitability is in practical terms, if the measures that are in place in your system are really going to be circumvented in this vulnerability, if you can do something with it? There are a lot of factors that you need to consider besides severity, but well, if it's CVSS we're talking about, it's severity.

So this often leads us to the idea of risk/vulnerability management, and these terms are used interchangeably a lot of times, risk or vulnerability management, and even CVSS for risk and vulnerability management. This is of course wrong, and it's one of the first problems, one of the main problems: misunderstanding the purpose of CVSS. And of course one thing is severity, another is the risk of exploitation, for instance, and that you could even incorporate into vulnerability management, but again, all different terms. And to explain the next points, to make it clear, I will need to use a lot of memes, so sorry about that if you don't like memes, but it's better to prove my point. So first of all, of course, is misunderstanding the purpose of CVSS. Well, you can run it the other way, but if you want to get the most out of it, you need to again understand that CVSS is about severity. Then relying only on CVSS for risk and vulnerability management; again, CVSS is just for severity. And even worse is if you're relying only on the base group alone. This is something you don't want to be doing, and in practice it is much harder than in theory, because vulnerabilities are often complex, as you know; there are a lot of nuances. This is some limitation. And the score in version 4 is supposedly more precise and customizable, but that doesn't mean that it's necessarily easier to use. Also, how many vulnerabilities are we talking about? Because the more vulnerabilities you have, the more difficult it will be to try to have a good score.

And well, also, with all this customization, all these other parameters and all, it might have introduced more subjectivity, and that can also be not that good. Also limited information: this is a big problem. If you don't have enough information, you don't really have the context about the vulnerabilities, you can't really know how to properly come up with a score. You need the information. And okay, this is obvious, sorry about that, but well, it should be said still, because it doesn't happen in reality. And what about OSS libraries? That's another problem we have, because, associated with the lack of information and context, we even have lack of context, or we can't really implement it when we're attributing a specific score to OSS libraries. We will have to resort to the information we have, because it will still depend on specific implementations of that library, of course. And then that takes us a lot of times to score over-inflation, because if you have that information, you're limited to it; you are limited to using a general scenario, so you need to use the worst case scenario. That's actually part of the official guidelines: you need to have a worst case scenario. But this is also often misinterpreted, because worst case doesn't mean you also need to have the worst case for the impact metrics; you should use only the most reasonable outcome according to the information you have.

And I can give you a really easy example. For instance, you have some vulnerability which is having passwords exposed in clear text, and you can eventually use those passwords; you found there is some command line you can use with those credentials to log in there, then you have remote code execution. But the impact is not remote code execution, because the vulnerability itself is only limited to the clear-text credentials, so that would be the impact, and not remote code execution. And also you get that a lot from bug bounty hunters, vulnerability reporters: they will over-inflate the score on purpose (that's the meme you have there), usually for financial or reputational rewards, because over-inflating the score will make the vulnerability look more critical. But if you do it on hunter.com, for instance, you will get a penalty in your reputation for miscalculating the CVSS. And of course manual can be a hassle, but automated doesn't always work. You should use both; you really need to use both, actually, because as consumers you can use automation in environmental metrics and in threat metrics, using threat intelligence sources, but you, as providers of the score, still need to provide the base score in a manual manner to do it properly, and also if eventually you want to supply the supplemental metrics as well.

And then we have the classical problem of time versus quality. Of course you can waste a lot of time making the score perfect for a vulnerability, but can you really do it if you have 300 vulnerabilities, for instance? Of course, eventually, somewhere in time, quality will be sacrificed. Then, of course, willingness to do things properly, because we have consumers, we have providers, and we have to rely on both of them. And then it requires focus, it requires direction, it requires learning, obviously, to properly use the score, so it's not easy, and you do have to rely on both provider and consumer, and this is a problem alone, because you need to expect that both of them will properly use the score. Also another problem is the neglect, fatigue and discouragement in open source. Generally you find a lot that software maintainers won't really care about vulnerabilities; they don't really care about wasting time with vulnerabilities, because there's still the idea that it's a waste of time; they want to focus on coding and improving their projects.

So how can we try to tackle some of these challenges? Some are underlined, of course, because we can't solve everything; we can't really make this perfect, but we can try to get the best out of version 4. And again, it's never too much to stress this out: severity, as many times as you can have it. CVSS is a tool, not the entire solution. You can use it for risk management, but it's not risk management. Again, it's still not enough to tackle the question of risk management. So again, you should be using the CVSS capabilities fully. As is obvious, the base score should be used properly, as I said earlier: worst case scenario based on the information, but not always. But then you shouldn't forget the other elements. You have the threat metric group for knowing whether there's current exploitation activity in the wild, very important; environmental, if you really want to classify it in terms of the particular consumer's environment; and supplemental, even for additional characteristics, when it makes sense.

So well, whoever is supplying information about the vulnerabilities, advisories, they should provide as much information as possible. Of course this is obvious, because without context, as we've seen, you can't really build a reliable score, and even open source advisories in the end are relying on CVSS; it's the main standard used for classifying severity. Well, we need manual work, automated work; not everything can be automated, as we've seen, but you can use automation whenever possible. So this is also an important guideline: providers will be able to provide the base metrics and the supplemental metrics; consumers will be able to automate the part of the threat metrics and the environmental metrics. And one way to do it is with an asset management database. This is actually a great recommendation for automation: you can have an asset class being defined, and all the confidentiality, integrity and availability requirements, how it impacts that specific asset in terms of these elements, and then the exposure, meaning if it's internal or Internet-facing, also really important for that. And of course, read the source, because well, if you don't read the source you won't know how to properly use the vector. It has a lot of great specifications, like confidentiality and integrity versus availability and other important stuff that it will explain more in depth, and contains almost everything you need to know about it, of course.

And what's next, then? Well, providers and consumers need to cooperate, of course, because as we've seen both are needed; more transparency, more transparency of information. Well, software maintainers, product owners, product vendors, vulnerability reporters, everyone, bug bounty hunters, should disclose as many details about the vulnerabilities as possible. There's a really good step towards it: MITRE is now encouraging that CNAs will provide as many details as possible, including CVSS, because in the past they would leave it for downstream actors like NVD, just leave it empty, and NVD would fill in the CVSS. But that doesn't make sense, of course, because CNAs are responsible for reporting the vulnerabilities, creating the advisories, so they should be the ones filling in the CVSS; they have the most details. So this should make, in the future, the available CVSS scores much better associated with the CVE. Then there's the CVSS extensions framework, which is also a very important thing to consider, defined as some methods, some formal methods, that are defined in the documentation and will allow extending the framework above the core metric groups and even classifying other sectors. And of course, collaborating with open source communities, very important, whenever possible. And if you're interested, for instance, you can, and everyone is allowed, of course, be part of the CVSS Special Interest Group at FIRST, where they are constantly contributing to the improvement of CVSS. And so that's it. I want to invite everyone to talk with me after the questions, in case you are interested to discuss CVSS; I will be glad to do it. And I want to thank everyone for being present, thanking the organization as well, for the opportunity to talk here today. Thank you.