Security researchers find deep flaws in CVSS vulnerability scoring system – Source: www.csoonline.com

The industrywide method for assessing the severity of vulnerabilities in software and hardware needs to be revised because it provides potential misleading severity assessment, delegates at Black Hat Europe were told Thursday.

The Common Vulnerability Scoring System (CVSS) makes use of various metrics to quantify vulnerability severity. A presentation at Black Hat by cybersecurity experts from JPMorganChase highlighted examples in which the system fails to accurately reflect real-world risks associated with vulnerabilities. The problem is that because many vulnerabilities are inaccurately scored, organizations end up prioritizing remediation efforts based on flawed data.

For example, CVSS scores fail to account for contextual factors such as the environment in which a vulnerability exists or whether it has been actively exploited in the wild. “CVSS impact metrics give equal weight to confidentiality, integrity, and availability, overlooking the unique risk priorities of organizations and the true impact a vulnerability might have,” according to JPMorganChase.

During 2023, the average disclosure rate was 80 vulnerabilities per day, a figure that is increasing around 20% year-over-year. Around 18% of vulnerabilities are rated as critical with a CVSS 3.0 score of 9 or above.

The severity of vulnerabilities is being underrated

The JPMorganChase analysis suggests that around 10% of vulnerabilities are potentially being underrated. For example, a Citrix NetScaler DDoS vulnerability, CVE-2020-8187, a vulnerability rated at only 7.5 disclosed during the COVID crisis had the “potential to bring organizations to a grinding halt.”

The researchers said that insufficient attention is given to privacy as an issue in the drawing up of CVSS scores. “The use of generic confidentiality metrics is potentially masking privacy impact in thousands of CVEs.”

For example, Zoom information disclosure vulnerability CVE-2019–13450 (webcam opening without user interaction) was rated as only of medium risk despite its potential impact of “privacy violations, security risks, [and] potential legal and reputational consequences”, according to the JPMorganChase researchers.

They assert that inadequate dependency consideration is another major shortcoming of CVSS scores, affecting the prioritization of at least 11% of CVEs.

Exploits sometimes require a specific setup or rely on other software vulnerabilities — configuration and access controls can significantly affect an attacker’s ability to exploit a vulnerability. The researchers allege that while user privileges can influence the severity and potential impact of a breach, they remain another factor that fails to be adequately represented in the calculus of CVSS scores.

CVSS 4.0 also has shortcomings, researchers say

The upcoming CVSS 4.0 framework introduces expanded impact metrics, refined temporal metrics, and new supplemental metrics to improve assessment accuracy. However, issues including a lack of consideration of privacy concerns and advanced persistent threat (APT) associations remain, according to the JPMorganChase security researchers.

JPMorganChase has put together a framework to factor in the lack of APT and exploitability weighting and the issue of dependencies. The financial services giant has developed a conceptual design it is encouraging other members of the security community to review and participate in further refining.

In response to a question from CSO, Syed Islam, a principal security architect at JPMorganChase, acknowledged that only organizations that had achieved a degree of security maturity — for example by having an inventory of technologies and applications upon which their business relies — would benefit substantially from applying its vulnerability assessment methodology.