The Common Vulnerability Scoring System (CVSS) is a public standard maintained by the Forum of Incident Response and Security Teams (FIRST) that provides a method for scoring IT-related vulnerabilities. Additional details and documentation on the standard are available at http://www.first.org/cvss.
CVSS divides a vulnerability into three components: Base, Temporal, and Environmental. The base metric describes how severe the issue is from a technical perspective. The temporal metric tells how a vulnerability changes over time, and the environmental metric specifies the impact on a specific running system.
This document focuses on how Cisco uses CVSS. To learn more about the individual metrics or the scoring mechanics, please view the official documentation provided by FIRST.
Within Cisco, two groups use CVSS: the Product Security Incident Response Team (PSIRT) and the Cisco analyst team that creates multivendor vulnerability alerts. Cisco PSIRT handles security vulnerabilities in all Cisco products. This team is the only group tasked with communicating information about vulnerabilities in Cisco products to customers. The multivendor alert analyst team provides intelligence and analysis for many vendors and products.
A common task for the PSIRT and analyst groups is assigning and communicating CVSS scores to Cisco customers. In addition to external communications, PSIRT also uses CVSS as a major component in prioritizing team workload.
CVSS Usage Within PSIRT
The current version of CVSS is version 3. Cisco is currently using version 2. Cisco will begin to adopt CVSSv3 for assessing security vulnerabilities in the fourth quarter of calendar year 2016. Please see The Evolution of Scoring Security Vulnerabilities for more information.
When PSIRT receives a report of a potential vulnerability, a base score is assigned to the issue. This initial score is marked as preliminary because it is often assigned without actually reproducing the issue described within the report. A temporal score is also assigned at this time, even though it usually plays a lesser role in the process. The exception would be dealing with an issue where a vulnerability can be triggered by mobile autonomous code (for example, a virus or worm). If that is the case, and the report has a sufficiently high base score, a PSIRT manager will immediately start working on the report.
Whatever the preliminary score may be, it is recorded with all known information at the time. The preliminary base score is a major component that determines how soon a PSIRT Incident Manager takes the report from the input queue. Higher priority cases (those cases with higher base scores) are usually selected first. To prevent reports with lower scores from remaining in the input queue for too long, the next available Incident Manager may be asked to verify the older reports instead of a more recent report with a higher score.
When a PSIRT Incident Manager begins working on a report, the preliminary score may change. Although the score is assigned before all the facts about a vulnerability are known, the score does not change as often as might be assumed. Experience, knowledge of Cisco products, and how those products are deployed help Incident Managers assign the correct score at the onset of scoring. Liaisons with other groups within and outside of Cisco are also helpful.
To ensure the most accurate and consistent scoring, the scores (base and temporal) are verified by a second Incident Manager. Each report accepted by PSIRT has a primary and a backup owner. The primary owner actively works on the report while the backup owner monitors the situation and provides assistance when required. The primary duties of a backup owner include verifying the CVSS score assigned by the primary Incident Manager.
For reports in which these two scores do not match, the primary and backup Incident Managers reconcile any differences. Differences may occur when aspects of the report are understood differently, or when the backup Incident Manager can provide new insight or additional information that may affect overall report understanding. Whatever situation occurs, the primary and backup managers must agree on a single score.
This process produces the final score and, in virtually all instances, it is the score that will be presented in the Security Advisory or other PSIRT publication. During review, new information may be uncovered that changes the base score.
CVSS Usage for Cisco Multivendor Vulnerability Alerts
Multivendor alert analysts provide base and temporal scores for each multivendor alert. CVSS provides a view into the direct impact of a vulnerability on the host platform running the affected software.
During initial analysis of a vulnerability, the analysts check whether the primary product vendor has issued a CVSS score. If a vendor has provided a CVSS base score, this score will be used in the alert. Some vendors, such as the Cisco PSIRT organization, also provide temporal scores for their vulnerabilities. IntelliShield usually uses these vendor-provided temporal scores for the first version of an alert produced following the release of the vendor's temporal score. After an analyst has produced a score, the wording of the alert summary is aligned with the base and temporal metrics that make up that score.
In some cases, third-party reports or analysts' testing may reveal inconsistencies with the vendor's interpretation of CVSS or application of the score. The analysts use the vendor's base score, but the temporal score may be adjusted and a detailed explanation will be included in the alert regarding the adjustment.
Because multivendor alerts are produced as living documents, one alert is produced per vulnerability to ensure that each has an accurate CVSS score. When new or updated information regarding a vulnerability is released, the alert is updated. Often, these updates will cause elements of the temporal score to change. Updates may include the release of public exploits or vendor patches.
Beyond providing the base and temporal decimal scores, multivendor alerts also include the shorthand CVSS vector used to derive those scores. The availability of both scores is especially effective for organizations that produce environmental scores for their networks. With a full shorthand vector from the multivendor alert, organizations can apply security requirements that rely on specific base metrics. The end result is a flexible tool to assist in vulnerability management and risk assessment.
Cisco uses CVSS to provide customers with a single and common scoring system that is used by multiple vendors. In situations where vendors use their own proprietary scoring systems, it can be difficult for customers to determine the relative importance of reported vulnerabilities. The decision maker who must choose how an "Important" vulnerability in a Microsoft operating system relates to the "Easy/Wide" confidentiality impact in an Oracle database has a difficult task. CVSS removes the obstacle of multiple scoring systems. Customers can use the same metrics to compare vulnerabilities to make timely, informed decisions on the relative impact to their environments.
This document is part of the Cisco Security portal.