The Common Vulnerability Scoring System (CVSS) is a public standard maintained by the Forum of Incidence and Response Teams (FIRST) that provides a method for scoring IT-related vulnerabilities. Additional details and documentation are on the standard are available at http://www.first.org/cvss.
CVSS divides vulnerability into three components: Base, Temporal, and Environmental. The base metric describes how severe the issue is from a technical perspective. The temporal metric tells how a vulnerability changes over time, and the environmental metric specifies the impact on a specific running system.
This document focuses on how Cisco uses CVSS. To learn more about the individual metrics or the scoring mechanics, please view the official documentation provided by FIRST.
Within Cisco, two groups use CVSS: the Product Security Incident Response Team (PSIRT) and the Cisco Security IntelliShield Alert Manager Service team. Cisco PSIRT handles security vulnerabilities in all Cisco products. This team is the only group tasked with communicating information about vulnerabilities in Cisco products to customers. The Cisco Security IntelliShield Alert Manager Service provides customizable, up-to-the-minute security intelligence, in-depth vulnerability analyses, and highly reliable threat validation. IntelliShield Alert Manager provides this intelligence and analysis for all vendors and products, including Cisco products.
A common task for the PSIRT and IntelliShield groups is assigning and communicating CVSS scores to Cisco customers. In addition to external communications, PSIRT also uses CVSS as a major component in prioritizing team workload.
CVSS Usage Within PSIRT
When PSIRT receives a report of a potential vulnerability, a base score is assigned to the issue. This initial score is marked as preliminary because it is often assigned without actually reproducing the issue described within the report. A temporal score is also assigned at this time, even though it usually plays a lesser role in the process. The exception would be dealing with an issue where a vulnerability can be triggered by a mobile autonomous code (for example, a virus or worm). If that is the case, and the report has sufficiently high base score, a PSIRT manager will immediately start working on the report.
Whatever the preliminary score may be, it is recorded with all known information at the time. The preliminary base score is a major component that determines how soon a PSIRT Incident Managers takes the report from the input queue. Higher priority cases (those cases with higher base scores) are usually selected first. To prevent reports with lower scores remaining in the input queue for too long, the next available Incident Manager may be asked to verify the older reports instead of a more recent report with a higher score.
When a PSIRT Incident Manager begins working on a report, the preliminary score may change. Although the score is assigned before all the facts about a vulnerability are known, the score does not change as often as might be assumed. Experience, knowledge of Cisco products, and how those products are deployed help Incident Managers assign the correct score at the onset of scoring. Liaisons with other groups within and outside of Cisco are also helpful.
To ensure the most accurate and consistent scoring, the scores (base and temporal) are verified by a second Incident Manager. Each report accepted by PSIRT has a primary and a backup owner. The primary owner actively works on the report while the backup owner monitors the situation and provides assistance when required. The primary duties of a backup owner include verifying the CVSS score assigned by the primary Incident Manager.
For reports in which these two scores do not match, the primary and backup Incident Managers reconcile any differences. Differences may occur when aspects of the report are understood differently, or when the backup Incident Manger can provide new insight or additional information that may affect overall report understanding. Whatever situation occurs, the primary and backup managers must agree on a single score.
This process produces the final score and, in virtually all instances, it is the score that will be presented in the Security Advisory or other PSIRT publication. During review, new information may be uncovered that changes the base score.
CVSS Usage Within IntelliShield
IntelliShield Alert Manager analysts provide base and temporal scores to each Vulnerability Alert that is produced by the service. This score is produced alongside the Cisco proprietary UCS (Urgency, Credibility, Severity) scoring that IntelliShield uses, and in many ways, the two scores overlap. By itself, CVSS provides a view into the direct impact of a vulnerability on the host platform running the affected software. The IntelliShield UCS score considers both the direct and indirect impacts of a vulnerability and can account for vulnerabilities that affect more than one host. Because the scores provide different information and consider different scopes, each score is provided on an alert. These scores complement each other and help provide a full picture of the impact of a vulnerability.
During initial analysis of a vulnerability, IntelliShield analysts check whether the primary product vendor has issued a CVSS score. If a vendor has provided a CVSS Base score, this score will be used in the IntelliShield Alert. Some vendors, such as the Cisco PSIRT organization, also provide temporal scores for their vulnerabilities. IntelliShield usually uses these vendor-provided temporal scores for the first version of an IntelliShield alert produced following the release of the vendor's temporal score. Once an IntelliShield analyst has produced a score, it is integrated into language within the Description section of the alert to align with the metrics of the Base and Temporal scores for a vulnerability. By comparing the CVSS metric to the Description section of an alert, a customer can verify that the scoring and alert information are accurate.
In some cases, third-party reports or IntelliShield testing may reveal inconsistencies with the vendor's interpretation of CVSS or application of the score. IntelliShield uses the vendor's base score, but the temporal score may be adjusted and a detailed explanation will be included in the IntelliShield Analysis section of the alert regarding the adjustment.
Because IntelliShield alerts are produced as living documents, one alert is produced per vulnerability to ensure that each has an accurate CVSS score. When new or updated information regarding a vulnerability is released, the IntelliShield alert is updated. Often, these updates will cause elements of the temporal score to change. Updates may include the release of public exploits or vendor patches.
Beyond providing the base and temporal decimal scores, IntelliShield also includes the shorthand CVSS vector used to derive those scores within the CVSS Calculator link in each alert header. The availability of both scores is especially effective for organizations that produce environmental scores for their networks. With a full shorthand vector from IntelliShield, organizations can apply security requirements that rely on specific base metrics. The end result is a flexible tool to assist in vulnerability management and risk assessment.
Cisco decided to use CVSS to provide customers with a single and common scoring system that is used by multiple vendors. In situations where vendors use their own proprietary scoring systems, it can be difficult for customers to determine the relative importance of reported vulnerabilities. The decision-maker who must choose how an 'Important' vulnerability in Microsoft's operating system relates to the 'Easy/Wide' confidentiality impact in Oracle database has a difficult task, especially if either is more or less severe than a vulnerability from Sun with no specific score. CVSS removes the obstacle of multiple scoring systems. Customers can use the same metrics to compare vulnerabilities to make timely, informed decisions on the relative impact to their environments.
This document is part of the Cisco Security Intelligence Operations.
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.