Headline
How CVSS 4.0 changes (or doesn’t) the way we see vulnerability severity
While distilling risk down to a simple numerical score is helpful for many in the security space, it is also an imperfect system that can often leave out important context.
Wednesday, February 21, 2024 08:54
Finding, managing and patching security vulnerabilities on any network, no matter the size, is a tall task.
In the first week of 2024 alone, there were 621 new common IT security vulnerabilities and exposures (CVEs) disclosed worldwide, covering a range of applications, software and hardware that could be on any given network.
Just looking at the raw number of security vulnerabilities that need to be mitigated or patched is going to be overwhelming for any IT team. So, at its most basic level, it’s easy to see why administrators and security researchers are drawn to the appeal of a singular data point that measures how severe a vulnerability is, distilled down to a scale of 0 – 10.
Most casual cybersecurity observers will be familiar with the basic terms like “critical,” “severe” or “moderate” when it comes to measuring how serious a particular vulnerability is – these are usually used in news articles or technical write-ups about a security issue when it becomes public and is based on a vulnerability’s CVSS score.
Now, the way those vulnerabilities are scored is changing, and many organizations are likely to adopt the newly created CVSS 4.0 this year with the hope of providing new context around how, exactly, vulnerabilities can be exploited and what type of risk they present to targets.
CVSS was created and is managed by the Forum of Incident Response and Security Teams (FIRST), a non-profit organization made up of incident response teams from government organizations and private companies.
FIRST describes the CVSS scoring system as “a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.”
And while distilling risk down to a simple numerical score is helpful for many in the security space, it is also an imperfect system that can often leave out important context and does not paint the whole picture of how to best manage vulnerable systems on a network.
**What’s new in CVSS 4.0? **
CVSS 3.1, the current model used by many organizations to measure vulnerability severity, has been around for about four years now. With CVSS 4.0, the creators are hoping to add additional context around how an attacker could exploit a certain vulnerability and what specific requirements need to be met before an adversary could carry out the exploit.
Jerry Gamblin, a principal threat detection and response engineer for Cisco Vulnerability Management, said in a recent episode of Talos Takes that the main takeaway for users who just want to focus on the severity score (and whether an issue is particularly critical) will be in a new “attack requirements” field for scoring a vulnerability. Vulnerabilities that require a targeted software be configured in a certain way outside of its default state to be vulnerable are likely to have lower severity scores under CVSS 4.0, according to Gamblin.
FIRST also says that CVSS 4.0 offers “finer granularity through the addition of new base metrics and values,” including providing readers and administrators with new information about what attack requirements exist for an adversary to be successful, and whether user interaction is required or not for a vulnerability to be exploited.
The formula also includes a greater focus on resiliency on the internet-of-things and industrial control systems space, which has become a great focus of the cybersecurity community.
Once CVSS 4.0 is out in the wild for long enough, FIRST is also likely to release an update in 4.1 that will fix any inconsistencies discovered during the rollout or to add additional missing context, though there is no concrete timeline for when that will happen.
CVSS 4.0 won’t start appearing on most vulnerability advisories users are used to reading until later this year, when organizations that handle the release and disclosure of vulnerabilities start adopting CVSS 4.0, like the National Vulnerability Database, which won’t happen until later this year.
Yves Younan, the leader of Talos’ Vulnerability Research Team, which discovers and discloses hundreds of new vulnerabilities every year, said it could be a year or more before Talos vulnerability advisories start using CVSS 4.0 as any problems are addressed. Talos also did not initially adopt CVSS 3.0 when it was released five years ago.
**What does a severity score mean, anyway? **
Generally, a higher CVSS score means a vulnerability is more serious than others and should be addressed sooner than others with lower severity scores.
For example, Log4shell (CVE-2021-44228), a critical remote code execution vulnerability in the popular Apache Foundation Log4j library, was assigned a maximum score of 10 out of 10 in December 2021 when it was first discovered. The infamous vulnerability was widely exploited across the globe and continues to still be an issue today.
While this score seems objective in measuring how serious an issue is, a CVSS score can be influenced by the researcher reporting the vulnerability and the vendor that needs to patch the issue.
Talos uses the CVSS calculator to create its own severity scores, according to Younan. Eventually, Talos waits for MITRE Corp. to assign a CVE and communicates with the affected vendor about releasing a patch. However, certain aspects of how the CVSS is calculated can be subjective to the organization scoring it, such as whether they consider a vulnerability particularly “easy” or “difficult” to exploit. One major advantage of CVSS 4.0 is that this determination has a much lower impact on the score compared to CVSS 3.1 where it would cause a significant change in the score.
That end score that makes it out into the public is particularly important, though, because a security issue being covered in the press or spread widely on social media can often lead to more attackers trying to exploit the issue on unpatched software or hardware, and therefore increased urgency for the need to patch the issue from admins.
The severity score on one individual vulnerability doesn’t tell the whole story about a potential exploit, either. Younan said many attacks and breaches are the result of adversaries chaining multiple vulnerabilities together to target a particular product or service. As Talos highlights in many of its Vulnerability Deep Dive posts, attackers can use a series of vulnerabilities with relatively low severity scores to eventually carry out a more serious attack or even completely take over a system.
**How do severity scores affect vulnerability management? **
Though severity scores are what will eventually make headlines, patching cadence and vulnerability management must take several factors into consideration.
Each organization will have its own approach for how to address patching and updating their systems with their individual needs, Gamblin said, meaning it’s not as simple as patching 10-out-of-10 severity vulnerabilities first, then 9.9 out of 10, etc.
Certain technologies, such as Cisco Vulnerability Management, can help administrators prioritize patching on their systems and see what vulnerabilities their networks are exposed to. Cisco Vulnerability Management has its own risk score that it uses to prioritize patching, and while the base CVSS score is a part of that calculation, Gamblin said the Cisco Risk Score won’t change because of the release of CVSS 4.0.
Gamblin urges all users and administrators to first patch for vulnerabilities in any software or hardware that’s directly exposed to the internet first, without consideration for whether the vulnerability received a “critical” score or not.
“Anything exposed to the internet should be patched because that’s where we see most attacks,” he said in the Talos Takes episode. “There are very few physical or local attacks these days.”
After that, patching should focus on specific vulnerabilities that could lead to remote code execution, because those are the issues attackers are most likely to exploit, he said. While remote code execution vulnerabilities do generally receive higher severity scores, this isn’t always the case.
It’s also important to prioritize patching any systems that customers or employees access on a day-to-day basis at an organization, Gamblin said, such as email clients or any software that employees have dedicated credentials to and stores sensitive information.
As we pointed out in the 2023 Year in Review report, network infrastructure is also being targeted more frequently, so it’s important to patch any edge devices that touch the internet like routers and switches.
For more on this topic, listen to a previous Talos Takes episode on patching strategies below, and read our recent post on securing network infrastructure.
Related news
A researcher claims to have found a decade-old vulnerability rated 9.9 that affects all GNU/Linux systems, allowing attackers…
Attackers continued to favor software exploits, phishing, and stolen credentials as initial-access methods last year, as Log4j and the Russia-Ukraine cyber conflict changed the threat landscape.
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.2 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in the site group feature. Upgrade to Apache Sling App CMS >= 1.1.4
The latest version (5.1) and all prior versions of Intel's Data Center Manager are vulnerable to a local privileges escalation vulnerability using the application user "dcm" used to run the web application and the rest interface. An attacker who gained remote code execution using this dcm user (i.e., through Log4j) is then able to escalate their privileges to root by abusing a weak sudo configuration for the "dcm" user.
Linus Torvalds, the creator of Linux and Git, has his own law in software development, and it goes like this: "given enough eyeballs, all bugs are shallow." This phrase puts the finger on the very principle of open source: the more, the merrier - if the code is easily available for anyone and everyone to fix bugs, it's pretty safe. But is it? Or is the saying "all bugs are shallow" only true for
A lack of MFA remains one of the biggest impediments to enterprise security.
A slew of Microsoft Exchange vulnerabilities (including ProxyLogon) fueled a surge in attacks targeting software flaws in 2021, but the trend has continued this year.
Pure Storage FlashArray products running Purity//FA 6.2.0 - 6.2.3, 6.1.0 - 6.1.12, 6.0.0 - 6.0.8, 5.3.0 - 5.3.17, 5.2.x and prior Purity//FA releases, and Pure Storage FlashBlade products running Purity//FB 3.3.0, 3.2.0 - 3.2.4, 3.1.0 - 3.1.12, 3.0.x and prior Purity//FB releases are vulnerable to a privilege escalation via the manipulation of Python environment variables which can be exploited by a logged-in user to escape a restricted shell to an unrestricted shell with root privileges. No other Pure Storage products or services are affected. Remediation is available from Pure Storage via a self-serve “opt-in” patch, manual patch application or a software upgrade to an unaffected version of Purity software.
Versions of the Amazon AWS Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.3.5 are affected by a race condition that could lead to a local privilege escalation. This Hotpatch package is not a replacement for updating to a log4j version that mitigates CVE-2021-44228 or CVE-2021-45046; it provides a temporary mitigation to CVE-2021-44228 by hotpatching the local Java virtual machines. To do so, it iterates through all running Java processes, performs several checks, and executes the Java virtual machine with the same permissions and capabilities as the running process to load the hotpatch. A local user could cause the hotpatch script to execute a binary with elevated privileges by running a custom java process that performs exec() of an SUID binary after the hotpatch has observed the process path and before it has observed its effective user ID.
An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in: * The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes), * In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution This issue affects all Apache Solr versions prior to 8.11.1. This issue only affects Windows.
Improper Access Control vulnerability in web service of Secomea SiteManager allows local attacker without credentials to gather network information and configuration of the SiteManager. This issue affects: Secomea SiteManager All versions prior to 9.5 on Hardware.