CVSS Vulnerability Scoring Overview

Questions and Answers

The Environmental Metrics in CVSS modify the final score.

False (B)

What is the highest possible score that can be generated by the CVSS?

• 8.0
• 7.5
• 10.0 (correct)
• 5.0

List the four metric groups in CVSS.

Base, Threat, Environmental, Supplemental

A CVSS score between 4.0 and 6.9 is considered _____ severity.

Medium

Which metric group reflects the qualities of a vulnerability that change over time?

Threat Group (A)

What is required for an attacker to successfully exploit a vulnerability?

Target-specific secret (A)

The attack requirements metric captures the conditions of the vulnerable system that do not affect the success of the attack.

False (B)

Match the CVSS score ranges with their corresponding severity level:

0.0 = None 0.1 - 3.9 = Low 4.0 - 6.9 = Medium 7.0 - 8.9 = High 9.0 - 10.0 = Critical

CVSS provides a quantitative measure of software vulnerabilities.

False (B)

What does 'Privileges Required (PR)' describe?

The level of privileges an attacker must possess before exploiting a vulnerability.

An attack that requires an attacker to inject themselves into the logical network path is referred to as __________.

network injection

What does CVSS stand for?

Common Vulnerability Scoring System

Match the metrics with their descriptions:

None (N) = Attack does not depend on conditions Present (P) = Attack depends on specific conditions Privileges Required (PR) = Level of access before exploitation Exploitability Metrics = Metrics that capture conditions for attack success

How may an attack needing multiple attempts to succeed be classified?

Requires specific deployment conditions (B)

Secrets are pieces of information that can be obtained through reconnaissance.

False (B)

What is the role of prerequisites in attack success?

Prerequisites are conditions that must be met for an attack to succeed.

What does the Attack Vector (AV) metric reflect?

The context by which vulnerability exploitation is possible (B)

The Exploitability metrics reflect the direct consequence of a successful exploit.

False (B)

What is the score range produced by base metric values?

0 to 10

The Exploitability metrics include the _____ metrics and the Impact metrics.

Exploitability

Match the following terms with their descriptions:

Network (N) = The system is explorable over the network stack. Adjacent (A) = Exploration is limited to a logically adjacent topology. Impact metrics = Reflect the consequences of a successful exploit. Exploitability metrics = Reflect the ease of exploitation of a vulnerability.

Which attack vector allows for remote exploitation?

Network (N) (D)

Impact metrics reflect how vulnerabilities affect only the vulnerable system itself.

False (B)

What is the purpose of amending Threat and Environmental metrics?

To refine the resulting severity score.

What type of interaction is described as 'Active' in the context of a vulnerable system?

A targeted user performing specific interactions with the system (A)

The impact metrics only measure the effects of the vulnerability on the vulnerable system itself.

False (B)

What does the confidentiality metric measure in the context of a vulnerability?

The impact on the confidentiality of the information managed by the system.

In the impact metrics, a 'High' confidentiality score indicates a total loss of __________.

confidentiality

Match the following confidentiality metric values with their descriptions:

High (H) = Total loss of confidentiality affecting sensitive information Low (L) = Limited loss of confidentiality with some restricted information accessed

What is an example of an Active interaction?

Submitting a specific string into a web application (D)

A confidentiality loss is considered serious if an attacker gains control over only a small amount of restricted information.

False (B)

What factors should analysts consider when assessing impact metrics?

Analysts should consider the reasonable and final outcomes that an attacker can achieve based on the vulnerability.

What does the acronym CVSS stand for?

Common Vulnerability Scoring System (B)

Supplemental metrics will impact the final calculated CVSS score.

False (B)

What does the Modified Attack Complexity (MAC) metric indicate?

The complexity required to exploit a vulnerability

The abbreviated form for Modified Subsequent System Availability is ______.

MSA

Which metric captures whether an attacker can automate the exploitation of a vulnerability?

Automatable (D)

Match the following supplemental metrics with their descriptions:

Safety = Impact to human safety due to the vulnerability Automatable = Ability to automate exploitation across targets Recovery = Potential for recovery after exploitation Confidentiality = Impact on data confidentiality after a breach

A vector string can include the same metric more than once.

False (B)

What is the first part of a CVSS v4.0 vector string?

CVSS:4.0

Study Notes

CVSS: Common Vulnerability Scoring System

• A standardized framework for communicating the severity of software vulnerabilities, with numerical scores indicating vulnerability severity.
• The CVSS score ranges from 0 to 10, with higher scores signifying greater severity.
• CVSS is used to prioritize vulnerabilities, helping organizations focus on the most critical ones to mitigate risk.
• CVSS is an open framework, meaning it is freely available and can be adopted by anyone.

CVSS Scoring

• Base Metrics: Represent core vulnerability characteristics, constant across user environments.

• Exploitability Metrics: Reflect ease of exploitation. - Attack Vector (AV): Describes the path or context required for exploitation.

  • Network (N): Vulnerability can be exploited remotely across a network.
  • Adjacent (A): Vulnerability can be exploited within the same network topology, not remotely.
  • Local (L): Requires physical access to the vulnerable system.
  • Active (A): Vulnerability requires targeted user interaction. - Attack Complexity (AC): Describes the difficulty of exploiting the vulnerability.
  • High (H): Requires complex steps and significant technical expertise to exploit.
  • Low (L): Can be exploited with minimal effort. - Privileges Required (PR): Indicates the user privileges required to exploit the vulnerability.
  • High (H): Attacker needs elevated privileges, like administrator access.
  • Low (L): Attacker doesn't need special privileges. - User Interaction (UI): Indicates whether user interaction is needed to exploit the vulnerability.
  • None (N): Vulnerability can be exploited without user interaction.
  • Required (R): User interaction is required to exploit the vulnerability. - Attack Requirements (AT): Specifies the specific conditions or prerequisites needed for successful exploitation.
  • None (N): No specific requirements for exploitation.
  • Present (P): Requires specific conditions for exploitation.

• Impact Metrics: Reflect the consequences of a successful exploit on the vulnerable system and its downstream impact on subsequent systems.

  • Confidentiality (C): Measures the impact on confidentiality of information managed by the system.
    • High (H): Total loss of confidentiality, with a high impact on the system.
    • Low (L): Some loss of confidentiality, with a limited impact on the system.
    • Not Defined (X): Confidentiality impact is not defined.
  • Integrity (I): Measures the impact on the integrity of system data.
    • High (H): Total loss of integrity, with a critical impact on the system.
    • Low (L): Some loss of integrity, with limited impact on the system.
    • Not Defined (X): Integrity impact is not defined.
  • Availability (A): Measures the impact on the system's availability.
    • High (H): Total loss of availability, with a major impact on the system.
    • Low (L): Some loss of availability, with limited impact on the system.
    • Not Defined (X): Availability impact is not defined.

• Threat Metrics: Reflect the characteristics of a vulnerability that vary over time.

• Environmental Metrics: Reflect the characteristics of a vulnerability that are specific to a user's environment.

• Supplemental Metrics: Provide additional insight into vulnerability characteristics but do not modify the final score.

Vector String: Machine Readable Format

• CVSS V4.0 Vector strings, starting with "CVSS:4.0/", represent a set of CVSS metrics in a concise and machine-readable format.
• They are used to record or transfer CVSS metric information.

### Modified Base Metrics

• Allow analysts to override individual Base metric values based on specific user environment characteristics.
• These metrics can be used to provide more accurate and contextually relevant scores.

Supplemental Metrics

• Describe and measure additional attributes of a vulnerability, providing more comprehensive information.
• Include considerations like safety impact, automatability of exploitation, and recovery efforts.

Description

Explore the Common Vulnerability Scoring System (CVSS) in this quiz. Learn about its scoring framework, base metrics, and exploitability metrics designed to communicate and prioritize software vulnerabilities effectively. Understand how CVSS helps organizations mitigate risks related to vulnerabilities.