In an industry as dynamic as cybersecurity, eight years isn’t just a long time – it’s practically an eternity. New technologies emerge quickly, and motivated threat actors waste no time catching up and developing new attack methods. So it’s safe to say the latest version of the industry’s Common Vulnerability Scoring System (CVSS), introduced on November 1st, was highly anticipated and greatly needed.
The new version, CVSS 4.0, was developed by 30 CVSS Special Interest Group (SIG) members, and Skybox is proud to have been an active part of the community that produced it. The updated scoring system aims to provide a more nuanced way to calculate risk than the previous version (3.1), which was introduced in June 2015. The changes affect both what is assessed and how it is assessed.
Here are our four takeaways from CVSS 4.0:
(#1) More Precise Terminology
CVSS has always consisted of three metric groups – Base, Temporal (now called Threat), and Environmental. Over time, however, the Base metric group mistakenly became synonymous with the overall score, so the SIG renamed the scores in CVSS 4.0 to state explicitly which metric groups each one includes. There are now four score names, with the overall score, CVSS-BTE, stressing the importance of every metric group when determining risk.
The new CVSS 4.0 risk group scores are now named as follows:
- CVSS-B (Base metric group)
- CVSS-BT (Base and Threat metric groups)
- CVSS-BE (Base and Environmental metric groups)
- CVSS-BTE (Base, Threat, and Environmental metric groups)
Security teams can now better gauge risk based on the score type. For example, a vulnerability may have a relatively low CVSS-B score but be known to be exploited in the wild; its CVSS-BT score would then signal to the security team that the vulnerability is a more significant threat than it initially seems. That higher risk may previously have been missed, but the new terminology stresses the differences between the metric groups, making it easier for security teams to prioritize remediation.
In addition to the updated scoring, CVSS 4.0 introduces a Supplemental metric group that provides additional contextual information about the vulnerability. This metric group is optional and does not affect the CVSS score.
By naming the scoring variables more accurately and emphasizing the modularity of its components, the CVSS score better reflects what is assessed. This helps security professionals gain a more comprehensive understanding of the risk in their environment and better prioritize which vulnerabilities need the most immediate attention.
(#2) Added Granularity
With CVSS 3.1, scores included an Attack Complexity (AC) metric reflecting both the engineering skill an attacker needs to exploit a vulnerability and the conditions on the affected system that make the attack possible. In CVSS 4.0, that metric is split in two: Attack Complexity (AC) now refers only to the engineering skill needed to circumvent existing defensive measures on the affected system, while Attack Requirements (AT) reflects the prerequisite conditions of the vulnerable component that make the attack possible.
This change lets security teams understand better what is under their control and how they can take steps to lessen risk. For example, a low AT score for an asset means a default configuration may not be enough to protect against an attack. In that case, a team may make it harder for an attacker to exploit the vulnerability by changing the device configuration in response to a relevant, high-priority threat.
In addition, to better reflect the potential damage a vulnerability may do to an affected asset, the impact metrics of the CVSS-B score are now divided into Vulnerable System Impact and Subsequent System Impact. For each element of the CIA Triad (Confidentiality, Integrity, and Availability), the impact is assessed separately for the vulnerable component and for the system it belongs to. Splitting the CIA Triad metrics into these two subgroups helps security teams understand not only what is at stake but also the nature of the damage a vulnerability may do to assets assumed to be secure.
Another change was made to the Base metric group’s User Interaction (UI) metric. The options available are no longer “Required” or “None” but “Active,” “Passive,” or “None.” That terminology reflects the various ways in which a user can be tricked into assisting a successful attack. When user interaction is Passive, a successful exploit does not require the user to actively subvert protections built into the vulnerable system (e.g., visiting a maliciously crafted website). When user interaction is Active, a successful attack requires the attacker to trick a user into performing an action that subverts the affected system’s protection mechanism, such as importing a maliciously crafted file and storing it in a specific directory. Distinguishing these two kinds of user interaction helps security teams understand how a successful exploit of the vulnerability works, which protections should be enhanced, and what user behavior to watch for.
(#3) Removal of Redundancies
While many new pieces were added to CVSS 4.0, the SIG also removed metrics that did not carry sufficient weight for security teams. Most notably, Scope, previously a component of the Base metric group, was retired. It was never sufficiently clear what Scope was supposed to reflect, which unintentionally caused many scoring inconsistencies across the industry. The pervasiveness of the damage an exploited vulnerability may cause is now reflected in the impact metrics of the Base metric group (see above).
Additionally, the “Remediation Level” (RL) and “Report Confidence” (RC) metrics in the Temporal (now Threat) metric group were retired.
(#4) Improved Simplicity
CVSS 4.0 changes both what is assessed and how some of the metrics are assessed. One significant change is that the Threat metric group now comprises a single metric, Exploit Maturity. While CVSS 3.1 offered four values for that metric (Functional, High, Proof-of-Concept, and Unproven), CVSS 4.0 offers only three. Since both Functional and High indicated the existence and availability of functional exploit code, they were often taken to imply exploitation in the wild; in reality the distinction was not so clear-cut, even though actual exploitation was highly likely under those circumstances. To resolve this, both values were dropped in CVSS 4.0 and a new value, “Attacked” (A), was added instead. That leaves a single value to indicate that state of affairs, improving the consistency of CVSS-BT scores across the industry.
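To make the score names from takeaway #1 and the new metric values from takeaways #2 and #4 concrete, here is an added Python example (not Skybox’s or the CVSS SIG’s code) that validates a CVSS 4.0 vector string against the 4.0 value sets and reports which score name (CVSS-B, -BT, -BE or -BTE) applies; it does not compute the numeric score. The sample vector is constructed, and the Environmental and Supplemental metric abbreviations are taken from the CVSS 4.0 specification rather than from this post.

```python
"""Validate a CVSS 4.0 vector against the 4.0 metric value sets (AT, the
three-way UI, the reduced Exploit Maturity) and name the score it yields."""
_IMPACT = "HLN"
BASE = {"AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
        "VC": _IMPACT, "VI": _IMPACT, "VA": _IMPACT,   # Vulnerable System impact
        "SC": _IMPACT, "SI": _IMPACT, "SA": _IMPACT}   # Subsequent System impact
THREAT = {"E": "XAPU"}  # Exploit Maturity: Not Defined / Attacked / POC / Unreported
ENVIRONMENTAL = {"CR": "XHML", "IR": "XHML", "AR": "XHML",
                 "MAV": "XNALP", "MAC": "XLH", "MAT": "XNP", "MPR": "XNLH",
                 "MUI": "XNPA", "MVC": "XHLN", "MVI": "XHLN", "MVA": "XHLN",
                 "MSC": "XHLN", "MSI": "XSHLN", "MSA": "XSHLN"}
SUPPLEMENTAL = {"S": "XNP", "AU": "XNY", "R": "XAUI", "V": "XDC", "RE": "XLMH",
                "U": ("X", "Clear", "Green", "Amber", "Red")}  # optional, no score impact
ALLOWED = {m: tuple(v) for group in (BASE, THREAT, ENVIRONMENTAL, SUPPLEMENTAL)
           for m, v in group.items()}
# Constructed sample (not a real CVE): network-reachable, prerequisites present, passive UI.
SAMPLE_BASE = "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"

def parse_vector(vector: str) -> dict:
    """Return {metric: value} for a 'CVSS:4.0/...' string, or raise ValueError."""
    prefix, _, body = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS 4.0 vector")
    metrics = {}
    for item in body.split("/"):
        name, sep, value = item.partition(":")
        if not sep or name not in ALLOWED or value not in ALLOWED[name]:
            raise ValueError(f"invalid metric {item!r}")  # e.g. the retired UI:R or E:H
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        metrics[name] = value
    missing = sorted(set(BASE) - set(metrics))
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics

def is_valid(vector: str) -> bool:
    try:
        return bool(parse_vector(vector))
    except ValueError:
        return False

def nomenclature(metrics: dict) -> str:
    """CVSS-B plus T and/or E for each group holding a defined (non-X) value."""
    defined = lambda group: any(metrics.get(m, "X") != "X" for m in group)
    return "CVSS-B" + ("T" if defined(THREAT) else "") + ("E" if defined(ENVIRONMENTAL) else "")

if __name__ == "__main__":  # same flaw: base only, then exploited in the wild, then with site context
    for vec in (SAMPLE_BASE, SAMPLE_BASE + "/E:A", SAMPLE_BASE + "/E:A/MAV:L/S:P"):
        print(nomenclature(parse_vector(vec)), vec)
```

Adding only Supplemental metrics to the sample leaves the name at CVSS-B, mirroring the point above that the Supplemental group never changes the score.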
With a rapidly evolving threat landscape, cybersecurity professionals must continuously work together to beat cybercriminals. Skybox was proud to participate in the community discussions again with the 30 CVSS SIG members, bringing to light many of the concerns and challenges seen with CVSS 3.1.
The new CVSS version offers a more precise, detailed, and straightforward way to assess cybersecurity risks. The team is hopeful these changes will enhance cohesiveness when describing and defining a vulnerability, provide a broader perspective on the interactions between different aspects of the vulnerability, stress the importance of the context in which a vulnerability could be exploited, and give industry professionals a more reliable and up-to-date method of assessing risk. Together, as a community, we will work to defend against cybercriminals.