Vulnerability Management Why CVSS Alone is a Poor Metric for Prioritizing Vulnerability Patching and Remediation Efforts

Understanding CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a standardized framework for rating the severity of security vulnerabilities. CVSS scores are used widely in vulnerability management to help organizations prioritize their patching and remediation efforts. Understanding how CVSS scores are calculated, and their components is essential to grasp their limitations and the need for a more nuanced approach to vulnerability prioritization.

Calculation of CVSS Scores

CVSS scores are calculated based on three main metric groups: Base, Temporal, and Environmental. Each of these groups contributes to the overall score by evaluating different aspects of a vulnerability.

1. Base Score:
   The Base Score represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. It includes factors such as:
   
   Exploitability Metrics: These measure the ease and technical means by which the vulnerability can be exploited (e.g., attack vector, complexity, privileges required, user interaction).
   
   Impact Metrics: These measure the potential consequences of a successful exploit (e.g., confidentiality, integrity, and availability impact).
   
   
   
2. Temporal Score:
   The Temporal Score adjusts the Base Score by considering factors that change over time. These include:
   
   Exploit Code Maturity: The availability and sophistication of exploit code.
   
   Remediation Level: The availability of a fix or workaround.
   
   Report Confidence: The credibility of the vulnerability report.
   
   
   
3. Environmental Score:
   The Environmental Score further adjusts the Base and Temporal Scores by taking into account the specific characteristics of a user’s environment. These factors include:
   
   Security Requirements: The importance of confidentiality, integrity, and availability for the user’s environment.
   
   Modified Base Metrics: Adjustments based on how the vulnerability impacts the user’s specific environment.

Limitations of CVSS Scores

While CVSS provides a useful starting point for assessing the severity of vulnerabilities, relying solely on CVSS scores for prioritization has several significant limitations.

1. Lack of context regarding exploitability and impact
   CVSS scores do not always provide sufficient context regarding the real-world exploitability and impact of a vulnerability. For example, a high CVSS score may indicate a severe vulnerability, but if there are no known exploits or the vulnerability is not accessible in the organization's environment, it may not be a high priority for remediation.
   
   
2. Overemphasis on severity without considering other critical factors
   CVSS scores focus heavily on the theoretical severity of vulnerabilities, often leading to the prioritization of vulnerabilities that are less likely to be exploited over those that pose a more immediate and practical threat. This overemphasis on severity can result in important vulnerabilities being overlooked.
   
   
3. Potential for mis-prioritization of vulnerabilities
   The reliance on CVSS scores can lead to the mis-prioritization of vulnerabilities. For instance, vulnerabilities with lower CVSS scores but higher exploitability or presence of active exploits may be deprioritized, leaving the organization exposed to significant risks and wasting the valuable time of security team members.

Findings from NetRise Research

The recent NetRise Supply Chain Visibility and Risk Study provides concrete examples of the limitations of CVSS scores in vulnerability prioritization and found that those ranked “Critical” by CVSS were not usually the most important for remediation.

In the study of 100 networking devices analyzed, each networking device had on average 1,120 CVEs. Across all 100 networking devices, 112,026 total CVEs were found and among these there were a total of 4,862 unique CVEs.

Next the study found that 1.8% of the 112,026 vulnerabilities were weaponized, or 2,022 vulnerabilities in total.

“Weaponized vulnerabilities” as a category include vulnerabilities present in the CISA KEV catalog, those known to be used by botnets, to spread ransomware, used by threat actors, or used in known attacks.

Most interesting is that the vast majority of weaponized vulnerabilities were High and Medium CVSS Severities, not Critical. This is the primary reason NetRise suggests not solely relying on CVSS Severity to drive patch management and supply chain detection and response efforts.

Lastly, the research looked at which of the weaponized vulnerabilities were also network accessible. Of the 2,022 weaponized vulnerabilities, 667 of those were found to be network accessible (or approximately 7 per device).

Weaponized and Network Accessible Vulnerabilities

Across all 100 networking equipment devices analyzed.

If we look at these metrics for a single networking device selected at random from the 100 analyzed, the research found 1,750 total vulnerabilities on this single device, of which 29 were weaponized, and only 9 that were both weaponized and network accessible.

Of these 9 most important vulnerabilities, 6 of them were rated Medium per CVSS scores (or 66%). This clearly demonstrates that if using CVSS scores solely to prioritize vulnerabilities, many of the most important vulnerabilities for mitigation would be very far down the list and likely never get addressed at all.

9 Weaponized and Network Accessible Vulnerabilities

From one randomly selected networking equipment device analysis.

The Need for a Comprehensive Approach

Given the limitations of CVSS scores, a more comprehensive approach to vulnerability prioritization is essential. This approach should incorporate additional risk factors and leverage detailed software analysis for accurate and effective vulnerability risk management.

1. Importance of considering weaponized and network-accessible data
   Incorporating data on weaponized vulnerabilities and their network accessibility helps identify those vulnerabilities that pose the highest practical risk. Vulnerabilities that are actively exploited and easily accessible over the network should be prioritized, regardless of their CVSS scores. This ensures that the most immediate and significant threats are addressed first.
   
   
2. The role of detailed software analysis and comprehensive visibility
   Detailed software analysis and comprehensive visibility into all software components are vital for accurate vulnerability prioritization. Generating and analyzing software bills of materials (SBOMs) allows organizations to understand the full scope of their software environments and identify hidden vulnerabilities that may not be captured by traditional scanning methods.
   
   
3. Incorporating other risk factors
   A comprehensive approach should also consider other contextual risk factors such as business impact. Understanding the potential impact of a vulnerability on business operations and the maturity of exploit code can help prioritize remediation efforts even further.
   
   
4. Continuous monitoring, reassessment, and dynamic prioritization
   The threat landscape is constantly evolving, making continuous monitoring and reassessment and dynamic prioritization essential. Regularly updating vulnerability assessments based on the latest threat intelligence and adjusting prioritization criteria ensures that organizations remain protected against emerging threats.
   
   

Conclusion

Relying solely on CVSS scores for vulnerability prioritization is insufficient for effective vulnerability management. The limitations of CVSS scores, as highlighted by the NetRise study, underscore the need for a more holistic and comprehensive approach to risk management. Organizations should prioritize vulnerabilities based on a combination of factors, including exploitability, network accessibility, business impact, and threat intelligence. By adopting a more complete approach to vulnerability prioritization and leveraging detailed software analysis to understand the entire software vulnerability and risk picture, organizations can enhance their security posture and protect against evolving threats.

The key takeaway is clear: CVSS scores provide a useful starting point, but they are not sufficient.

Organizations must adopt a more comprehensive approach to vulnerability management to ensure that the most important threats are addressed, and their security posture is continuously improved.

Originally published August 12, 2024, updated August 12, 2024.