Key Takeaways:
- CVSS v4 comes with new features, including added Base metrics and a new Supplemental metric group.
- CVSS v4 is more useful for assessing the severity of vulnerabilities in OT/ICS/Safety systems.
- CVSS v4 introduces new nomenclature, and organizations should start planning their migration.
Intro
CVSS essentially provides a way to capture the principal technical characteristics of a security vulnerability and produce a numerical score denoting its severity. The score can be translated into various levels, such as low, medium, high, and critical, to help organizations prioritize their vulnerability management processes.
On November 1, 2023, FIRST officially launched CVSS v4.0, the latest version of the Common Vulnerability Scoring System standard, replacing CVSS v3.0 (released in June 2015). For reference, CVSS v3.1 was released in June 2019.
CVSS v3.1 emphasized and clarified that “CVSS is designed to measure the severity of a vulnerability and should not be used alone to assess risk.”
CVSS v3.1 attracted criticism for the lack of granularity in its scoring scale and for its lack of OT/ICS/Safety focus.
What’s New?
Here I highlight some new features introduced in CVSS v4.0:
- A new level of granularity, with added Base metrics and values.
- Clearer insight into vulnerability impact by assessing effects on the vulnerable system and on subsequent systems separately.
- A simplified Threat metric group that focuses on Exploit Maturity.
- A new Supplemental metric group.
- New nomenclature to enumerate CVSS scores:
  - Base (CVSS-B)
  - Base + Threat (CVSS-BT)
  - Base + Environmental (CVSS-BE)
  - Base + Threat + Environmental (CVSS-BTE)
Below is a summary of the differences between CVSS v4.0 and v3.1:
| Feature | CVSS v4.0 | CVSS v3.1 |
|---|---|---|
| Base | 11 metrics | 8 metrics |
| Base: Exploitability | 1. Attack Vector (AV); 2. Attack Complexity (AC); 3. Attack Requirements (AT); 4. Privileges Required (PR); 5. User Interaction (UI) | 1. Attack Vector (AV); 2. Attack Complexity (AC); 3. Privileges Required (PR); 4. User Interaction (UI) |
| Base: Impact | Vulnerable System Impact: 6. Confidentiality (VC); 7. Integrity (VI); 8. Availability (VA). Subsequent System Impact: 9. Confidentiality (SC); 10. Integrity (SI); 11. Availability (SA) | Impact: 5. Confidentiality (C); 6. Integrity (I); 7. Availability (A) |
| Base: Scope | N/A | 8. Scope |
| Threat | Threat: Exploit Maturity (E) | Temporal: Exploit Code Maturity (E); Remediation Level (RL); Report Confidence (RC) |
| Environmental | Modified Base metrics (11); Consumer-assessed Safety (MSI:S, MSA:S) | Modified Base metrics (8) |
| Supplemental Group | Safety (S); Automatable (A); Recovery (R); Value Density (V); Response Effort (RE); Urgency (U) | None |
| OT/ICS/Safety Focus | Yes | No |
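As an added example that is not part of the original post or of any FIRST tooling, the Python below parses a CVSS v4.0 vector string, checks the 11 Base metrics from the table, and names the result with the CVSS-B/BT/BE/BTE nomenclature listed above. The permitted values per metric are my reading of the v4.0 specification and are an assumption of this example.

```python
# Added example (not from the post or from FIRST): parse a CVSS v4.0 vector,
# validate the 11 Base metrics, and name the score by the v4.0 nomenclature
# (CVSS-B, CVSS-BT, CVSS-BE, CVSS-BTE). The allowed values below are the
# example author's reading of the v4.0 specification (assumption).

# Base: Exploitability (AV, AC, AT, PR, UI), Vulnerable System Impact (VC, VI, VA)
# and Subsequent System Impact (SC, SI, SA). Each string lists the legal values.
BASE = {"AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
        "VC": "HLN", "VI": "HLN", "VA": "HLN", "SC": "HLN", "SI": "HLN", "SA": "HLN"}
THREAT = {"E": "XAPU"}  # v4.0 Threat group is Exploit Maturity only (X = Not Defined)
# Environmental: requirements plus the 11 Modified Base metrics; MSI/MSA also
# accept S, the consumer-assessed Safety value the post highlights.
ENVIRONMENTAL = {"CR": "XHML", "IR": "XHML", "AR": "XHML",
                 **{"M" + k: "X" + v for k, v in BASE.items()},
                 "MSI": "XSHLN", "MSA": "XSHLN"}
# Supplemental group: carries context but never changes the score or the name.
SUPPLEMENTAL = {"S": "XNP", "AU": "XNY", "R": "XAUI", "V": "XDC", "RE": "XLMH",
                "U": ("X", "Clear", "Green", "Amber", "Red")}
ALL_METRICS = {**BASE, **THREAT, **ENVIRONMENTAL, **SUPPLEMENTAL}


def parse_vector(vector: str) -> dict:
    """Return {metric: value} for a 'CVSS:4.0/...' vector, rejecting bad input."""
    prefix, _, body = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector")
    metrics = {}
    for pair in body.split("/"):
        name, sep, value = pair.partition(":")
        allowed = ALL_METRICS.get(name)
        if not sep or allowed is None or value not in tuple(allowed):
            raise ValueError(f"bad metric {pair!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:  # every Base metric is mandatory; the other groups default to X
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def nomenclature(metrics: dict) -> str:
    """Name the score by the groups actually assessed (a value of X does not count)."""
    has_threat = any(metrics.get(m, "X") != "X" for m in THREAT)
    has_env = any(metrics.get(m, "X") != "X" for m in ENVIRONMENTAL)
    return "CVSS-B" + ("T" if has_threat else "") + ("E" if has_env else "")
```

Supplemental metrics such as U:Red are validated but never change the name, matching their role as context rather than score input.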
Notes
CVSS is more than the Base score: the CVSS Base Score should be supplemented with an analysis of the threat factors (which change over time) and the environmental factors (the security controls in place).
Tools and Links
- CVSS Calculator: v4.0 and v3.1
- CVSS v4.0 Specification
- CVSS v4.0 Presentation