
Migrating from CVSS 3.1 to CVSS 4.0

The Common Vulnerability Scoring System (CVSS) is the industry standard for rating the severity of security vulnerabilities. CVSS 4.0 introduces changes intended to make these ratings more precise and more relevant. Compared with CVSS 3.1, the new version brings innovations that will have a profound impact on how security threats are handled. This article analyses the differences between versions 3.1 and 4.0, highlights the most important changes and discusses their significance.

CVSS Basics

The Common Vulnerability Scoring System is a framework for assessing the severity of security vulnerabilities in information systems. It is based on a set of metrics that are divided into three main categories:

  • Base Metrics: Assess the severity of a vulnerability from its intrinsic characteristics, such as attack complexity and the impact on confidentiality, integrity and availability.
  • Temporal Metrics: Modify the base assessment according to time-dependent factors such as the availability of exploits or countermeasures.
  • Environmental Metrics: Adapt the assessment to a specific environment, taking into account the importance of the affected systems and the protective measures already in place.

This structured approach enables a differentiated assessment of the risks posed by security vulnerabilities and helps organisations to prioritise their responses accordingly.

New features in CVSS 4.0 compared to CVSS 3.1

While the basic structure of the Base Metrics remains largely unchanged, CVSS 4.0 adds the “Attack Requirements” metric to this group. It evaluates the preconditions for a successful attack: alongside the existing “Attack Complexity” metric, which measures how difficult it is to develop a working exploit, it now also records whether the vulnerable component must be in a specific state for the attack to succeed. The “Scope” metric, which was often seen as misleading and problematic in the past, has been removed and replaced with a more detailed view of the affected systems, which significantly improves the clarity and applicability of the framework.
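As an added illustration (not code from the article or from FIRST), the following Python helper turns a CVSS 3.1 base vector into a CVSS 4.0 base vector and lists the metrics an analyst must re-assess because of the new Attack Requirements metric, the split User Interaction metric and the removed Scope metric; the mapping rules are this example's own assumptions, not an official conversion.

```python
# Added example (not from the article or from FIRST): map a CVSS 3.1 base
# vector onto a CVSS 4.0 base vector and flag the metrics 4.0 changed (new AT,
# split UI, removed Scope) so an analyst re-assesses them.  The mapping rules
# are an assumption of this example, not an official FIRST conversion.

def parse_vector(vector):
    """Split 'CVSS:x.y/M:V/...' into {'CVSS': 'x.y', 'M': 'V', ...}."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:"):
        raise ValueError("vector must start with 'CVSS:'")
    metrics = {"CVSS": parts[0].split(":", 1)[1]}
    for part in parts[1:]:
        key, _, value = part.partition(":")
        if not key or not value:
            raise ValueError(f"malformed metric {part!r}")
        metrics[key] = value
    return metrics

def migrate_31_to_40(vector):
    """Return (cvss40_base_vector, review_notes) for a CVSS 3.1 base vector."""
    m = parse_vector(vector)
    if m["CVSS"] != "3.1":
        raise ValueError("expected a CVSS 3.1 vector")
    notes = []
    # Attack Requirements (AT) is new in 4.0: it records whether the target
    # must be in a particular state.  Start with 'None' and ask the analyst
    # whether 3.1's AC:H really described such a precondition.
    at = "N"
    if m["AC"] == "H":
        notes.append("AC:H may belong in AT:P under 4.0; re-assess AC and AT")
    # 4.0 splits User Interaction 'Required' into Passive (P) and Active (A).
    ui = "N" if m["UI"] == "N" else "P"
    if m["UI"] == "R":
        notes.append("UI:R mapped to UI:P; use UI:A if the user must act deliberately")
    # Scope is gone: 4.0 rates the Vulnerable System (VC/VI/VA) and any Subsequent
    # System (SC/SI/SA) separately.  S:U means no subsequent impact; for S:C the
    # 3.1 impacts are copied as a starting point only.
    vc, vi, va = m["C"], m["I"], m["A"]
    if m["S"] == "C":
        sc, si, sa = vc, vi, va
        notes.append("S:C mapped to SC/SI/SA copied from C/I/A; rate subsequent impact explicitly")
    else:
        sc = si = sa = "N"
    out = (f"CVSS:4.0/AV:{m['AV']}/AC:{m['AC']}/AT:{at}/PR:{m['PR']}/UI:{ui}"
           f"/VC:{vc}/VI:{vi}/VA:{va}/SC:{sc}/SI:{si}/SA:{sa}")
    return out, notes

if __name__ == "__main__":
    v40, todo = migrate_31_to_40("CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N")
    print(v40, *todo, sep="\n - ")
```

The returned notes are the analyst's to-do list: every 3.1 vector maps mechanically, but AT, UI and the subsequent-system impacts are new judgements that 3.1 never recorded.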

Threat Metrics

The conversion of “Temporal Metrics” into “Threat Metrics” is a significant change. By focusing on “Exploit Maturity”, the evaluation is simplified while the relevance of the score to the actual threat situation is increased.

  • Attacked: Takes into account whether a vulnerability has already been exploited. This indicates how attractive the vulnerability is to attackers and whether a known method or tool already facilitates its exploitation.
  • Proof of Concept (PoC): The existence of a publicly available PoC increases the likelihood of exploitation, as it gives attackers a foundation to build on.
  • Reported/Unreported: The existence of detailed instructions on how to exploit a vulnerability lowers the barrier to entry for potential attackers and therefore increases the risk of an actual threat.

Figure: CVSS 4.0 Threat Metrics

Environmental Metrics

The extension of the “Environmental Metrics” enables a more precise assessment of the impact on downstream systems, so that the risk to the primary system and to other affected systems is captured more accurately.

  • Vulnerable System Impact Metrics: Assess the critical role that the affected system plays within the organisation. Systems that support critical business processes or store sensitive information are given a higher priority.
  • Exploitability Metrics: Consider the effectiveness of existing security controls and safeguards that may mitigate the impact of a vulnerability.
  • Subsequent System Impact Metrics: Assess the consequences that exploitation of the vulnerability could have on other systems within the network, especially if the vulnerability can be used to propagate attacks.

Figure: CVSS 4.0 Environmental Metrics

Supplemental Metrics

A completely new element in CVSS 4.0 is the set of “Supplemental Metrics”. They provide additional information that has no direct influence on the overall score but can make a decisive contribution to risk assessment. For example, they indicate whether automated exploitation is feasible, how urgently the vendor recommends fixing the vulnerability, how long it takes to restore system integrity and how much effort incident response requires for an incident affecting the system in question. With the introduction of these metrics, FIRST is acknowledging that CVSS is increasingly used outside traditional IT systems, for example for industrial control systems and IoT devices.

Figure: CVSS 4.0 Supplemental Metrics

Impact of CVSS 4.0 on cyber security

The update to CVSS 4.0 enables a more precise risk assessment. For developers and IT security teams, this means that security vulnerabilities can now be analysed in greater detail, leading to targeted prioritisation and remediation. The introduction of “Supplemental Metrics” improves communication about security risks, both internally between departments and externally with partners and customers. This promotes a deeper understanding of security threats and supports a more effective risk management strategy. End users benefit indirectly from the improvements, as a more accurate risk assessment leads to faster responses to threats. Because security updates can be prioritised more efficiently, vulnerabilities are fixed more quickly, which strengthens the protection of personal and business-critical data.

CVSS 4.0 reflects the adaptation to the increasing complexity of cyber-attacks and provides organisations with an advanced risk management toolset.

Conclusion

CVSS 4.0 also simplifies the presentation of results. Unlike previous versions, which provided separate scores for different aspects of the assessment, CVSS 4.0 aims to reduce complexity and increase clarity by providing a single, comprehensive score at the end of the assessment process. This change is meant to simplify decision-making for IT security teams and allow a more direct interpretation of the security posture. Consolidating three scores into one not only simplifies risk assessment but also makes communication about security risks more efficient, because the core information becomes more accessible and easier to understand.
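To make the four metric groups and the single score concrete, here is an added Python example (not code from the article or from FIRST) that validates a CVSS 4.0 vector string, buckets its metrics into Base, Threat, Environmental and Supplemental, and reports which groups fed the score using the CVSS 4.0 nomenclature CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE, which goes slightly beyond what the article describes; treating a metric set to X (Not Defined) as unassessed for that label is this example's own assumption.

```python
# Added example (not from the article or from FIRST): validate a CVSS 4.0
# vector, split it into the four metric groups and derive the nomenclature
# (CVSS-B, -BT, -BE, -BTE) that says which groups contribute to the single
# score.  Allowed values follow the CVSS 4.0 specification.

BASE = {"AV": "N A L P", "AC": "L H", "AT": "N P", "PR": "N L H", "UI": "N P A",
        "VC": "H L N", "VI": "H L N", "VA": "H L N",
        "SC": "H L N", "SI": "H L N", "SA": "H L N"}
THREAT = {"E": "X A P U"}   # Exploit Maturity replaces 3.1's E/RL/RC
ENV = {"CR": "X H M L", "IR": "X H M L", "AR": "X H M L", "MAV": "X N A L P",
       "MAC": "X L H", "MAT": "X N P", "MPR": "X N L H", "MUI": "X N P A",
       "MVC": "X H L N", "MVI": "X H L N", "MVA": "X H L N",
       "MSC": "X H L N", "MSI": "X S H L N", "MSA": "X S H L N"}
SUPP = {"S": "X N P", "AU": "X N Y", "R": "X A U I", "V": "X D C",
        "RE": "X L M H", "U": "X Clear Green Amber Red"}
GROUPS = {"base": BASE, "threat": THREAT, "environmental": ENV, "supplemental": SUPP}

def parse_cvss40(vector):
    """Validate a CVSS 4.0 vector and bucket its metrics by group."""
    head, *parts = vector.split("/")
    if head != "CVSS:4.0":
        raise ValueError("not a CVSS 4.0 vector")
    found = {g: {} for g in GROUPS}
    for part in parts:
        key, _, value = part.partition(":")
        group = next((g for g, t in GROUPS.items() if key in t), None)
        if group is None or value not in GROUPS[group][key].split():
            raise ValueError(f"unknown or invalid metric {part!r}")
        if key in found[group]:
            raise ValueError(f"duplicate metric {key}")
        found[group][key] = value
    missing = set(BASE) - set(found["base"])
    if missing:
        raise ValueError(f"base metrics missing: {sorted(missing)}")
    return found

def nomenclature(vector):
    """CVSS-B, -BT, -BE or -BTE: which groups contribute to the score."""
    m = parse_cvss40(vector)
    # Assumption of this example: a metric left at X (Not Defined) was not
    # assessed, so it does not change the label.  Supplemental metrics never do.
    has_t = any(v != "X" for v in m["threat"].values())
    has_e = any(v != "X" for v in m["environmental"].values())
    return "CVSS-B" + ("T" if has_t else "") + ("E" if has_e else "")

if __name__ == "__main__":
    v = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/CR:H/AU:Y"
    print(nomenclature(v), parse_cvss40(v)["supplemental"])
```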
