The CVSS Fallacy – Can you trust the world’s most popular vulnerability metric @ Black Hat 2022

September 12, 2022



Brian Moussalli

Security Research Tech Lead

Brian Moussalli is a Security Research Tech Lead, JFrog, specializing in vulnerability analysis, threat intelligence, research, and automated threat detection. He has over 13 years of experience in cyber security, security research, reverse engineering, and malware analysis.

Video Transcript

Hello everyone. Today we're going to talk about the CVSS fallacy and ask: can you trust the world's most popular vulnerability metric? My name is Brian Moussalli, I'm a Security Research Tech Lead at JFrog Security.

We're going to talk about what the Common Vulnerability Scoring System is, why CVSS isn't an accurate metric, and we'll take a look at a couple of real-life examples.

So what is the Common Vulnerability Scoring System? It is a free and open standard for assessing the severity of software and hardware vulnerabilities, developed by the Forum of Incident Response and Security Teams. Its current version is 3.1, which was released in 2019.

The CVSS actually offers three rating methods. The first one is the base score, which reflects the severity of a vulnerability according to several characteristics which we will discuss in detail in the next slide. The second one is the temporal score, which adjusts the base severity of a vulnerability based on factors that change over time, such as availability of exploit code. And the third score is the environmental score, which adjusts both base and temporal severities to a specific computing... according to the presence or lack thereof of mitigations in that...

So what is the CVSS used for? Complex environments are full of third-party software packages and hardware. Whether it's your organizational network or the Docker containers you use in your production environment, almost everything in... is composed of third-party software or hardware components which can turn out to be vulnerable at any time. This fact poses a risk to your organization or your product and requires remediation measures to be taken, but remediation in production environments may be costly in terms of time and work. For this reason we would like to prioritize vulnerability remediation in production environments.

Enter CVSS. CVSS gives us a score which helps us understand how severe a threat is and how much we should panic, right? Nobody likes being exposed to a hacking attempt, and since remediation requires the work of your software developers or your IT or DevOps teams, it should be done correctly.

So how is the base score calculated? We have several metrics from which the exploitability score is composed and another set of metrics for the impact score. These two combined give the base score and the vector string, which we can see in the picture below.

The access vector metric shows how this vulnerability may be exploited: if it's a local attack or one that can be carried out using a network connection. The access complexity metric refers to the difficulty of exploiting the... The privileges required metric refers to the privileges that an attacker must have in order to exploit the vulnerability. The user interaction metric specifies whether a human interaction other than the attacker's is required to exploit this vulnerability, and the scope metric refers to the impact of this vulnerability on other modules or...

The confidentiality metric refers to the impact on the confidentiality of information resources managed by the vulnerable component, High being complete loss of confidentiality. The integrity metric refers to the impact on the component's protected resource, for example if an attacker is able to modify files after exploitation, High being complete loss of integrity. And the availability metric refers to the impact on the component's availability, High being complete loss of availability, like in denial of service.

So why isn't CVSS an accurate metric? Crucial components that the CVSS fails to account for are code..., like: what are the vulnerable functions, or are all uses of these functions...? This kind of information can't be expressed in the current base score or vector string. Configuration prerequisites, like: what is the vulnerable configuration of the service, or is it the default configuration, or is it a common configuration? Environment prerequisites, like: are Windows or Linux or macOS all vulnerable?

Let's take a look at some examples to see what I mean exactly.

CVE-2016-10749: it's a buffer overflow in cJSON. Let's take a look at the CVE's...: the parse_string function in cJSON before October 2nd, 2016 has a buffer over-read, as demonstrated by a string that begins with a double quote character and ends with a backslash. The base score for this vulnerability is 9.8, which is critical. Is that so?

Let's take a look. As we can see in the exploit example, in order to exploit this vulnerability an attacker must control the input of cJSON_Parse. This means that the exploitability and impact of this CVE are highly contextual. It depends on how the vulnerable function is used in our product or... If the cJSON library is installed but nobody uses it, it's really not interesting, right? On the other hand, it's very interesting if a piece of software uses the cJSON_Parse function with user-controlled input.

The attack vector in the vector string reads Network, but this is actually not so accurate. The CVSS base score doesn't take into account whether the attack vector is context dependent, meaning it requires the vulnerable software component to call this function with user input. User input in this case is the key to understanding whether the CVE is relevant for me and should cause the panic a critical CVE should cause.

The same goes for the privileges required metric, which says None in this case, but the privileges that are required to exploit this vulnerability are dependent on the context in which the library is used. It may only be exploitable in a system that requires prior authentication. And the same goes for the impact score, of course: impact may also be context dependent and rely on the permissions in which a vulnerable process or service...

Let's take a look at another CVE. The next one is an out-of-bounds write vulnerability in Apache's mod_sed module. It's a filter module which offers the same capabilities as the Unix stream editor command-line tool, but for HTTP requests and responses. Again we see it received a score of 9.8, which is critical, but is it really?

Let's see. mod_sed is not used by..., and actually it's quite rare, it's a rare filter module to be used. So in order for Apache to be exploitable it must be configured to use the sed module. As we can see in this configuration, the mod_sed module may be defined as an input filter for a certain endpoint, in this case it's the HTTP root directory, meaning all requests to the server will be handled by this module. But this is extraordinary. In reality the correct vulnerable... must be guessed by an attacker, or they should have access to Apache's configuration file, which is very, very unlikely. So I suggest that the attack complexity shouldn't be Low in this case.

And of course the CVSS score doesn't take into consideration other mitigations, such as limiting the request size, which can help in the case of this CVE. Another requirement for successful exploitation of the CVE is the size of the data that's being sent to the server: it requires over two gigabytes of data to be sent to the server. This is another thing that isn't expressed in the CVSS but is crucial in terms of mitigation and remediation. This vulnerability can be mitigated by using the limit request body size directive in Apache's configuration, which is extremely easy to add. So in my opinion this really reduces the risk from critical, 9.8, to something much lower.

Okay, so conclusions. CVSS is useful for initial evaluation but fails to account for several prerequisites, like code...: when a specific function is vulnerable, the attack vector value should be contextual in my opinion, but a contextual option doesn't exist, so everybody just uses Network, which is very inaccurate and causes confusion, or maybe not confusion, but causes CVEs to get really high base scores and exploitability scores. The same goes for the impact score: the impact scores are very much contextual many times; they rely on the specific impact that a vulnerability may have, if it's the privileges that the process has, a service has. Configuration prerequisites are also not being taken into account, or how common is the vulnerable configuration, or is it the default configuration. We can't specify all that information in the CVSS base score and in the vector string. And also environment prerequisites, like Windows or Linux or macOS: are they all vulnerable? There are certain libraries or software services that can run on all three of them, or other operating systems, but are they all vulnerable just the same? We can't really tell by the base score, or by the exploitability score or the impact score.

So the key thing is context. Understanding the full impact and severity of a vulnerability requires full context. This is what we need in order to best utilize the CVSS score in our organization when we prioritize what needs to be remediated and what needs to be fixed.

Here's an example from JFrog's Xray in which you can see contextual analysis. You can see that other than the CVSS score shown to the user, there's also a JFrog severity metric and the contextual analysis field, which tell the user whether the CVE is actually applicable in their case. Below you can see that this depends on the client's first-party code actually using the vulnerable functions in a way that poses a real threat to their... The client is given specific pointers to the vulnerable code with the exact file and line, and so they can... This helps them... this vulnerability in the best possible way, whether it's changing just the parameters that are sent to the function which make it vulnerable, or making sure that the user input doesn't find its way into the vulnerable function, in case user input may be a problem.

Bottom line is, we should always consider the context, the full context of a CVE, and unfortunately CVSS is not enough to understand and help us prioritize how we should direct our resources in remediation.

If you have any questions, feel free to email me at brian m. Thank you very much.