Enterprises rely heavily on CVSS scores to gauge how urgently a vulnerability needs to be addressed. The scores offer a convenient way to compare vulnerabilities for prioritization. Despite this convenience, there are a few pitfalls that can lead an organization to be misled by CVSS scores.
The attractiveness of CVSS scoring is quite apparent. The CVSS framework, now on its third major version, is maintained by a nonprofit organization (Forum of Incident Response and Security Teams), which has over 500 member organizations globally. Scores are based on an open, standardized methodology that provides a simple (0-10) numeric indicator of the severity of a vulnerability. Because the scores are published in NIST’s National Vulnerability Database (NVD), they are widely accessible.
A complete CVSS score is composed of three "Metric Groups": Base, Temporal, and Environmental.
Base metrics do not change over time. They are characteristics inherent to the vulnerability itself, and they are not adjusted for attributes such as real-world exploitation or compensating controls.
Temporal metrics, as the name implies, change over time. These include attributes such as maturity and availability of exploit code, as well as the availability of patches.
Finally, environmental metrics are specific to the organization subject to the vulnerability, and include attributes related to business criticality of the exposed asset, and mitigations or compensating controls that are in place.
So how exactly can CVSS scores be misleading?
The vast majority of the time that you hear about the severity of a vulnerability, the CVSS score being quoted is a "Base" score only, with no "Temporal" or "Environmental" attributes accounted for. In fact, the severities listed in the NVD, the most common reference point for CVSS scores, are "Base" scores only.
Relying on Base CVSS scores alone leads to misleading conclusions and to massive amounts of wasted effort in the typical enterprise.
A vulnerability may be listed as "Critical," but if it has never been exploited in the wild, is it really worth diverting precious resources to patch it?
Or perhaps your organization has compensating controls in place that eliminate the ability for adversaries to exploit the vulnerability. In this case, would you still prioritize this "Critical" CVE over a "High" CVE for which you know you are exposed?
CVSS scores are a powerful tool for the enterprise when prioritizing efforts and resources, but effective vulnerability management must account not only for the widely reported "Base" score severities but also for the "Temporal" and "Environmental" factors. Only the complete view gives you an accurate picture of risk and the ability to prioritize the efforts that will deliver the maximum return on your information security investment.