
CVSS Calculator-Software Vulnerability Scoring Process

By Payal Mittal
December 19th · 5 min read

What do you understand by the word Vulnerability? Liability? Inability to withstand a situation? A weak spot that is easy to exploit? Well, all of them are true. Vulnerability can crop up in the physical, social, psychological, technical, financial, legal or any other sector, and it must be assessed to determine its severity and potential impact so that suitable security measures can be taken.

The same is true of software application vulnerabilities. It is very important to identify them first in order to go further in the direction of preventing their impact. Here comes the role of CVSS. Let’s move forward and see what CVSS is-

Overview About CVSS

The CVSS (Common Vulnerability Scoring System) is the standard scoring system used to estimate the criticality of the vulnerabilities present in the software application.

In technical language, CVSS is an open framework that expresses the severity of a software vulnerability as a numerical value (called the Base Score) ranging from 0 to 10. The score reflects whether the vulnerability present in the software is low, medium, high or critical in nature. However, the procedure for calculating the score by hand is quite involved: you have to express the metrics as a vector string, apply the formula for each intermediate value and only then arrive at the Base Score.

But all this effort can be reduced immensely with the help of a CVSS Calculator. We’ll look at the CVSS Calculator in detail in this blog-

CVSS Calculator: Introduction

As technology advances, thousands of applications, packages and techniques get released every day and help people by significantly reducing their effort. The CVSS Calculator is one of those many tech applications.

As you can easily deduce from the term ‘CVSS Calculator’, it calculates the Vulnerability Score of an application. From a developer’s point of view, it greatly reduces the effort of calculating the Vulnerability Score. All you need to do is follow the 4 steps given below-

  • Install the npm package of the CVSS calculator.
  • Hover over the base parameters.
  • Select appropriate options from the available metrics (as shown in the image below).
  • Click on the ‘Generate CVSS’ key.

And that’s it. You will be provided with the final score. How simple is that!!

[Image: cvss-calculator-software-vulnerability-scoring-process_1.jpg]

Base Metric Group / Base Parameters

Before going through the procedure to install the npm package of the calculator, it would be great to refresh our memories about base parameters.

The Base Metric Group reflects the intrinsic characteristics of a vulnerability that are constant over time and across user environments. It consists of two sets of metrics, together known as the Base Parameters, which are-

  1. Exploitability Metrics

  2. Impact Metrics

Exploitability Metrics -

The Exploitability Metrics represent the properties of the vulnerable component and the ease with which it can be exploited. In the following sections, we’ll look at the exploitability metrics that describe the characteristics of a vulnerability that lead to successful exploitation-

Attack Vector (AV)

This metric evaluates the context in which the vulnerability can be exploited. The more remote the attacker can be, the larger the base score. Instead of writing the whole string, you can just select the metric value from the available options, which are as under-

  • Network: <Value 0.85>
  • Adjacent: <Value 0.62>
  • Local: <Value 0.55>
  • Physical: <Value 0.2>

Attack Complexity (AC)

This metric reflects how complex or easy it is to exploit the vulnerability, i.e. the base score will be greatest for the least complex attacks. You need to select one of the values from ‘Low’ <Value 0.77> and ‘High’ <Value 0.44>.

Privileges Required (PR)

It determines the privilege level the attacker must possess to successfully exploit the vulnerability. The base score will be highest when no privileges are required. The possible values are:

  • None: <Value 0.85>
  • Low: <Value 0.62>
  • High: <Value 0.27>

User Interaction (UI)

It describes whether a vulnerability can be exploited without the participation of a separate user. The values are: None <Value 0.85> and Required <Value 0.62>.

Scope (S)

It captures whether or not the vulnerability has any impact on components beyond its own security scope. The base score is lowest when the scope does not change. There are two values: Changed and Unchanged.

Impact Metrics -

The Impact Metrics reflect the consequences of a successfully exploited vulnerability on the components that are adversely affected and directly associated with the attack. The final impact is determined by the combined effect of all three impact metrics together, described below.

The 3 possible values for each of the impact metrics are as follows- High: <Value 0.56>, Low: <Value 0.22> and None: <Value 0>

Confidentiality (C)

This metric measures the amount of confidential information compromised in the impacted component by the exploitation attack. The term ‘Confidentiality’ refers to limiting the disclosure of sensitive information to authorized users only. The Base Score is directly proportional to the loss of confidentiality: the higher the confidentiality loss, the greater the Base Score value.

Integrity (I)

The Integrity metric measures the impact of the exploited vulnerability on the integrity of the information used by the impacted component. When the impact is highest, the Base Score value will be greatest.

Availability (A)

The Availability metric describes the impact on the availability of the target system. Attacks that consume network bandwidth, processor cycles, memory or any other resources affect the availability of a system. When the impact on the affected component is highest, the Base Score value will be greatest.

How to Calculate the Base Score??

The Base Score reflects the severity of a vulnerability according to its exploitability and impact parameters. Earlier, before the release of this package, we had to use all our mathematics knowledge to determine the parameters given below and finally calculate the Base Score.

Let’s see how-

The Base Score depends upon three parameters, known as Impact Sub Score (ISS), Impact and Exploitability. So, first we need to determine the values of these parameters; only then can we use the formula for the Base Score.

  1. Impact Sub Score (ISS)-

  ISS = 1 - [(1 - Confidentiality) × (1 - Integrity) × (1 - Availability)]

  2. The Impact value can be determined with the formula-
  • If Scope is Changed, Impact = 7.52 × (ISS - 0.029) - 3.25 × (ISS - 0.02)^15
  • If Scope is Unchanged, Impact = 6.45 × ISS

  3. Exploitability can be determined from the formula-

  Exploitability = 8.22 × Attack Vector × Attack Complexity × Privileges Required × User Interaction

After determining all these parameters, the Base Score can easily be found as under-

  • If ISS <= 0, the Base Score will be 0.

Else,

  • If Scope is Unchanged, Base Score = Roundup(Minimum[(Impact + Exploitability), 10])
  • If Scope is Changed, Base Score = Roundup(Minimum[1.08 × (Impact + Exploitability), 10])

CVSS Score:

After determining the Base Score, we check the severity level of the vulnerability by mapping the score onto the rating scale below:

  • None: <0>
  • Low: <0.1 to 3.9>
  • Medium: <4 to 6.9>
  • High: <7 to 8.9>
  • Critical: <9 to 10>

But, with the introduction of the CVSS Calculator, this whole process of determining the base score is reduced to a single click. Let’s check out how to install this calculator below-

Installation Process:

The npm package installation process for CVSS Calculator has been described below in a few easy steps-

  • Enter the following command on the Command Prompt-
    npm install cvss-v3.1-react
  • After installation, you need to import cvss-v3.1-react-
    import CvssV3 from 'cvss-v3.1-react';
  • Now, include the cvss-v3.1-react component as given below-
    // severityVector is optional; it initializes the calculator with an existing vector.
    const severityVector = "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L";
    <CvssV3 severityVector={severityVector} onChange={(data) => {
      // data carries the computed CVSS score and the CVSS vector string
    }}/>

You can customize the styles based on your requirements as per the details given in this article. Check out the npm package of the CVSS Calculator.

Parting Words:

This was all about the CVSS Calculator; we hope you find it beneficial! Stay connected with our page for more blogs about the latest tech releases. It’s time to part ways, but before taking your leave we would like to tell you that we look forward to your valuable feedback and suggestions about this blog. Also, you can ask your related queries in the comment box.
