Common Vulnerability Scoring System (CVSS) scores are often the first ratings people see for a newly released vulnerability. It’s a good starting point. But there are often times when the CVSS score either doesn’t reflect the real risk or, more to the point, doesn’t reflect the risk to a particular organization. With that in mind, this article will explore the reasons why CVSS cannot be relied on alone, and some ways to get better visibility into the contextual cyber risk posed to organizations.
Case study: CVE-2023-35352 in Microsoft RDP
Let’s take a look at a recent example:
CVE -2023-35352 in Microsoft RDP has a base CVSS(v3.1) score of 7.5 and a temporal score of 6.5. The lower temporal score stemming from Microsoft releasing patches for this vulnerability on “Patch Tuesday,” 11 July 2023.
By the current CVSS calculations, its base value is a 7.5, based on the factors that go into the calculation. Based on Microsoft’s reporting, we have the following:
- Vector: Network
- Complexity: Low
- Privileges required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality impact: None
- Integrity impact: High
- Availability impact: None
While the temporal score adds the following factors:
- Exploit Code Maturity: Unproven that an exploit exists
- Remediation level: Official fix
- Report confidence: Confirmed
That gives us a 7.5 and a 6.5 respectively which, by CVSS scoring, gives us a base score of HIGH and a temporal score of MEDIUM. And herein lies the issue. RDP is a protocol that allows a remote user to directly interact with a desktop. While Microsoft rated the scope “unchanged,” as the vulnerability is against the RDP service itself, a successful attack would give access to the desktop which potentially lets the attacker control the machine and move laterally with ease.
The disconnect between CVSS scores and real-world risk
The temporal score of 6.5 reflects the fact that Microsoft has released a patch which reduces the risk considerably – provided the patch is deployed to vulnerable systems. But the challenge with these scores is that they may not reflect the reality of the threat, or how much of a risk an organization may face.
To be clear, with this specific CVE, we don’t have contradictory evidence that there are exploits in the wild or that the CVSS score is objectively wrong. But it is a good example to show why there are cases where the CVSS score doesn’t reflect the reality of the situation. In fact, Microsoft themselves rate this vulnerability as Critical, showing they take it seriously.
Unfortunately, this is just one example of the mathematically derived risk score not reflecting the likely real-world risk. In some cases, it’s too high. But it’s often lower than it really should be.
One of the key features of risk-based vulnerability management is addressing this issue to give the people responsible for reacting to vulnerabilities like this the perspective they need. Based solely on the CVSS scores here, the team would likely give this RDP vulnerability a lower priority than they might otherwise. Depending on their available resources, that might mean delaying patch deployment or implementing compensating controls.
Addressing the issue: risk-based vulnerability management
An effective risk management platform will include the tools needed to adjust the ratings for any given vulnerability based on context, as well as the base or temporal scores. If the organization has certain applications, hosts, goes, business groups, etc., that are particularly critical, the risk management tool can adopt the ratings accordingly.
Likewise, it could show a reduced relative severity for hosts or applications that are already protected by compensating controls or are otherwise more risk accepting. Conceptually, this lets the organization focus their available resources on the issues that will matter most. That’s an important factor to consider, since few organizations have the resources to tackle every vulnerability as soon as it’s revealed.
That’s why the Vulcan Cyber risk management platform is designed to take the organization’s environmental context into account when it prioritizes vulnerabilities. It can deliver a clearer picture of the situation than comes from the scores alone or a vulnerability scanner’s recommendations that are often based on that score.
In this case, it was easy to see the discrepancy between the raw CVSS score and the real-world risk as determined by Microsoft. But it’s not always that easy, and not every vendor is as forthcoming in assessing the risk.