CVSS v2 Official
Anyone who's worked with CVSS knows that it has some serious flaws... Today we can change that statement to had some serious flaws, at least until we find problems with CVSS v2 which was announced today (via SSAATY). The incorporated changes from v1 are fairly substantial and a huge step in the right direction.
They include:
- AccessComplexity changed from a high/low rating to a high/medium/low rating.
- ImpactBias moved from the base metric to the environmental metric.
- Vulnerabilities giving root (or equivalent) access mean each CIA component is set to 'complete', while user access would be rated as 'partial'.
- AccessComplexity rewritten to indicate that it measures how difficult the vulnerability is to exploit once working exploit code exists, not how difficult it is to write that exploit code.
- In the environmental metric, TargetDistribution has changed from none/low/high to none/low/low-medium/medium-high/high
- AccessVector has changed from Local/Remote to Local Access/Local Network Access/Network Access
- In the environmental metric, CollateralDamagePotential has changed to none/low/low-medium/medium-high/high.
- In the base metric, AccessVector/AuthenticationVector now include No Auth/Single Auth/Multiple Auth
- Wording changes to indicate that CVSS should always be applied to the service that is directly vulnerable and not any secondary systems or indirectly affected users.
- Wording changes to indicate that CVSS should always be applied to the configuration that is most likely in use ("most probable"), not the best-practice one. The example given is a web browser: more often than not, browsers are run as administrator when best practice would tell us otherwise. If you can't determine the "most probable" configuration, the default configuration should be used.
- Explanation of proper method of handling multiple methods of exploiting a vulnerability. The score should be calculated for each method and the highest score should be used.
- CIA measurements for ImpactBias are now Low/Medium/High
- The Difficulty and Impact sub-equations are now combined with a weighting of .4 for Difficulty and .6 for Impact.
The detailed version change history can be found here.
Full CVSS v2 Documentation can be found here.

CVSS v2 is a big improvement over the mess that is CVSS v1. On their History Page http://www.first.org/cvss/history.html they admit that Vendors were experiencing some wide variance in scores. There is even some mention of XSS and possible ways to score it.
CVSS v2 won’t end the controversy, but at least I can say CVSS Score without doing little “air quotes” with my hands.
It is good to see this standard moving forward again.
I agree – great step forward. I have done some v2 scoring and it was MUCH more what I would expect.