What makes a CVSS 10 critical vulnerability?
Every IT security vulnerability has a security context that defines how it can be exploited and the degree of advantage that an attacker can gain by exploiting it. For example, a vulnerability may be exploitable remotely with just a network connection to the target system, or it may require physical access to the target system.
Additionally, a vulnerability may give an attacker elevated privileges and unauthorized access to protected data. It may allow arbitrary code execution, or merely allow the attacker to impact the system's availability causing it to crash or go offline. The contextual details of a vulnerability will allow defenders to prioritize vulnerabilities according to their severity and patch the most critical security gaps first, spending their valuable resources more efficiently.
But what is the context of the worst cybersecurity vulnerabilities? What characteristics deem a vulnerability to be assigned the maximum CVSS (Common Vulnerability Scoring System) score of 10 and receive the classification of "Critical"?
In this article, our ethical hackers examine the metric components that comprise the CVSS version 3 score and uncover what makes a vulnerability as bad as it gets.
Before we examine what characteristics cause a vulnerability to receive the highest severity classification, we should first clarify what a CVE and CVSS score are:
The Mitre Corporation created the Common Vulnerabilities and Exposures (CVE) standard which was first introduced in 1999. At its core, CVE is a standardized system for identifying and cataloging vulnerabilities in computer software and hardware and provides a structured way to track information about security vulnerabilities.
CVE ensures interoperability using a standard naming and severity scoring scheme (CVSS), enabling different cybersecurity products and services to share information about vulnerabilities reliably and more efficiently.
The CVSS is a framework for assessing the severity of security vulnerabilities. Version 3 of CVSS was introduced in 2015 and extends the earlier CVSS version 2 by providing greater context and precision when describing the potential impact of a vulnerability.
Critical features of CVSS version 3 include:
Expanded Metrics: CVSS version 3 includes additional metrics to better describe the characteristics of a vulnerability, such as Attack Vector (AV), Attack Complexity (AC), and User Interaction (UI)
Temporal Metrics: CVSS version 3 also introduces Temporal metrics to account for the evolving nature of vulnerabilities. These metrics account for factors like the availability of patches or workarounds, which can change over time and affect the vulnerability's exploitability and potential impact
Environmental Metrics: CVSS version 3 is also designed to allow organizations to tailor the score to fit the specific context of their own local IT environment. This is accomplished by incorporating factors like the importance of an affected system and the sensitivity of the data it handles into the CVSS calculation
A CVSS score of 10 represents the highest level of criticality for a vulnerability. It represents a vulnerability that is easy for attackers to exploit for the maximum compromise of the target system. To reach this top-tier score, several key metric components within a CVSS vector must all align to the most severe possible values.
Let's examine what makes a CVSS 10 critical vulnerability by looking at the CVSS components and their most severe classifications:
Attack Vector = Network (AV:N): The AV metric describes the required access for exploiting a vulnerability. The highest-scoring classification for AV is "N" for Network, which means that the vulnerability can be exploited via a network connection, and the attacker does not need physical access to the target system. Network-based vulnerabilities are considered more critical because they can be exploited remotely
Attack Complexity = Low (AC:L): The AC metric assesses the complexity required for an attacker to exploit the vulnerability successfully. The highest-scoring classification for AC is "L" for Low. This implies that the attack is easy and does not require complex exploit code. This makes it easier for low-skilled threat actors such as script kiddies to exploit
Privileges Required = None (PR:N): The PR metric evaluates the level of privileges an attacker needs to exploit the vulnerability. The highest-scoring classification for PR is "N" for None. This means that the attacker does not require any special privileges to exploit the vulnerability. Vulnerabilities that do not require elevated privileges are generally more critical because access to a low-level account is generally easier to obtain than access to a highly privileged one such as an admin or root account
User Interaction = None (UI:N): The UI metric considers whether user interaction is necessary for the exploit to be successful. The highest-scoring classification for UI is "N" for None. This indicates that the vulnerability can be exploited without requiring human actions to trigger the exploit
Scope = Changed (S:C): The S metric determines the extent of the impact once the vulnerability is exploited. The highest-scoring classification for S is "C" for Changed. This means that the vulnerability's impact extends beyond the immediate component, such as the application or system where it resides. Therefore, the vulnerability can lead to broader security consequences within an IT environment such as allowing an attacker to access other systems on the network
Confidentiality Impact = Complete (C:C): The C metric measures the impact on confidentiality if the vulnerability is successfully exploited. The highest-scoring classification for C is "C" for Complete. This signifies that exploiting the vulnerability would result in a complete loss of confidentiality and could lead to stolen data, passwords, or other sensitive information
Integrity Impact = Complete (I:C): The I metric assesses the impact on data integrity if the vulnerability is exploited. The highest-scoring classification for I is "C" for Complete. This indicates that the exploitation of the vulnerability would lead to a complete loss of data integrity, meaning if exploited an attacker could modify data on the victim's system
Availability Impact = Complete (A:C): The A metric evaluates the impact on system availability if the vulnerability is exploited. The highest-scoring classification for A is "C" for Complete. This implies that exploiting the vulnerability would result in a complete loss of system availability
Temporal Metrics represent the state of the global cybersecurity threat environment with respect to a specific vulnerability. The most severe possible values for each of the CVSS Temporal metrics are:
Exploit Code Maturity = High (E:H): If highly mature exploit code is readily available the severity of a vulnerability is increased because attackers can easily find proof of concept code and start attacking immediately. The "High" classification indicates that high-quality, widely available exploit code exists, making exploitation highly probable
Remediation Level = Unavailable (RL:U): This means that no official solution or workaround is available to mitigate the vulnerability, so defenders have no way of protecting the affected system or software short of cutting off access to the impacted system
Report Confidence = Confirmed (RC:C): The confirmed report confidence classification indicates that the vulnerability details are confirmed by reliable sources, increasing confidence in the report
Each organization is responsible for calculating its own Environmental Metric values since these metrics are aimed at adjusting the CVSS score according to the context that the vulnerability has within each organization's business operations and IT infrastructure.
The most severe possible values for each of these Environmental Metrics are as follows:
Collateral Damage Potential = High (CDP:H): The most severe Collateral Damage Potential value is "High", indicating that the exploitation of the vulnerability is very likely to cause extensive collateral damage to other systems or data. This classification would apply to a target containing sensitive information such as service account credentials, API keys, TLS certificates, or public key infrastructure
Target Distribution = High (TD:H): The most severe Target Distribution value is "High", indicating that the vulnerability has the potential to impact a large number of systems. For example, if a service such as an email server software was deployed across a large multinational corporation's network and various locations, it would be classified as Target Distribution = High
Confidentiality Requirement = High (CR:H): The most severe Confidentiality Requirement value is "High", indicating that confidentiality is a high requirement because the data in the environment is sensitive. This would apply to a system that contains sensitive proprietary information, customer personally identifiable information (PII), or payment card data that an organization has a strict legal or compliance obligation to protect
CVSS includes Base Metrics like Attack Vector, Attack Complexity, and Impact scores, as well as Temporal Metrics and Environmental Metrics. Understanding the key components of a CVSS 10 Critical Vulnerability is essential for cybersecurity professionals who must intake vulnerability intelligence and evaluate the contextual risk a particular vulnerability poses to their company's business operations and IT infrastructure.
This knowledge empowers defenders to prioritize and address the most severe security threats effectively, safeguarding their systems and data from the highest-risk vulnerabilities.
© 2024 Packetlabs. All rights reserved.