CVSS Explained

What Is CVSS?

The common vulnerability scoring system (CVSS) is open and free to industry for evaluating the seriousness of the software security vulnerabilities and is used in vulnerability management software. CVSS gives scores to vulnerabilities per the seriousness of the threat. Scores are computed considering several metrics. Scores are given between 0-10, with most severe score being 10.

First and CVSS

FIRST.Org, Inc (FIRST) is a non-profit organization based out of US that owns and manages CVSS. It is not required to be a member of FIRST to utilize or implement CVSS but FIRST does require any individual or organization give appropriate attribution while using CVSS. FIRST also states that any individual or organization that publishes scores follow the guideline so that anyone can understand how the scare was calculated.

CVE vs CVSS

Common Vulnerability Scoring System (CVSS) is a universal metric that measures the severity of a security vulnerability. This makes it an integral part of vulnerability scanning tools. Common Vulnerabilities and Exposures (CVE) is a list of publicly known and reported vulnerabilities.

What is CVSS Used For?

Organizations used to adopt their own ways to create a score for security vulnerabilities. However, these didn’t include crucial details about how each score was measured and weighted. Not having a baseline for scoring created an overall problem from organization to organization.

The US National Infrastructure Assurance Council (NIAC) developed CVSS and the standards to measure the impact of severity in an IT environment. CVSS is an open framework, so organizations have access to the measuring criteria used to create scores, enabling everyone to have a clear understanding of the vulnerability scores.

Organizations use this system to gauge the impact of vulnerabilities that are discovered. These organizations use the scale to meet security requirements, regulations, standards, and compliance. This system makes it easy to prioritize security tests and measure the most severe vulnerabilities, so they can be prioritized.

Do All Vulnerabilities have a CVSS?

If it’s a publicly known vulnerability, CVSS has a score for it. The scores range from 0.0 to 10.0, which are based on a large number of varied, grouped metrics.

What Are the Three Metrics Groups of CVSS?

Base metric group

The base metric group shows the qualities of vulnerability that are consistent over a period of time and among different user environments. It is further made up of two sets of metrics.

Exploitability Metric

It shows how easily a vulnerability can be exploited. Referred to as “exploited component”. They have 4 components – attack vector, attack complexity, privileges required, and user interaction.

Impact metrics

Impact metrics show the result of a successful exploitation of a vulnerability referred to as “impacted component”.

Temporal metric group

The temporal metric group shows the characteristics of a potential threat or vulnerabilities that may change after sometime however may not change across users.

Environmental metric group

The environmental metric group shows the characteristics of vulnerability that are important and unique to a specific user’s environment. Affected users calculate this measure usually.

Below each metric is discussed in detail.

Understanding the CVSS Score: Base Metrics

Base metrics are a representation of the vulnerability. These characteristics never change and aren’t dependent on exploitability or based on an organizational security program that’s been implemented. The rankings are listed in the National Vulnerability Database and are exclusive to base CVSS scores.

Base CVSS scores provides an easy starting point for patching and remediation, but it is also limited because it doesn’t account for real world exploits, patching availability, or mitigating organizational controls in place.

What are CVSS Metrics Based Off Of?

Exploitability – Exploitability metrics are based on the characteristics of the vulnerable component, with four sub sections; attack vector, attack complexity, privileges required, and user interaction.

Attack Vector – this metric is based on the level of access required to exploit a vulnerability. A higher score represents that an exploit can be executed remotely outside of the organization vs a lower score requires an attack to be at a physical on-premise location.

Attack Complexity – this metric is based on things outside of an attacker’s control, such as key theft or a middle-man attack. The higher score is based on extra effort the attacker needs to take outside of the cyber attack itself.

Required Privileges – this metric is based on the attacker’s privileges to exploit a vulnerability. A higher score represents the level of administration privileges that are required to carry out an attack, whereas a lower score represents little to no privileges required. part.

User Interaction – this metric is based on if the attacker needs to recruit a willing or unknowing person in order to complete the attack. A higher score represents no additional participation needed.

Scope – Scope metrics are based on the number of components needed to exploit a vulnerability. The higher score if one exploit attack can lead into a deeper backend system attack.

Impact – Impact metrics are based on actual outcomes from an attack result. There are three sub sections that weigh into this metric; confidentiality, integrity, and availability.

Confidentiality – this metric is based on the amount of data the attacker has access to. The higher score equals the most data the attacker can access, lower means no data can be reached.

Integrity – this metric is based on the ability of the attacker to alter data on the exploited system. The score is high if the attacker can completely or severely modify the data.

Availability – this metric is based on the system loss once it’s exploited. A higher score means the system will no longer be accessible by authorized users because of an attack.

1. Exploitability metric

1.1 Attack vector – shows how the vulnerability can be exploited.

Value	Description
Attack Vector
Network (N)	Attacker exploits vulnerability only through OSI layer 3 and are called “remotely exploitable”.
Adjacent (A)	Attacker exploits vulnerability only through shared physical network.
Local (L)	Attacker exploits the vulnerability locally or may depend on user interaction.
Physical (P)	Vulnerable component must be physically touched or controlled by the attacker.

1.2 Attack complexity (AC) – This metric depicts the situations that are not under the attackers control and are required to exploit vulnerability.

Value	Description
Attack Complexity
Low (L)	Attacker can be successful more than once against the vulnerable component.
High (H)	Attacker must be more prepared to execute a successful attack on the vulnerable component.

1.3 Privileges Required (PR) shows the amount of privileges the attacker must have to exploit the vulnerability successfully.

Value	Description
Privileges required
None (N)	The attacker doesn’t need access to files or setting to attack. Attacker is unauthorized.
Low (L)	Attacker requires privileges to attack usually affects files and owned settings. Attacker has low authorization.
High (H)	Attacker needs privileges that give them control and affects component wide files and settings.

1.4 User interaction (UI) it is a user oriented metric. It determines whether a separate user must be present or the attacker or alone exploit the vulnerability.

Value	Description
User Interaction
None (N)	Exploitations of vulnerability can be done without any interaction from any user.
Required (R)	The user can do exploitation of vulnerability only after any action.

1.5 Scope scope refers to the group of privileges that are characterized by a computing authority when giving access to computing resources. These privileges are appointed based on a technique of approval and identification.

Value	Description
Scope
Unchanged (U)	The impacted component and the vulnerable component are the same. Resources affected are controlled by the same authority.
Changed (C)	The impacted component and the vulnerable component are different. The same authority does not control resources affected.

2. Impact Metrics

2.1 Confidentiality Impact (C) this metrics limits access to information and reveals information only to authorized users. Also, prevents disclosure of information to unauthorized users.

Value	Description
Confidentially impact
High (H)	All resources of the impacted component are disclosed to the attacker due to total loss of confidentiality.
Low (L)	Attacker can’t control the restricted information that is obtained. Some loss of confidentiality.
None (N)	No loss of confidentiality.

2.2 Integrity impact (I) Measures the true nature of the information and how much it can be trusted. Successful exploitation of vulnerability is measured through impact to integrity.

Value	Description
Integrity Impact
High (H)	Total loss of integrity or protection. Attacker can alter any file.
Low (L)	Attacker can modify a file but cannot control the consequences.
None (N)	No loss of integrity.

2.3 Availability impact (A) Refers to how much information resources are accessible.

Value	Description
Availability Impact
High (H)	Attacker can deny full access to resources in the impacted component. Total loss of availability.
Low (L)	Attacker cannot deny totally. Partial or full resources are available only for a certain period.
None (N)	No loss of availability.

Temporal Metrics

1. Exploit code maturity (E) Exploit codes that are publicly available and are easy to use gives advantage to a potential attacker. This metric is based on the current state of techniques that measures the possibility of the vulnerability attack.

Value	Description
Exploit code maturity
Not defined (X)	The score will not be influenced if given this metric value.
High (H)	Autonomous agents deliver exploit code on a regular basis and works in all situations.
Functional (F)	If the vulnerability exists, the exploit code will work.
Proof-of-concept (P)	Modifications are required to use such code by a professional attacker.
Unproven (U)	No code is available.

2. Redemption level (RL) – The remediation level of a vulnerability is an imperative component for prioritization. The average weakness is unpatched when first distributed.

Value	Description
Redemption level
Not defined (X)	The score will not be influenced if given this metric value.
Unavailable (U)	It is either impossible to apply or there is no solution.
Workaround (W)	User provides their own solution unofficially.
Temporary fix (T)	Temporary fix is available and is official.
Official fix (O)	Official fix is available by the vendor.

3. Report confidence (RC) – At times only the presence of vulnerabilities is made public without giving specific details. This metric helps in measuring the credibility of the information and amount of confidence in the existence of the vulnerability.

Value	Description
Report confidence
Not defined (X)	The score will not be influenced if given this metric value.
Confirmed (C)	Source code and reports are available in detail to verify the research independently.
Reasonable (R)	Important details are published but there is no full access to source code to verify research independently.
Unknown (U)	Reports indicate presence of vulnerability. Less confidence in reports that are available.

Environmental metrics

1. Security requirements (CR, IR, AR) – This metric helps in customization of CVSS score based on the affected IT to a user’s organization. Characterized as following:

Confidentiality (CR)
Integrity (IR)
Availability (AR)

Value	Description
Security requirements
Not defined (X)	The score will not be influenced if given this metric value.
High (H)	Very serious consequences on the organization and associates due to loss of CR, IS, AR.
Medium (M)	Serious consequences on the organization and associates due to loss of CR, IR, AR.
Low (L)	Limited consequences on the organization and associates due to loss of CR, IR, AR.

2. Modified base metrics – It helps the adjustment of base metrics in accordance with the modification that is already present in the analyst’s environment.

Modified Base Metric	Value
Security requirements
Modified Attack Vector (MAV)	Same as base metrics above and not defined (default).
Modified Attack Complexity (MAC)
Modified Privileges Required (MPR)
Modified User Interaction (MUI)
Modified Scope (MS)
Modified Confidentiality (MC)
Modified Integrity (MI)
Modified Availability (MA)
Low (L)	Limited consequences on the organization and associates due to loss of CR, IR, AR.

Company Profile

Fortra’s Beyond Security’s testing solutions accurately assess and manage security weaknesses in networks, applications, industrial systems and networked software. We help businesses and governments simplify the management of their network and application security, thus reducing their vulnerability to attack and data loss. We specialize in DAST – our product, beSTORM will help you secure your network and applications, comply with your NERC CIP policy requirements and exceed industry and government standards.

CVE Explained

About CVE ( Common Vulnerability Exposures/Enumeration)

Common vulnerabilities and exposure gives common names to openly known security issues or vulnerabilities. The objective of CVE is to make it simpler to impart information over different databases and make available a common platform to evaluate security tools.

What is a CVE scan?

CVE depends on freely accessible data. For the duration of the life of the CVE list, MITRE corporation has depended on external information sources to recognize vulnerabilities. CVE provides information on vendor patches and fix information which it might have obtained from unverified third party.

AVDS actively checks for these patches and fixes and notifies the user about the updates. AVDS also tests if the patches and fixes don’t compromise or harm the user system in any way. AVDS tests a user’s system with every possible CVE listed in its database (provided by Securiteam) which is updated every day. AVDS also maintains consistent standard and accuracy, thus helping to reduce the overall false positives.

With the help of CVE, AVDS provides information such as vulnerability details, risk level, the impact on system, and solutions. Assigning a CVE number does not mean that it will end up being an official CVE entry, there might be duplicate CVE number or even false entries. The AVDS team independently validates each CVE for especially unique features and authenticity.

CVE Identifier creating process starts with the identification of possible security vulnerability. The information is then allotted a CVE identifier by CNA (CVE numbering authority) and listed by the CVE editor (the MITRE corporation) on the CVE website posted under the CVE List.

CVE Identifier

MITRE corporation’s documentation characterizes CVE identifiers as one of kind, common identifiers for openly known data security vulnerabilities released to the public in a form of a software package. Following are the CVE Identifiers:

CVE names
CVE numbers
CVE-IDs
CVE’S

Difference between Vulnerabilities and Exposures

Vulnerability	Exposures
Allows the hacker to intrude a system or network due to an error in the software code.	Provides the hacker access to the data that can be sold or misused.
Allows the hacker to execute commands with unauthorized permissions.	Allows the hacker to get into data gathering activities.
Allows the hacker to get information which is restricted.	Allows the hacker to conceal activities.
Allows the hacker to act like another entity.	Used as a main entry point by hackers to access the framework and information.
Allows the hacker to deny a service.	This is viewed as a major issue in security policy.

CVE community

Following are the major contributors to the CVE community

CVE board – The CVE Board incorporates individuals from various cyber security-related associations globally, like government offices, research organizations and other security specialists. Through open discussions, the board decides the entries on the CVE List.
CVE sponsor – US-CERT sponsors CVE at the U.S. department of homeland security. Sponsors page consist of all the past sponsors.
CVE Numbering authorities – CVE numbering authorities (CNAs) allocate CVE identifiers to newly found problems without including MITRE.
CVE-compatible products and services – various organizations globally have incorporated CVE identifiers to make their cyber security products and services “CVE-compatible”

CVE Vulnerability Scanner

Beyond Security’s testing solutions accurately assess and manage security weaknesses in networks, applications, industrial systems and networked software. We help businesses and governments simplify the management of their network and application security, thus reducing their vulnerability to attack and data loss. Our product lines, AVDS (network and SCADA vulnerability management) and beSTORM (software security testing), will help you secure your network and applications, comply with your security policy requirements and exceed industry and government standards.

SQL Injection Scanner Tools

What is SQL Injection?

SQL injection is currently the most common form of website attack in that web forms are very common, often they are not coded properly and the hacking tools used to find weaknesses and take advantage of them are commonly available online. This kind of exploit is easy enough to accomplish that even inexperienced hackers can accomplish mischief. However, in the hands of the very skilled hacker, a web code weakness can reveal root level access of web servers and from there attacks on other networked servers can be accomplished.

What is SQL?

Structured Query Language (SQL) is the nearly universal language of databases that allows the storage, manipulation, and retrieval of data. Databases that use SQL include MS SQL Server, MySQL, Oracle, Access and Filemaker Pro and these databases are equally subject to SQL injection attack.

Web based forms must allow some access to your database to allow entry of data and a response, so this kind of attack bypasses firewalls and endpoint defenses. Any web form, even a simple logon form or search box, might provide access to your data by means of SQL injection if coded incorrectly.

How SQL Injection Works

Prospects, customers, employees and business partners may all have the right to store or retrieve information from your database. Your site probably allows any site visitor to submit and retrieve data. Legitimate access for visitors includes site search, sign up forms, contact forms, logon forms and all of these provide windows into your database. These various points of access are quite possibly incorporated in ‘off-the-shelf’ applications or may be custom applications set up just for your site. These forms and their supporting code have likely come from many sources, were acquired at different times and possibly installed by different people.

SQL injection is the use of these publicly available fields to gain entry to your database. This is done by entering SQL commands into your form fields instead of the expected data. Improperly coded forms will allow a hacker to use them as an entry point to your database at which point the data in the database may become visible and access to other databases on the same server or other servers in the network may be possible.

Web site features such as contact forms, logon pages, support requests, search functions, feedback fields, shopping carts and even the functions that deliver dynamic web page content, are all susceptible to SQL injection attack because the very fields presented for visitor use MUST allow at least some SQL commands to pass through directly to the database.

Get a demo and see how you can defend against SQL injection attacks.

Schedule a Demo

SQL Injections Risk

Since databases control many web site functions, nearly all websites invite input from visitors and so many web forms are vulnerable, SQL injection has become and for years remained the most common form of website hacking tool used. Additionally, so many criminals are now using SQL injection that new server, application and code weaknesses are being discovered almost daily.

How Common are SQL Injection Attacks?

Our own records indicate that most (over half) of the web sites we have been asked to scan had SQL injection risks of either High or Medium levels. A high level of risk is one that is effectively an unlocked, unguarded door. A medium risk is one that when combined with one or more other factors could mean trouble. An even larger number of sites had Low risk issues. What you need to know: The percentage of sites that have at least one major risk is actually increasing.

Even though SQL injection has been a known issue for years, there are several factors causing the rate of risk to increase. First is that more companies are offering more website interaction with visitors and this trend is increasing dramatically. Second is that as more hackers gain skills in SQL injection, they are discovering more applications and services that are susceptible to attack and are developing new attacks on old applications. The result is a nearly exponential increase in the opportunities to use this attack method.

Am I at Risk for an SQL Injection Attack?

Your risk of being successfully attacked using SQL injection is based on these factors: the size of your business and the age, status of updates and patches on your applications and the skill and number of your technical staff. It boils down to whether you are an interesting target and whether your web server, the applications on it and your website code are well designed, well integrated and have all the current patches and updates.

Your site is in immediate danger if your company stores data of high value, if your company or entity is operating in a highly contested field of business, or if your site has political or social importance or value. Naturally if you have something of monetary value then you are a target. But you are also a target if your site is an opinion leader in a contentious environment. We have been asked by bloggers for help because the subject matter covered there had drawn SQL injection attacks. Explore common use cases for DAST here.

SQL injection attacks are now being solicited online. An upset customer, competitor, or even ex spouse can now easily hire a ‘script kiddie’ – or worse, a talented hacker – to attack a site. The chance of the hacker getting caught is low. The chance that the upset party can cause damage to your site without being fingered as the responsible party is high.

You are at risk of SQL injection if you have any equipment or applications which have not been routinely updated and patched, or if you have code on your site that was not correctly written. The age of equipment, the applications and the code is a rough indicator of risk. Another is the number of servers involved, number of applications and number of web site access points. If you are using hosted servers or if you are using outsourced technical resources, then a third party review of your site security is important. And even in-house staff can be so pressed for time and short on resources that updates and patches can get delayed or old legacy code get used without proper review.

SQL Injection Example

Every time a web site visitor enters data into a form on your site a SQL query is generated and delivered to your database. In the case of a simple logon form the username and password is presented to the database and if valid, the database responds with an answer and user is allowed access (or not). So, no matter how simple the form or web process, database access is required and a response is expected.

Using SQL injection, a hacker will try to enter a specifically crafted SQL commands into a form field instead of the expected information. The intent is to secure a response from the database that will help the hacker understand the database construction, such as table names. The next step would be to access and view data in important tables or to add data to tables, such as adding new accounts or user names and passwords. The third step, roughly, would be to use access to the database to discover and change security settings on a server that would allow a hacker administrative access.

Any dynamic script language including ASP, ASP.NET, PHP, JSP, and CGI is vulnerable to attack. The only equipment needed is a web browser. There are tools widely available online that will semi-automate the process of searching for weaknesses, and there are many forums in which hackers share exploits and help each other overcome obstacles.

SQL Injection Outcomes

As you can imagine, a hacker gaining administrative access to your server means that you will have effectively lost all of the data on that server to the invader. Worse yet there is now a beachhead behind your firewall from which attacks on other servers and services can now be made. In this way SQL injection can provide access to all company or personal data.

From a hacker’s point of view a component part of the hack that is almost as important as the break-in is maintaining secrecy. Setting off an ‘alarm’ of some sort is the last thing they want to do. Their infiltration work takes time and often the value of stolen data drops if the theft is discovered (information of value in identity theft or credit card theft for example). Thus SQL injection hacks are often discovered months and in some cases years after their initiation.

Alternatively, if outright damage is the intent then there is no shortage of bad things that can be done to a database once one has gained access to running commands. An entire table can be permanently deleted using a single SQL command. However a more sophisticated SQL injection attack could involve massive corruption of large databases and even destruction of backup copies.

Defense Against SQL Injection

Because web sites require constant access to the database, firewalls provide little or no defense against SQL injection attacks. Your website is public and firewalls must be set to allow every site visitor access to your database, usually over port 80/443.

Antivirus programs are equally ineffective at blocking SQL injection attacks. They are intended to spot and stop an entirely different kind of incoming data.

The most commonly used SQL injection defense is made up of two components. First there is routine updating and patching of all servers, services and applications which of course has many advantages and is common practice. Then there is producing and using well written and well tested website code that disallows unexpected SQL commands.

These two defenses are by definition enough to halt any SQL injection attack. So, why are web site vulnerabilities and risks on the rise and why are successful attacks occurring more often? The answers are each simple, and combine into a daunting list:

The number of servers, applications and volume of code on web sites is increasing
These servers, applications and code languages interact with each other in sometimes unpredictable ways
The number and frequency of updates and patches is increasing
IT departments are doing more work with fewer staff and some activities such as updates get postponed
IT staff turnover and layoffs sometimes leave camouflaged holes in security routines
Automatically installing every patch and update that comes along often produces unwanted side effects
Legacy code is often re-used when sites are updated, sometimes keeping code written to old standards in use long after it was obsolete
The number of people attempting to do hacks and the number of tools available to simplify hacking are both going up almost exponentially

More and more companies with huge risk factors and large web ‘footprints’ are coming to conclude that patching everything and hiring more staff to watch the work of existing staff is no longer viable.

Web Site SQL Injection Scanner Tool Solution

The new solution to SQL injection attacks (and all other web-based attacks) is to focus limited and valuable IT time on the serious risks that are actually present, rather than to use a shotgun approach and apply every possible fix to every server, every application and every page of code whether it was needed or not. This new approach is like having a doctor evaluate a patient and proscribe the ONE medicine that is needed to produce a cure, rather than have the patient go directly to the pharmacy to get every possible medicine and take them all at once.

Thus greater security is accomplished through using web application testing tools, such as beSECURE, as an SQL injection scanner tool to examine (scan) a web site using a list of thousands of known attacks and then report on the relatively few (usually less than a dozen) serious issues.

Web site scanning works on the basis of spotting and reporting KNOWN risks. Common hacking is very ‘public’ activity. The tools are widely promoted. Techniques are broadly disseminated in public forums. Even new methods become public within hours or days of their first use, thanks to groups who watch for and then broadly warn others.

BeSECURE, the automated vulnerability detection system, is a web-based service that uses a compilation of all known risks into families and all families into a single database that has taken many years to compile and many hours a day to maintain. Using this database beSECURE can evaluate any web site and produce a report of REAL and PRESENT risks rated according to their relative importance – often within hours and without disturbing ongoing site activities.

Now, you can take your valuable IT man hours and directly address real risks such as SQL injection rather than spend hundreds of hours installing patches and updates, most of which you don’t need or that handle risks that are so small as to be negligible.