The CVSS Deception: How We’ve Been Misled on Vulnerability Severity


Since 2014, 170K+ CVEs have been published, with ~4.5x growth in yearly disclosures and an average disclosure rate of ~80/day in 2023. The sheer volume makes it untenable for organizations to address all vulnerabilities. It is common to rely heavily on the CVSS score/rating for prioritization without giving it a second thought. Being generic, CVSS has implicit tradeoffs that plague its use and, more importantly, can lead to a false sense of security. We present six such empirically validated operational challenges to be on the lookout for:

C1 – Underrated severity due to CIA (Confidentiality, Integrity, Availability) aggregation. We show that ~10% of CVEs are potentially underrated, posing significant risk. CVE-2020-8187, a 7.5-(under)rated vulnerability disclosed amid the COVID crisis, had the potential to bring organizations to a grinding halt.

C2 – The Exploit Maturity metric leads to an unmanageable operational burden. We show that 462K+ disparate data points need to be analyzed for this metric alone, and even then the result is point-in-time accuracy at best, with a high probability of incorrectly lowering the score.

C3 – Lack of APT and exploitability consideration is a missed opportunity. In contrast to C2, this can be easily achieved even with incomplete data.

C4 – No consideration of Privacy as a first-class concern despite its significance. The use of a generic confidentiality metric is potentially masking privacy impact in thousands of CVEs.

C5 – Inadequate dependency consideration, not accounting for prerequisites, affects the prioritization of at least 11% of CVEs.

C6 – Scoring discrepancy due to a formula error surfaces for specific vectors, affecting 100+ CVEs.

For C1, C2, C4 and C6 we offer executable guidance on usage and monitoring for vectors and patterns, to avoid getting caught out.

For C3 and C5, we propose conceptual design and call on the community for extensions to address the open challenge.

By:
Ankur Sand | Vice President, JPMorganChase
Syed Islam | Executive Director / Principal Cybersecurity Architect, JP Morgan Chase & Co
Michael Davis | Global Chief Security Architect, JP Morgan Chase & Co
Joshua Tigges | Sr Principal Cybersecurity Architect, JP Morgan
Marty Grant | Security Operations Director, JP Morgan
Rusty Clark | Cyber Intelligence Director, JP Morgan

Full Abstract and Presentation Materials:
https://www.blackhat.com/eu-24/briefings/schedule/#the-cvss-deception-how-we39ve-been-misled-on-vulnerability-severity-42509