Evaluating the Severity of Security Vulnerabilities using CVSS

CVSS

During a pentest, you may come across more than one vulnerability in a target. When reporting these vulnerabilities, it is important to rank them according to the impact they would have on the target if they were exploited. Without ranking the vulnerabilities, it would not be easy to prioritise those that pose the greatest risk and need to be remediated timeously. The Common Vulnerability Scoring System (CVSS) can be used to calculate a score that helps rank a vulnerability. CVSS is an open standard for assessing the severity of security vulnerabilities. Below is the CVSS v3.1 severity rating scale, which maps a score ranging from 0.0 to 10.0 to a qualitative rating:

Rating      CVSS Score
None        0.0
Low         0.1 – 3.9
Medium      4.0 – 6.9
High        7.0 – 8.9
Critical    9.0 – 10.0

The overall score usually consists of the Base score alone. The Base score can be refined by including the Temporal and Environmental scores, which indicate a severity rating relevant to a user’s environment at a certain point in time. However, the Temporal and Environmental scores are optional. This post will focus on calculating the Base score.

CVSS Calculator

An online CVSS calculator is available from FIRST and can be used to calculate the CVSS score of a vulnerability. The CVSS calculator includes the below Base score form:

Base score form

The Base score is composed of Exploitability and Impact metrics. The Exploitability metrics are Attack Vector, Attack Complexity, Privileges Required and User Interaction, while the Impact metrics are Confidentiality, Integrity and Availability. To learn more about a metric, open the CVSS calculator and hover your mouse cursor over the metric; a text box will appear with a summary of that metric.

Scoring a Single Vulnerability

This example will be based on the well-known SMB remote code execution vulnerability (CVE-2017-0144), which is found in the Blue machine from Hack the Box. Using the CVSS calculator to score this vulnerability results in a High severity rating with a score of 8.1/10:

Remote code execution score
  • Attack Vector: Network – as this is a remote code execution vulnerability, it is exploitable remotely over the network
  • Attack Complexity: High – the exploit may be unreliable and may not run successfully on the first attempt, i.e. it may need to be run more than once
  • Privileges Required: None – this is a pre-authenticated exploit and so the attacker does not need to be authenticated to exploit the vulnerability
  • User Interaction: None – besides the attacker, there are no users who are involved in this attack
  • Scope: Unchanged – successful exploitation of the vulnerability does not impact another component other than the vulnerable component (SMB service)
  • Confidentiality, Integrity, Availability: High – successful exploitation of the vulnerability results in full system compromise. As a result, there is a complete loss of the confidentiality, integrity and availability of the information

After scoring the vulnerability, the below vector string will be generated (as illustrated in the above figure):

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

This vector string is an alternative way to represent the above metrics and their corresponding values (for example, AV:N = Attack Vector: Network).

Scoring Chained Vulnerabilities

There are times where multiple vulnerabilities will need to be exploited together to obtain a higher impact such as remote code execution. While CVSS was designed to score individual vulnerabilities, it can be used to score multiple vulnerabilities that are chained together.

In this example, I will be using the Cronos machine from Hack the Box, which is vulnerable to SQL injection and command injection. Cronos is vulnerable to SQL injection in the login page, which can be exploited to gain access to the Net Tool page, which in turn is vulnerable to command injection. The below demonstration shows how a chained score can be calculated using the CVSS calculator:

Vulnerability 1: SQL Injection

SQL injection score

The exploitation of the SQL injection vulnerability has a low impact on confidentiality as the exploitation gives access to the Net Tool page, but has no impact on integrity or availability.

Vulnerability 2: Command Injection

Command injection score

The command injection vulnerability can be leveraged to gain a low-privileged shell on the target and so there is a low impact on confidentiality, integrity and availability.

Chaining the Vulnerabilities

Before chaining the two vulnerabilities, we first need to list the individual CVSS scores:

SQL injection: Medium (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Command injection: Medium (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

Next, we need to calculate the exploitability of the chained vulnerabilities by logically combining the exploitability metric values from each vulnerability. This is indicated in the below table for Attack Vector, Attack Complexity, Privileges Required and User Interaction. For instance, Privileges Required (PR) for the chain is None (N) as the attacker does not require any privileges to exploit the vulnerability at the start of the chain. If there is a change in Scope then this change will be included in the chain, which isn’t the case here. Finally, we assign an impact to the chained vulnerability which is equal to the impact metric values of the final vulnerability in the chain, i.e. command injection.

Metric                      Vulnerability 1: SQL injection   Vulnerability 2: Command injection   Chain
Attack Vector (AV)          N                                N                                    N
Attack Complexity (AC)      L                                L                                    L
Privileges Required (PR)    N                                L                                    N
User Interaction (UI)       N                                N                                    N
Scope (S)                   U                                U                                    U
Confidentiality (C)         L                                L                                    L
Integrity (I)               N                                L                                    L
Availability (A)            N                                L                                    L

Inserting the above metric values for the chain into the CVSS calculator gives the below chained score:

Chained score

While the SQL injection and command injection vulnerabilities individually result in a Medium severity, chaining them together results in a High severity and thus a higher impact. The same process as in the above example can be followed to calculate the chained score for more than two vulnerabilities. It is recommended to list the chained score along with the individual vulnerability scores: that way it is easier to determine the impact of the individual vulnerabilities as well as the impact of the chain. By evaluating the severity of security vulnerabilities in this manner, they can be prioritised and remediated before they are exploited by an attacker.