score the Access Vector of these vulnerabilities
SCORING TIP #7: If the vulnerability exists in an authentication scheme itself (e.g., Pluggable Authentication Module [PAM], Kerberos) or an anonymous service (e.g., public FTP server), the Authentication metric should be scored as “None” because the attacker can exploit the vulnerability without supplying valid credentials. Presence of a default user account may be considered as “Single” or “Multiple” Authentication (as appropriate), but may have Exploitability of “High” if the credentials are publicized.
Confidentiality, Integrity, Availability Impacts
SCORING TIP #8: Vulnerabilities that give root-level access should be scored with complete loss of
confidentiality, integrity, and availability, while vulnerabilities that give user-level access should be
scored with only partial loss of confidentiality, integrity, and availability. For example, an integrity
violation that allows an attacker to modify an operating system password file should be scored with
complete impact of confidentiality, integrity, and availability.
SCORING TIP #9: Vulnerabilities with a partial or complete loss of integrity can also cause an impact to
availability. For example, an attacker who is able to modify records can probably also delete them.
3.2 Equations
Scoring equations and algorithms for the base, temporal and environmental metric groups are described below. Further discussion of the origin and testing of these equations is available at www.first.org/cvss.
3.2.1 Base Equation
The base equation is the foundation of CVSS scoring. The base equation is:
BaseScore = round_to_1_decimal(((0.6*Impact)+(0.4*Exploitability)-1.5)*f(Impact))
Impact = 10.41*(1-(1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))
Exploitability = 20*AccessVector*AccessComplexity*Authentication
f(Impact) = 0 if Impact=0, 1.176 otherwise
AccessVector = case AccessVector of
    requires local access: 0.395
    adjacent network accessible: 0.646
    network accessible: 1.0
AccessComplexity = case AccessComplexity of
Authentication = case Authentication of
    requires multiple instances of authentication: 0.45
    requires single instance of authentication: 0.56
    requires no authentication: 0.704
ConfImpact = case ConfidentialityImpact of
    none:
    0.660
IntegImpact = case IntegrityImpact of
    0.660
AvailImpact = case AvailabilityImpact of
    0.660
THE COMMON VULNERABILITY SCORING SYSTEM (CVSS) AND ITS APPLICABILITY TO FEDERAL AGENCY SYSTEMS
3.2.2 Temporal Equation
If employed, the temporal equation will combine the temporal metrics with the base score to produce a temporal score ranging from 0 to 10. Further, the temporal equation will produce a temporal score no higher than the base score, and no less than 33% lower than the base score. The temporal equation is:
TemporalScore = round_to_1_decimal(BaseScore*Exploitability
Exploitability = case Exploitability of
    not defined: 0.85
This document was uploaded on 03/19/2014 for the course IS 4799 (Spring '14) at ITT Tech Flint.