CVSS Exploitability (E) and Remediation Level (RL) Risk Matrices

by Cody Dumont
May 1, 2014

The Common Vulnerability Scoring System (CVSS) provides an open framework for assessing the risk of discovered vulnerabilities. The scoring system has three metric groups, the second being the Temporal metric group. This dashboard provides four risk analysis matrices: two risk-based heat maps and two with published exploit ratios.

The dashboard and its components are available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Security Industry Trends.

The dashboard requirements are:

  • SecurityCenter 4.8
  • Nessus 5.2.6
  • LCE 4.2.2
  • PVS 4.0.2

The temporal metric group consists of three metrics; this dashboard focuses on the first two: the exploitability metric and the remediation level metric. The exploitability metric represents the current state of exploit techniques and the availability of exploit code. As exploit code becomes easier to use and the number of attackers increases, the severity of the vulnerability also increases. The remediation level of a vulnerability factors into prioritization. When initially published, a vulnerability is unpatched. During the life cycle of the vulnerability, the remediation level moves through the respective stages. The less official and permanent a fix is, the higher the risk.

The exploitability metric has the following values:

  • Unproven (U) - No exploit code is available, or an exploit is entirely theoretical.
  • Proof-of-Concept (POC) - The code or technique is not functional in all situations and may require substantial modification by a skilled attacker.
  • Functional (F) - The code works in most situations where the vulnerability exists.
  • High (H) - The code works in every situation, or is actively being delivered via a mobile autonomous agent (such as a worm or virus).
  • Not Defined (ND) - Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.

The remediation level metric has the following values:

  • Official Fix (OF) - A complete vendor solution is available.
  • Temporary Fix (TF) - There is an official but temporary fix available.
  • Workaround (W) - There is an unofficial, non-vendor solution available.
  • Unavailable (U) - There is either no solution available or it is impossible to apply.
  • Not Defined (ND) - Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.

The “Not Defined” value is included in the heat map because many vulnerabilities carry this designation, and we would not want to drop data from your risk assessment. If your organization does not use this value, you can delete the bottom row.

The matrices on the left reflect the host count, while the matrices on the right show the vulnerability count. Each cell in the heat map matrices is colored to reflect the level of risk for the hosts or vulnerabilities it contains, with yellow being the lowest risk and purple being the highest risk.

The matrices with ratio bars also change color based on the following thresholds:

  • 0% = White
  • 1% – 25% = Yellow
  • 26% – 50% = Orange
  • 51% – 75% = Red
  • 76% – 100% = Purple
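As an added example (not part of the original post or of the SecurityCenter dashboard itself), the following Python builds the two E x RL count matrices described above, host count and vulnerability count, from a few constructed findings, and applies the ratio-bar thresholds listed above to each cell's share of all findings. The CVSS v2 temporal vector format, the use of E as rows with Not Defined as the bottom row, and the sample hosts and plugin IDs are assumptions.

```python
from collections import defaultdict
# Row/column order as the post lists the values; Not Defined (ND) is the bottom row.
EXPLOITABILITY = ["U", "POC", "F", "H", "ND"]
REMEDIATION = ["OF", "TF", "W", "U", "ND"]

# Constructed sample findings: (host, plugin id, CVSS v2 temporal vector).
FINDINGS = [
    ("10.0.0.5", "plugin-A", "E:F/RL:OF/RC:C"),
    ("10.0.0.5", "plugin-B", "E:POC/RL:W/RC:UR"),
    ("10.0.0.7", "plugin-A", "E:F/RL:OF/RC:C"),
    ("10.0.0.9", "plugin-C", "RC:C"),  # no E or RL published: lands in (ND, ND)
]

def parse_temporal(vector):
    """Return (E, RL) from a vector like 'E:POC/RL:W/RC:C'; missing E or RL is ND."""
    fields = dict(part.split(":", 1) for part in vector.split("/") if part)
    e, rl = fields.get("E", "ND"), fields.get("RL", "ND")
    if e not in EXPLOITABILITY or rl not in REMEDIATION:
        raise ValueError(f"unknown temporal value in {vector!r}")
    return e, rl

def build_matrices(findings):
    """Return (host_count, vuln_count) per (E, RL): distinct hosts vs. findings per cell."""
    hosts, vulns = defaultdict(set), defaultdict(int)
    for host, _plugin, vector in findings:
        cell = parse_temporal(vector)
        hosts[cell].add(host)
        vulns[cell] += 1
    return {c: len(h) for c, h in hosts.items()}, dict(vulns)

def ratio_color(pct):
    """Color band for a ratio bar: 0% white, 1-25 yellow, 26-50 orange, 51-75 red, else purple."""
    bands = [(0, "White"), (25, "Yellow"), (50, "Orange"), (75, "Red"), (100, "Purple")]
    return next(color for limit, color in bands if pct <= limit)

def cell_ratios(vuln_count):
    """Each cell's share of all findings, rounded to 0.1%, as (percent, color)."""
    total = sum(vuln_count.values())
    pct = {c: round(100.0 * n / total, 1) for c, n in vuln_count.items()}
    return {c: (p, ratio_color(p)) for c, p in pct.items()}

def render_grid(matrix):
    """Print the E (rows) by RL (columns) grid; empty cells show 0."""
    print("E\\RL " + " ".join(f"{rl:>4}" for rl in REMEDIATION))
    for e in EXPLOITABILITY:
        print(f"{e:<5}" + " ".join(f"{matrix.get((e, rl), 0):>4}" for rl in REMEDIATION))

if __name__ == "__main__":
    for grid in build_matrices(FINDINGS):
        render_grid(grid)
```

Note that the host matrix counts each host once per cell even when several findings on it share the same (E, RL) pair, which is why the two matrices can differ on real data.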