CVSS Temporal Ratio

by Cody Dumont
May 15, 2014

In conjunction with the CVSS Temporal score heat maps, SecurityCenter can also provide a more detailed analysis such as exploitability. This dashboard uses a heat map approach, provides an analysis of the vulnerabilities, and notes whether a published exploit is available.

The dashboard and its components are available in the SecurityCenter Feed, an app store of dashboards, reports, and assets.  The dashboard requirements are:

  • SecurityCenter 4.8
  • Nessus 5.2.6
  • LCE 4.2.2
  • PVS 4.0.2

The Common Vulnerability Scoring System (CVSS) provides an open framework for assessing the risk of discovered vulnerabilities. The scoring system has three metric groups, the second being the "Temporal" group. The temporal group comprises three metrics:

  • Exploitability - The exploitability metric represents the current state of exploit techniques and the availability of exploit code. As exploit code becomes easier to use and the number of attackers able to use it increases, the severity of the vulnerability also increases.
  • Remediation Level - The remediation level of a vulnerability factors into prioritization. When initially published, a vulnerability is unpatched. During the life cycle of the vulnerability, the remediation level moves through the respective stages. The less official and permanent the available fix, the higher the risk.
  • Report Confidence (RC) - When a vulnerability is published, the details may be limited; however, as the vulnerability is confirmed by other researchers or by the vendor, details become more widely known. The urgency to mitigate is higher when the details are more public. The risk increases as the details are made public and validated by reputable sources.

The exploitability metric has the following values:

  • Unproven (U) - No exploit code is available, or an exploit is entirely theoretical.
  • Proof-of-Concept (POC) - The code or technique is not functional in all situations and may require substantial modification by a skilled attacker.
  • Functional (F) - The code works in most situations where the vulnerability exists.
  • High (H) - The code works in every situation, or is actively being delivered via a mobile autonomous agent (such as a worm or virus).
  • Not Defined (ND) - Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. 

The remediation level metric has the following values:

  • Official Fix (OF) - A complete vendor solution is available.
  • Temporary Fix (TF) - There is an official but temporary fix available.
  • Workaround (W) - There is an unofficial, non-vendor solution available.
  • Unavailable (U) - There is either no solution available or it is impossible to apply.
  • Not Defined (ND) - Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. 

The report confidence metric has the following values:

  • Unconfirmed (UC) - There is a single unconfirmed source or possibly multiple conflicting reports.
  • Uncorroborated (UR) - There are multiple non-official sources, possibly including independent security companies or research organizations.
  • Confirmed (C) - The vulnerability has been acknowledged by the vendor or author of the affected technology.
  • Not Defined (ND) - Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. 

The "Not Defined" value is included in the heat map because many vulnerabilities carry this designation, and we would not want to drop that data from your risk assessment. If your organization does not use this value, you can delete the bottom row.

The matrices on the left reflect the host count, while the matrices on the right show the vulnerability count.  The matrices with ratio bars also change color based on thresholds. 

  • 0% = White
  • 1% – 25% = Yellow
  • 26% – 50% = Orange
  • 51% – 75% = Red
  • 76% – 100% = Purple
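The following is an added example, not Tenable's code and not part of the original post. It shows the two pieces of arithmetic the dashboard rests on: the CVSS v2 temporal score computed from the three temporal metrics listed above (the multipliers come from the CVSS v2 specification, not from this page), and a heat-map style cross-tabulation of exploitability against remediation level that reports the published-exploit ratio per cell and assigns the colour bands listed above. The findings, host names and plugin ids are constructed sample data; the dashboard itself reads these values from SecurityCenter scan results. The same function produces the host ratio (left-hand matrices) and the vulnerability ratio (right-hand matrices) by changing the key it counts by.

```python
"""Added example: CVSS v2 temporal scoring and a published-exploit ratio table.
Not Tenable's code; the temporal multipliers are the CVSS v2 specification's."""
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 temporal multipliers (from the CVSS v2 specification).
EXPLOITABILITY = {"U": "0.85", "POC": "0.9", "F": "0.95", "H": "1.0", "ND": "1.0"}
REMEDIATION_LEVEL = {"OF": "0.87", "TF": "0.9", "W": "0.95", "U": "1.0", "ND": "1.0"}
REPORT_CONFIDENCE = {"UC": "0.9", "UR": "0.95", "C": "1.0", "ND": "1.0"}


def parse_temporal_vector(vector):
    """Parse a CVSS v2 temporal vector fragment such as 'E:POC/RL:OF/RC:C'.
    A metric omitted from the vector is treated as Not Defined (ND)."""
    parts = dict(item.split(":", 1) for item in vector.split("/") if item)
    e = parts.get("E", "ND")
    rl = parts.get("RL", "ND")
    rc = parts.get("RC", "ND")
    if e not in EXPLOITABILITY or rl not in REMEDIATION_LEVEL or rc not in REPORT_CONFIDENCE:
        raise ValueError("unknown temporal metric value in %r" % vector)
    return e, rl, rc


def temporal_score(base_score, vector):
    """TemporalScore = round_to_1_decimal(BaseScore * E * RL * RC).
    Decimal arithmetic avoids binary float rounding surprises at the .x5 boundary."""
    e, rl, rc = parse_temporal_vector(vector)
    score = (Decimal(str(base_score)) * Decimal(EXPLOITABILITY[e])
             * Decimal(REMEDIATION_LEVEL[rl]) * Decimal(REPORT_CONFIDENCE[rc]))
    return float(score.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def ratio_color(percent):
    """Map a published-exploit ratio (0-100) to the dashboard's colour bands."""
    if percent == 0:
        return "white"
    if percent <= 25:
        return "yellow"
    if percent <= 50:
        return "orange"
    if percent <= 75:
        return "red"
    return "purple"


def exploit_ratio(findings, key):
    """Cross-tabulate findings by (exploitability, remediation level) and return,
    per cell, (exploitable count, total count, percent, colour). `key` selects what
    is counted: the host for the host matrices, the plugin id for the
    vulnerability matrices."""
    seen = defaultdict(set)
    exploitable = defaultdict(set)
    for f in findings:
        e, rl, _ = parse_temporal_vector(f["vector"])
        seen[(e, rl)].add(key(f))
        if f["exploit_available"]:
            exploitable[(e, rl)].add(key(f))
    table = {}
    for cell, members in seen.items():
        pct = 100.0 * len(exploitable[cell]) / len(members)
        table[cell] = (len(exploitable[cell]), len(members), round(pct, 1), ratio_color(pct))
    return table


# Constructed sample findings (hypothetical hosts and plugin ids, not real scan data).
SAMPLE_FINDINGS = [
    {"host": "host-a", "plugin_id": 1001, "base_score": 7.5, "vector": "E:POC/RL:OF/RC:C", "exploit_available": True},
    {"host": "host-b", "plugin_id": 1001, "base_score": 7.5, "vector": "E:POC/RL:OF/RC:C", "exploit_available": True},
    {"host": "host-f", "plugin_id": 1002, "base_score": 6.8, "vector": "E:POC/RL:OF/RC:UR", "exploit_available": False},
    {"host": "host-c", "plugin_id": 1003, "base_score": 5.0, "vector": "E:U/RL:OF/RC:C", "exploit_available": False},
    {"host": "host-d", "plugin_id": 1004, "base_score": 10.0, "vector": "E:H/RL:U/RC:C", "exploit_available": True},
    {"host": "host-e", "plugin_id": 1005, "base_score": 4.3, "vector": "E:ND/RL:ND/RC:ND", "exploit_available": False},
]


def host_ratio_table(findings=SAMPLE_FINDINGS):
    return exploit_ratio(findings, key=lambda f: f["host"])


def vulnerability_ratio_table(findings=SAMPLE_FINDINGS):
    return exploit_ratio(findings, key=lambda f: f["plugin_id"])


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f["host"], f["vector"], "temporal score", temporal_score(f["base_score"], f["vector"]))
    for name, table in (("hosts", host_ratio_table()), ("vulnerabilities", vulnerability_ratio_table())):
        print("--", name)
        for cell, (hit, total, pct, colour) in sorted(table.items()):
            print("E:%s RL:%s  %d/%d  %.1f%%  %s" % (cell[0], cell[1], hit, total, pct, colour))
```

Note that the same cell can land in a different band on the two sides of the dashboard: in the sample data the POC/OF cell is red on the host matrix (two of three hosts have an exploitable finding) but orange on the vulnerability matrix (one of two plugins is exploitable), which is why the post shows both views side by side.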

The components of this dashboard are:

  • CVSS Temporal Ratio - Lower Risk Metrics Published Exploit Host Ratio: This component displays a table with the exploitable host ratio for the lower range of temporal risk metrics, while preserving the risk progression of the heat maps.
  • CVSS Temporal Ratio - Higher Risk Metrics Published Exploit Host Ratio: This component displays a table with the exploitable host ratio for the higher range of temporal risk metrics, while preserving the risk progression of the heat maps.
  • CVSS Temporal Ratio - Lower Risk Metrics Published Exploit Vulnerability Ratio: This component displays a table with the exploitable vulnerability ratio for the lower range of temporal risk metrics, while preserving the risk progression of the heat maps.
  • CVSS Temporal Ratio - Higher Risk Metrics Published Exploit Vulnerability Ratio: This component displays a table with the exploitable vulnerability ratio for the higher range of temporal risk metrics, while preserving the risk progression of the heat maps.