CVSS Version 2 Scoring with Nessus and the Passive Vulnerability Scanner

On Wednesday, August 15th, 2007, Tenable Network Security will begin converting CVSS base scores for Nessus and the Passive Vulnerability Scanner (PVS) plugins from version 1 to version 2. This blog entry discusses how some of the plugin severity and risk ratings will be changing due to our adoption of the new and more accurate CVSS version 2 standard.

CVSSv1 and CVSSv2

Recently, the Forum of Incident Response and Security Teams (FIRST) released new guidelines for scoring vulnerability severity levels. The original standard was CVSS v1 (for version 1) and the new standard is CVSS v2. CVSS version 2 is more accurate than vulnerability severity ratings scored under version 1. It also gives more emphasis to remote, unauthenticated denial of service and compromise vectors.

Tenable Network Security uses the CVSS base score to select Nessus and PVS severity ratings for vulnerability plugins. Values from 1 through 3 receive a Low/Informational rating; 4 through 6 receive a Medium/Warning rating and 7 through 9 receive a High/Hole severity level. CVSS scores of 10 have a severity level of "High/Hole" but also have their Risk factor marked as "Critical".

We will synchronize existing Nessus and PVS plugins with the CVSS v2 base scores in NIST's National Vulnerability Database starting August 15th. Once we implement this change and you update your plugins, you should notice an immediate change in the way scores are displayed in your reports. For example, with v1 you might now see:

  Risk factor :

  Critical / CVSS Base Score : 10.0
  (AV:R/AC:L/Au:NR/C:C/I:C/A:C/B:N)

Under v2, you will see:

  Risk factor :

  Critical / CVSS Base Score : 10.0
  (CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:N)

In some cases, though, we are unable to sync scores with the NVD so the switch to CVSSv2 scores for some plugins will not occur immediately. This may happen because a Nessus or PVS plugin checks for a vulnerability for which there is no CVE entry, or because NIST has not scored the entry manually (NIST labels these "approximated" scores). In these cases, Tenable will re-score the plugins using the v2 standard as time permits.

Tenable will also begin to use CVSS v2 scoring on all new plugins starting August 15th, 2007.

For Nessus and the PVS, the new scoring methodology affects the severity ratings for many of the plugins which had been previously scored with the CVSS v1 methodology. There are several severity ratings that will change when the new scoring goes into effect. This means that some systems that have been scanned and did not have "High" or "Hole" vulnerabilities may in fact show vulnerabilities with this severity level if re-scanned. Similarly, some serious vulnerabilities do not have as high of a severity under the new scoring.

Detailed Severity Changes

Changes in the vulnerability scoring of note include:

• The scores for 79 plugins remain the same across v1 and v2. With four exceptions, these are for critical vulnerabilities, with a score of 10.0.
• The risk factor and reporting functions for 293 plugins will have a change.
• The risk factor for 30 plugins will actually go down. In one case, it's because the vulnerability requires adjacent network access rather than just remote access.
• Approximately 133 plugins covering issues that can be exploited by an unauthenticated remote attacker without any access complexity and that have one of C, I, or A scored as "partial" will see their risk factor go from Low (with a v1 score of 2.3) to Medium (v2 score 5.0) due to the increased weighting given the remote access vector in CVSSv2 scoring.
• 14 plugins for vulnerabilities that can be exploited by an unauthenticated remote attacker without any access complexity and with one of C, I, or A scored as "complete" will see their risk factor go from Low (with a v1 score of 3.3) to High (v2 score 7.8), again due to the increased weighting given the remote access vector in CVSSv2 scoring.
• 17 plugins for vulnerabilities that can be exploited by an unauthenticated remote attacker with a medium access complexity and with one of C, I, or A scored as "partial" (eg, XSS flaws) will go from a Low risk factor (with a v1 score of 1.9) to Medium (v2 score 4.3) due to the increased weighting given the remote access vector in CVSSv2 scoring.

Example CVSSv1 and CVSSv2 Scoring

Here is an example comparison of relative scores between CVSSv1 and CVSSv2 for a 'cPanel' path disclosure bug:

v1: 1.9 (AV:R/AC:H/Au:NR/C:P/I:N/A:N/B:N)
v2: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

In this example the change in scoring was from 1.9 to 2.6. It is "more" severe than before, but would still be reported as an informational or low vulnerability.

A good example of the another vulnerability jumping a dramatic amount in its severity rating is one that effects the Kaspersky Antivirus solution. Nessus plugin 24758 checks for a CPU DOS. The CVSS v1 and v2 scores are below:

v1: 3.3 (AV:R/AC:L/Au:NR/C:N/I:N/A:C/B:N)
v2: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

If the anti-virus solution is running on a mail server, then exploitation could be achieved remotely, without authentication and without any user interaction. CVSSv2 takes these factors into higher consideration when scoring vulnerabilities which results in a "high" score of 7.8.

Learn More About CVSS

For more information about the Common Vulnerability Scoring System, please visit the CVSS Special Interest Group's web site located at http://www.first.org/cvss/.