
CVSS Version 2 Scoring with Nessus and the Passive Vulnerability Scanner

On Wednesday, August 15th, 2007, Tenable Network Security will begin converting CVSS base scores for Nessus and the Passive Vulnerability Scanner (PVS) plugins from version 1 to version 2. This blog entry discusses how some of the plugin severity and risk ratings will be changing due to our adoption of the new and more accurate CVSS version 2 standard.

CVSSv1 and CVSSv2

Recently, the Forum of Incident Response and Security Teams (FIRST) released new guidelines for scoring vulnerability severity levels. The original standard was CVSS v1 (for version 1) and the new standard is CVSS v2. Severity ratings scored under CVSS version 2 are more accurate than those scored under version 1. Version 2 also gives more emphasis to remote, unauthenticated denial of service and compromise vectors.

Tenable Network Security uses the CVSS base score to select Nessus and PVS severity ratings for vulnerability plugins. Values from 1 through 3 receive a Low/Informational rating; 4 through 6 receive a Medium/Warning rating and 7 through 9 receive a High/Hole severity level. CVSS scores of 10 have a severity level of "High/Hole" but also have their Risk factor marked as "Critical".

We will synchronize existing Nessus and PVS plugins with the CVSS v2 base scores in NIST's National Vulnerability Database starting August 15th. Once we implement this change and you update your plugins, you should notice an immediate change in the way scores are displayed in your reports. For example, with v1 you might now see:

  Risk factor :

  Critical / CVSS Base Score : 10.0
  (AV:R/AC:L/Au:NR/C:C/I:C/A:C/B:N)


Under v2, you will see:

  Risk factor :

  Critical / CVSS Base Score : 10.0
  (CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:N)


In some cases, though, we are unable to sync scores with the NVD so the switch to CVSSv2 scores for some plugins will not occur immediately. This may happen because a Nessus or PVS plugin checks for a vulnerability for which there is no CVE entry, or because NIST has not scored the entry manually (NIST labels these "approximated" scores). In these cases, Tenable will re-score the plugins using the v2 standard as time permits.

Tenable will also begin to use CVSS v2 scoring on all new plugins starting August 15th, 2007.

For Nessus and the PVS, the new scoring methodology affects the severity ratings for many of the plugins which had previously been scored with the CVSS v1 methodology. Several severity ratings will change when the new scoring goes into effect. This means that some systems that have been scanned and did not have "High" or "Hole" vulnerabilities may in fact show vulnerabilities with this severity level if re-scanned. Similarly, some serious vulnerabilities will not receive as high a severity rating under the new scoring.

Detailed Severity Changes

Changes in the vulnerability scoring of note include:

  • The scores for 79 plugins remain the same across v1 and v2. With four exceptions, these are for critical vulnerabilities, with a score of 10.0.
  • The risk factor and reporting functions for 293 plugins will have a change.
  • The risk factor for 30 plugins will actually go down. In one case, it's because the vulnerability requires adjacent network access rather than just remote access.
  • Approximately 133 plugins covering issues that can be exploited by an unauthenticated remote attacker without any access complexity and that have one of C, I, or A scored as "partial" will see their risk factor go from Low (with a v1 score of 2.3) to Medium (v2 score 5.0) due to the increased weighting given the remote access vector in CVSSv2 scoring.
  • 14 plugins for vulnerabilities that can be exploited by an unauthenticated remote attacker without any access complexity and with one of C, I, or A scored as "complete" will see their risk factor go from Low (with a v1 score of 3.3) to High (v2 score 7.8), again due to the increased weighting given the remote access vector in CVSSv2 scoring.
  • 17 plugins for vulnerabilities that can be exploited by an unauthenticated remote attacker with a medium access complexity and with one of C, I, or A scored as "partial" (e.g., XSS flaws) will go from a Low risk factor (with a v1 score of 1.9) to Medium (v2 score 4.3) due to the increased weighting given the remote access vector in CVSSv2 scoring.

Example CVSSv1 and CVSSv2 Scoring

Here is an example comparison of relative scores between CVSSv1 and CVSSv2 for a 'cPanel' path disclosure bug:

v1: 1.9 (AV:R/AC:H/Au:NR/C:P/I:N/A:N/B:N)
v2: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

In this example the change in scoring was from 1.9 to 2.6. It is "more" severe than before, but would still be reported as an informational or low vulnerability.

A good example of another vulnerability jumping a dramatic amount in its severity rating is one that affects the Kaspersky Antivirus solution. Nessus plugin 24758 checks for a CPU DoS. The CVSS v1 and v2 scores are below:

v1: 3.3 (AV:R/AC:L/Au:NR/C:N/I:N/A:C/B:N)
v2: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

If the anti-virus solution is running on a mail server, then exploitation could be achieved remotely, without authentication and without any user interaction. CVSSv2 takes these factors into higher consideration when scoring vulnerabilities which results in a "high" score of 7.8.

Learn More About CVSS

For more information about the Common Vulnerability Scoring System, please visit the CVSS Special Interest Group's web site located at http://www.first.org/cvss/.

