Continuing on from our CVSS introduction post last week, we will now explore the first group of metrics used to compile the score, the Base Metrics. Remember that the Base score is specified by vendors or analysts, unlike the Environmental metrics, which are scored by the end user. The Base metrics fall into two subgroups: Exploitability and Impact.
Under Exploitability, the first metric is Attack Vector (AV). This reflects the access an attacker needs in order to exploit the vulnerability, for example network access or physical access to the device. Next is Attack Complexity (AC). This covers how reliably the attack can be repeated and captures conditions outside of the attacker’s control that must hold for exploitation to succeed. The next one is Privileges Required (PR). At one end this means needing administrator privileges, which are harder to obtain; at the other, something like hard-coded credentials that make exploitation easier. The final Exploitability metric is User Interaction (UI), which covers vulnerabilities whose exploitation depends on some action taken by a user.
Scope (S) is sometimes separated into its own subcategory. This metric captures whether an exploited vulnerability can affect components outside the authority of the vulnerable one. For example, a vulnerable application could allow interference with a database that is normally not associated with that application.
The Impact metrics are Confidentiality (C), Integrity (I) and Availability (A). Confidentiality is measured by how much information is disclosed to unauthorized users after exploitation. Integrity is based on the degree of data modification an attacker can achieve. Finally, Availability measures whether the service remains reachable after an attack, for example a web service that can no longer be accessed after exploitation.
Next time, we will explore the Temporal metrics and how vulnerability statuses change over time.