FIRST (Forum of Incident Response and Security Teams) officially announced CVSS v4 on November 1, 2023, eight years after the release of Common Vulnerability Scoring System version 3 (CVSS v3).
“This latest release of CVSS 4.0 aims to provide the highest accuracy vulnerability assessment for both industry and the public,” FIRST said in a statement.
What's New in CVSS v4.0?
The main innovations in CVSS v4.0 are as follows.
Nomenclature
In CVSS v3.x the framework consisted of three metric groups: Base, Temporal and Environmental. Over time, the Base score became synonymous with "the CVSS score", even though the Temporal and Environmental groups were meant to refine it. CVSS v4.0 renames Temporal to Threat and adopts a new nomenclature that states which metric groups a given score actually includes, to emphasize that a CVSS score is not expressed by the Base metrics alone.

Nomenclature | Metric groups included
--- | ---
CVSS-B | Base metrics only
CVSS-BE | Base and Environmental metrics
CVSS-BT | Base and Threat metrics
CVSS-BTE | Base, Threat and Environmental metrics
Supplemental Metric Group
CVSS v4.0 adds an optional set of metrics called the Supplemental Metric Group, intended to give users extra context for their own risk analysis. Supplemental metrics can be supplied by the vulnerability provider and consumed by the assessor, and each is carried as an extra component of the vector string (for example S:P or AU:Y), but they have no effect on the calculation of the numerical CVSS score.

Supplemental metric | Question it answers
--- | ---
Safety (S) | Could successful exploitation cause a safety impact, i.e. physical harm to people, rather than only a security impact on the organization?
Automatable (AU) | Can an attacker automate exploitation of this vulnerability across many targets?
Recovery (R) | Can the affected system or component recover its availability and performance after an attack, automatically or with user intervention, or not at all?
Value Density (V) | How many resources does an attacker gain control of with a single exploitation event (diffuse versus concentrated)?
Vulnerability Response Effort (RE) | How much effort does a consumer need in order to respond to (mitigate or patch) the vulnerability?
Provider Urgency (U) | What urgency rating does the product provider assign to this vulnerability (Clear, Green, Amber or Red)?
New Base Metric
The Attack Requirements (AT) metric is intended to provide a level of detail beyond what Attack Complexity (AC) alone gave in v3.x. It captures the prerequisite deployment and execution conditions, or variables, of the vulnerable system that must hold for the attack to succeed (for example a race condition that must be won, or a non-default configuration). The two metrics are now distinguished as follows:
- Attack Complexity (AC) – Reflects the exploit engineering effort required to evade or circumvent defensive or security-enhancing technologies (for example ASLR or other exploit mitigations).
- Attack Requirements (AT) – Reflects the prerequisite conditions of the vulnerable component itself that enable the attack, independent of any defensive measures.
Removed Base Metric
The Scope metric introduced in CVSS v3.0 has been removed. FIRST's stated reason is that its definition was unclear, which led to inconsistent ratings of the same vulnerability between different product providers. In its place, the impact metrics are split into two sets, so that impact on the system containing the vulnerable component and impact on other systems are rated separately instead of being folded into a single Scope: Changed flag:
- Vulnerable System Impact – Confidentiality (VC), Integrity (VI), Availability (VA)
- Subsequent System Impact – Confidentiality (SC), Integrity (SI), Availability (SA)
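As an added example (not code from FIRST or from any of the sources listed below), the following Python parses a CVSS v4.0 vector string, validates every component against the Base, Threat, Environmental and Supplemental groups described in the sections above, derives the CVSS-B/BE/BT/BTE nomenclature, and reports whether the vulnerability reaches a subsequent system. The metric abbreviations and permitted values are those of the CVSS v4.0 specification; the sample vectors are constructed for illustration and do not describe real CVEs. Score computation is deliberately left out, since v4.0 scoring depends on the MacroVector lookup tables. One caveat the code makes explicit: a metric given as X (Not Defined) is equivalent to omitting it, so a vector that merely carries E:X is still CVSS-B.

```python
"""CVSS v4.0 vector parsing, nomenclature and impact-set helpers.

Added example, not code from FIRST or from the CVSS v4.0 specification.
Metric names and values follow the CVSS v4.0 specification; no score is
computed here.
"""

# Metric groups and the abbreviations each metric may take.
# "X" (Not Defined) is allowed on every non-Base metric and means
# "treat as if the metric were omitted".
METRIC_GROUPS = {
    "Base": {
        "AV": {"N", "A", "L", "P"}, "AC": {"L", "H"}, "AT": {"N", "P"},
        "PR": {"N", "L", "H"}, "UI": {"N", "P", "A"},
        # Vulnerable System impact
        "VC": {"H", "L", "N"}, "VI": {"H", "L", "N"}, "VA": {"H", "L", "N"},
        # Subsequent System impact (replaces the v3.x Scope metric)
        "SC": {"H", "L", "N"}, "SI": {"H", "L", "N"}, "SA": {"H", "L", "N"},
    },
    "Threat": {"E": {"X", "A", "P", "U"}},
    "Environmental": {
        "CR": {"X", "H", "M", "L"}, "IR": {"X", "H", "M", "L"}, "AR": {"X", "H", "M", "L"},
        "MAV": {"X", "N", "A", "L", "P"}, "MAC": {"X", "L", "H"}, "MAT": {"X", "N", "P"},
        "MPR": {"X", "N", "L", "H"}, "MUI": {"X", "N", "P", "A"},
        "MVC": {"X", "H", "L", "N"}, "MVI": {"X", "H", "L", "N"}, "MVA": {"X", "H", "L", "N"},
        "MSC": {"X", "H", "L", "N"}, "MSI": {"X", "S", "H", "L", "N"}, "MSA": {"X", "S", "H", "L", "N"},
    },
    "Supplemental": {
        "S": {"X", "N", "P"}, "AU": {"X", "N", "Y"}, "R": {"X", "A", "U", "I"},
        "V": {"X", "D", "C"}, "RE": {"X", "L", "M", "H"},
        "U": {"X", "Clear", "Green", "Amber", "Red"},
    },
}

# Reverse index: metric abbreviation -> group name.
METRIC_TO_GROUP = {m: g for g, metrics in METRIC_GROUPS.items() for m in metrics}


def parse_vector(vector: str) -> dict[str, str]:
    """Parse and validate a CVSS v4.0 vector string into {metric: value}.

    Raises ValueError on a bad prefix, unknown metric, illegal value,
    repeated metric, or a missing mandatory Base metric.
    """
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {parts[0]!r}")
    metrics: dict[str, str] = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not sep or name not in METRIC_TO_GROUP:
            raise ValueError(f"unknown metric component: {part!r}")
        if value not in METRIC_GROUPS[METRIC_TO_GROUP[name]][name]:
            raise ValueError(f"illegal value {value!r} for metric {name}")
        if name in metrics:
            raise ValueError(f"metric {name} given more than once")
        metrics[name] = value
    missing = set(METRIC_GROUPS["Base"]) - set(metrics)
    if missing:
        raise ValueError(f"missing mandatory Base metrics: {sorted(missing)}")
    return metrics


def defined_groups(metrics: dict[str, str]) -> set[str]:
    """Groups that carry at least one metric with a defined (non-X) value."""
    return {METRIC_TO_GROUP[m] for m, v in metrics.items() if v != "X"}


def nomenclature(metrics: dict[str, str]) -> str:
    """Return CVSS-B, CVSS-BE, CVSS-BT or CVSS-BTE for a parsed vector.

    Supplemental metrics never change the nomenclature because they do
    not feed into the score.
    """
    groups = defined_groups(metrics)
    suffix = ("T" if "Threat" in groups else "") + ("E" if "Environmental" in groups else "")
    return "CVSS-B" + suffix


def affects_subsequent_system(metrics: dict[str, str]) -> bool:
    """True when any Subsequent System impact metric is not None (N).

    This is roughly the situation v3.x expressed as Scope: Changed.
    """
    return any(metrics[m] != "N" for m in ("SC", "SI", "SA"))


if __name__ == "__main__":
    # Constructed sample vectors for illustration; they are not real CVE entries.
    samples = [
        "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A",
        "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N/CR:H/AU:Y",
        "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/S:P",
    ]
    for v in samples:
        m = parse_vector(v)
        print(f"{nomenclature(m):8} subsequent={affects_subsequent_system(m)!s:5} {v}")
```

The parser accepts metrics in any order; the specification lists a canonical order, so a stricter consumer could additionally reject out-of-order vectors. The third sample shows why the Scope replacement matters in practice: a local, low-privilege vulnerability with only low impact on the vulnerable system still rates High confidentiality and integrity impact on a subsequent system, which the SC/SI/SA metrics make visible directly.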
What are the effects of CVSS 4.0 on Cyber Security?
CVSS 4.0 aims to provide more holistic and accurate assessments by considering a wide range of factors, including the overall likelihood of exploitation and the potential impact of a successful attack.
Any vulnerability's theoretical impact can differ from the risk it poses in a given environment, and the new version narrows that gap: clearer metric definitions reduce subjectivity, reduce effort misdirected toward less critical findings, and make vulnerabilities easier to evaluate consistently. For practitioners this means better prioritization of findings and better allocation of remediation resources. The more detailed metrics and modular approach (Base, Threat, Environmental and Supplemental groups that can be combined as needed) let organizations adapt scoring to the factors that matter in each environment, which yields more accurate risk identification and a defensible order of remediation actions based on real severity rather than a single generic score. In short, CVSS v4.0 supports prioritizing security findings according to the actual threat they represent, provided the Threat and Environmental metrics are actually populated rather than left at their defaults.
Sources:
https://www.first.org/newsroom/releases/20231101
https://www.first.org/cvss/v4-0/cvss-v40-presentation.pdf
https://blog.qualys.com/product-tech/2023/11/02/cvss-v4-is-now-live-and-what-do-you-need-to-know