@norsec0de
Last active June 28, 2024 15:30
The Idiots Guide to CVSS


CVSS is a formula used by legends that provides a risk severity rating for discovered vulnerabilities. It's an objective representation of the risk that prevents idiots from arguing with you.

There are 3 sections to the CVSS:

  • Base Score: This section is where the severity of the vulnerability is determined and is the only section that actually matters
  • Temporal Score: This section provides additional information to other people, who are responsible for security, but don't know how to use Google.
  • Environmental Score: This section is for idiots who are not responsible for security, but want to feel included, to tell the rest of us how precious and sensitive their app is.

Base Score

The Base Score has 8 metrics that are used to calculate the "exploitability" of the vulnerability. This set of metrics describes whether the person who will inevitably breach your organisation is a toddler, teenager, adult, ninja or Russian.

The Base Score metrics and their descriptions are:

  • Attack Vector (AV): From where can your shit be popped?
  • Attack Complexity (AC): Is the attacker using Windows or Linux to pop your shit?
  • Privileges Required (PR): Does the attacker need to login before popping your shit?
  • User Interaction (UI): Does someone else need to click on something before your shit gets popped?
  • Scope (S): After popping your shit, can the attacker pop someone else's shit?
  • Confidentiality (C): Will your shit end up on pastebin.com after it gets popped?
  • Integrity (I): Will you need to hire more humans to double-check your shit after it gets popped?
  • Availability (A): Will your shit only work via Email or Teams after it gets popped?

The options for each of the Base Score metrics are:

Attack Vector (AV)

  • Network (N): Even the Russians can pop your shit
  • Adjacent (A): Anyone on your network can pop your shit
  • Local (L): Only people logged in with SSH or RDP can pop your shit
  • Physical (P): Someone needs to be holding your shit to pop it

Attack Complexity (AC)

  • Low (L): Anyone with Metasploit can pop your shit
  • High (H): Only people with Linux can pop your shit

Privileges Required (PR)

  • None (N): No login is required to pop your shit
  • Low (L): Logged in users can pop your shit
  • High (H): Only friends of IT can pop your shit

User Interaction (UI)

  • None (N): Nobody else is needed to pop your shit
  • Required (R): Gullible people are needed to pop your shit

Scope (S)

  • Unchanged (U): Nobody else's shit will get popped as a result of your incompetence
  • Changed (C): Somebody else's shit will get popped as a result of your incompetence

Confidentiality (C)

  • None (N): Only you care about the data in your shit
  • Low (L): A handful of people care about the data in your shit
  • High (H): Everyone cares about the data in your shit

Integrity (I)

  • None (N): No backups are restored after your shit gets popped
  • Low (L): Some backups are restored after your shit gets popped
  • High (H): College students are given 'work experience' to come in and re-enter everything manually from logs after your shit gets popped

Availability (A)

  • None (N): Nobody noticed that your shit got popped
  • Low (L): A handful of Teams messages came through after your shit got popped
  • High (H): IT brings you a personal printer and you revert to working like it was 1998 after your shit got popped

Temporal Score

The Temporal Score has 3 metrics that provide context to the vulnerability for those who pretend to work in security but don't know how to use Google. This set of metrics describes where the exploit can be downloaded from and whether the vendor is using the "it's not a bug, it's a feature!" excuse.

The Temporal Score metrics and their descriptions are:

  • Exploit Code Maturity (E): Where can the attacker download the exploit to attack your shit?
  • Remediation Level (RL): Does the vendor care about your shit?
  • Report Confidence (RC): Did the pentester learn how to pop your shit at a security conference?

The options for each of the Temporal Score metrics are:

Exploit Code Maturity (E)

  • Not Defined (X): The exploit was written just for your shit, therefore, it gets the same score as a High (H)
  • Unproven (U): The exploit code that popped your shit was found on Twitter
  • Proof-Of-Concept (P): The exploit code that popped your shit was found on GitHub
  • Functional (F): The exploit code that popped your shit was found on Exploit-DB
  • High (H): The exploit code that popped your shit was found on Google, has a cheesy nickname, a theme tune, a logo, its own website, and will be written about in the next 8 upcoming issues of CIO magazine. If this has already been published in CIO magazine, you should be ashamed of yourself for not patching this sooner!

Remediation Level (RL)

  • Not Defined (X): The way your shit got popped was so genius that nobody actually knows how to fix it, not even the pentester. This gets the same score as Unavailable (U)
  • Unavailable (U): The vendor isn't impressed enough by your shit to do anything about it and has therefore issued a press release stating that it's supposed to do that. 0-days would also have the Unavailable (U) rating; however, if a pentester did find a 0-day in your shit, it won't be in this report... check back in 9 months if they're living under a different name in Bora Bora
  • Workaround (W): Your shit can be used if you revert to the code base you were using just after your last pentest
  • Temporary Fix (T): Your shit can be fixed by running sudo shutdown and waiting for the vendor to do something about it
  • Official Fix (O): Your shit can be fixed by running Windows Update and sudo apt -y update

Report Confidence (RC)

  • Not Defined (X): No information showing your shit getting popped is in the report, be afraid, see "Remediation Level > Unavailable" above regarding 0-days
  • Confirmed (C): The report contains a PoC, screen shots and a video of your shit getting popped
  • Reasonable (R): The report contains a PoC and screen shots of your shit getting popped
  • Unknown (U): The report contains only screen shots of your shit getting popped

Environmental Score

This section of the CVSS standard only exists because civilization demands inclusivity. It was forced into the standard through HR complaints and lawsuits, and we genuinely don't know what it means or how to use it.

If you want additional information about this section, we suggest engaging with the triggered people in your organisation or writing a letter to the editors of CIO magazine.
