AusCERT Bulletin Impact/Access Assessment to CVSS Migration – Member Information

Introduction

AusCERT has provided Impact/Access assessments for bulletins for many years to assist members in responding to bulletins. Our Impact/Access was introduced at a time when this type of information was not easily accessible in a standardised format. Since then the industry has moved on and the Common Vulnerability Scoring System (CVSS) is now considered the defacto standard for assessing security vulnerabilities. In our AusCERT Member Bulletin survey we asked you, our members, whether you’d prefer us continue to use Impact/Access or move to CVSS.  AusCERT has now migrated to providing CVSS completely replacing Impact/Access.

We expect this will provide numerous benefits to our members. Here we will discuss what this change means for you and what the new bulletin format looks like. If you have any questions about the change and how it might affect your use of the bulletin service please let us know. We consider this migration to CVSS a work in progress and encourage member feedback on any part of the service including the current interim format and modifications going forward.

Common Vulnerability Scoring System (CVSS)

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat. Scores are calculated based on a formula that depends on several metrics that approximate ease and impact of an exploit. Scores range from 0 to 10, with 10 being the most severe. While many utilize only the CVSS Base score for determining severity, temporal and environmental scores also exist, to factor in availability of mitigations and how widespread vulnerable systems are within an organization, respectively.  Common Vulnerability Scoring System – Wikipedia (downloaded 28/Jan/2021)

CVSS is a published standard used by numerous vendors and security researchers around the world with the complete specification, user guide, examples and other details available at the CVSS SIG.

Vulnerabilities are assessed and rated according to various characteristics such as attack vectors, attack complexity, privileges required, user interaction, impact and so on. The assessment produces a CVSS Base score, derived from a vector string which summarises the vulnerability metrics.

The current version of CVSS is v3.1/v3.0. Although some organisations still produce CVSS v2, AusCERT will collect and summarise an advisory by collection of CVSS 3.1/3.0. It’s important to note that v2 varies significantly from v3 when viewing the CVSS.

CVSS assessments are done by a variety of organisations including National Vulnerability Database (NVD) and vendors such as Cisco, Red Hat, SUSE and so on. In this document CVSS Source will refer to the organisation providing a specific CVSS assessment for a CVE.

CVSS Format for AusCERT Bulletins

Bulletins redistributed by AusCERT from Product Security Incident Response Teams (PSIRTs) typically identify specific vulnerabilities using an assigned Common Vulnerabilities and Exposures unique identifier (CVE). The CVE has the form CVE-YYYY-DDDD where YYYY is a year and DDDD is a number containing at least four digits (zero padded), for example CVE-2022-0123.

AusCERT’s Impact/Access was a summary of the vulnerability statement that accompanied each CVE in a Bulletin. This has been removed making way for a CVSS v3 Base Score and Vector String that reflects that most impactful CVE in the Bulletin. Also the source of the collected CVSS will be identified as reference. In case a CVSS is not available when the bulletin is processed this will be reflected in our CVSS (Max) statement as discussed further on.

There may potentially be many CVSS assessments provided by different groups for a specific CVE. AusCERT will try to identify which CVSS sources may be applicable to a CVE including:

• CVSS provided by a vendor
• CVSS provided by NVD
• CVSS provided by any other relevant authority

AusCERT relies on CVSS assessments created by external entities hence CVEs or CVSSs will not always be available. Therefore bulletins will fall into one of the following categories

• All CVEs have a CVSS (Complete)
• Some CVEs are missing a corresponding CVSS (Partial)
• No CVEs have a CVSS (None)

NOTES

• Different CVSS providers can produce different CVSS scores for the same CVE. Generally if the PSIRT is also the CVSS source then their assessment may better represent the vulnerability of the CVE in their product’s implementation.
• The severity of a CVE in a particular organisation’s environment can differ significantly from the generic base score produced by a third party. A CVSS score is not an absolute indicator of risk (and was not designed to be) but it can definitely help inform your vulnerability mitigation processes and priorities.

We’ll now discuss the format of the CVSS information with examples provided.  Based on feedback, we may modify the format to better meet member or operational requirements.

CVSS Summary

The CVSS information will appear in the Comments field of the bulletin and take these forms

• All CVSS available

CVSS (Max): BaseScore CVE-ID VectorString

CVSS Source: CVSS-Source


• Partial CVSS (add * to BaseScore)

CVSS (Max): BaseScore* CVE-ID VectorString
CVSS Source: CVSS-Source
* Not all CVSS available when published


• No CVSS

CVSS (Max): None available when published

NOTES

• AusCERT will try to find a suitable CVSS when publishing a bulletin by reviewing the most likely sources such as  vendors and NVD. However as we try to publish bulletins in a timely manner it is possible we may not identify a published CVSS source or that a missing CVSS will become available after we have published the bulletin. In any case, we would always encourage readers to review the latest revision of the bulletin from the vendor to assist making the best remediation decisions.
• More information regarding specifically which CVEs did not have a published CVSS is an enhancement that is being considered. If this would be useful to you please let us know.
• AusCERT is exploring ways that members will be able to process bulletins more effectively including making more of the data easily machine accessible. If you have any suggestions we are keen to hear them.

Email Subject Summary

In a similar way the format of the CVSS in a bulletin email subject will be

• All CVSS available
  • Subject: [OS] Vulnerability Title: CVSS (Max): BaseScore
• Partial CVSS (add * to BaseScore)
  • Subject: [OS] Vulnerability Title: CVSS (Max): BaseScore*
• If there is no CVSS for any CVEs then
  • Subject: [OS] Vulnerability Title: CVSS (Max): None

Examples

This section gives examples based on published ESBs and what they would look like in the new format.

Complete CVSS

Original ESB-2022.0387

               ESB-2022.0387
         Security update for qemu
              28 January 2022

===========================================================================

           AusCERT Security Bulletin Summary
           ---------------------------------

Product:          qemu
Publisher:        SUSE
Operating System: SUSE
Resolution:       Patch/Upgrade
CVE Names:        CVE-2021-20196 CVE-2020-13253

Reference:        ESB-2022.0373
                  ESB-2021.0366
                  ESB-2020.3138
                  ESB-2020.2866

Original Bulletin:
   https://www.suse.com/support/update/announcement/2022/suse-su-20220210-1

Comment: CVSS (Max): 6.5 CVE-2021-20196 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
CVSS Source: NVD

Subject: ESB-2022.0387 - [SUSE] qemu: CVSS (Max): 6.5

Partial CVSS

Original ESB-2022.0381

               ESB-2022.0381
     Advisory (icsa-22-025-01) GE Gas Power ToolBoxST
              27 January 2022

===========================================================================

          AusCERT Security Bulletin Summary
          ---------------------------------

Product:          GE Gas Power ToolBoxST
Publisher:        ICS-CERT
Operating System: Network Appliance
                  Windows
Resolution:       Patch/Upgrade
CVE Names:        CVE-2021-44477 CVE-2018-16202

Original Bulletin:
   https://us-cert.cisa.gov/ics/advisories/icsa-22-025-01

Comment: CVSS (Max): 8.6* CVE-2018-16202 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
         CVSS Source: NVD
* Not all CVSS available when published

Subject: ESB-2022.0381 - [Network Appliance] GE Gas Power ToolBoxST: CVSS (Max): 8.6*

No CVEs or CVSS found

Original ESB-2022.0376

                    ESB-2022.0376
          Xen Security Advisory CVE-2022-23033
                   27 January 2022

===========================================================================

            AusCERT Security Bulletin Summary
            ---------------------------------

Product:          Xen
Publisher:        Xen
Operating System: Xen
Resolution:       Patch/Upgrade
CVE Names:        CVE-2022-23033

Original Bulletin:
   http://xenbits.xen.org/xsa/advisory-393.html

Comment: CVSS (Max): None available when published

Subject: ESB-2022.0376 - [Xen] Xen: CVSS (Max): None

Feedback

This bulletin format change was designed to help members more effectively process vulnerability and vendor advisories provided by AusCERT. Please let us know what you think of the format, if you envisage any difficulties with the migration to the new format, and any other feedback you think will assist us in making the bulletin service more valuable for you. Improvements to the CVSS format and bulletins in general are being planned so by contacting us with your preferences we are able to prioritise our development of the service to meet member needs. In particular, ideas which would allow easier automation and analysis of bulletins are welcome. Please direct feedback to auscert@auscert.org.au.