June 25, 2026
Robert "RSnake" Hansen

To understand this post, I assume you have some passing knowledge of the CVSS calculator and understand how variables within the CVSS calculator change scores.
In computer security scoring, there is one, and only one, number that really stands out to me. One that is memorable and strange. It’s the CVSS score of 9.8. Not CVSS 10.0 or 9.5 or any other number. Specifically 9.8. There are some very, very strange things about this number that are important to know about. It all starts with the foundations of the CVSS calculator.
There are three versions of the CVSS calculator: CVSS versions 2.0, 3.x, and 4.0. Each version has certain permutations that make some scores easier to get to, and some impossible to get to. Many people think CVSS scores can be any number from 0.0 to 10.0 (101 possibilities), but in practice there are many scores that are extremely likely to be reached, and others that are actually mathematical impossibilities. Weirder yet, those numbers are different between the three versions of the calculator. Here’s CVSS version 2.0:

On the horizontal axis is the CVSS score, and on the vertical axis is the number of CVSS calculator combinations that can mathematically produce that score. Basically, this graph brute forces every possible combination of the CVSS calculator and shows how many ways there are, if any, to get to any given score. The grey lines are scores that are impossible to achieve. Notice, for instance, that you cannot mathematically reach any CVSS score below 0.8 (except 0.0), and that 18 scores below 10.0 are unreachable on this graph. Now let’s look at CVSS version 3.x.

This graph shows that in CVSS version 3.0 there is exactly one combination that allows the calculator to get the CVSS score of 9.8. Just one! And 9.5 and 9.7 are not possible to achieve. Now how about CVSS version 4.0?

Like CVSS version 2.0, version 4.0 has many CVSS scores that cannot be reached at all, but a score of 9.8 is of particular interest because, across the three different versions and the thousands of combinations among them, there is literally only one combination that gets you to that CVSS score. So that should mean that we almost never see that score, right? Negative.

A CVSS score of 9.8 is one of the most common scores, and definitely within the top 5 most likely scores among the total population of 350k+ CVEs to date. Odd, right? It gets more odd. Now let’s look at the same data, but normalized by the number of possible combinations. In other words, for any single combination of CVSS metrics, how likely is it that you will wind up on that one number? Let’s take a look:

The ratio of CVSS 9.8 occurrences to the number of combinations that produce it is wildly off the charts. It’s not even close to any of the other scores. A CVSS score of 7.8 is a very common score, as an example, yet it only has a ratio of 200:1, compared to a CVSS score of 9.8, which has a ratio of 23,939:1. That is two orders of magnitude greater than the next highest ratio. Oh, but it gets weirder!
Let’s take a look at what the bad guys are up to by combining all of the public KEV (Known Exploited Vulnerabilities) lists we can find.
If you take the single vector string that produces a CVSS score of 9.8 and compare it against all of the other vector strings, it represents more than a quarter of all of the vulnerabilities that have ever been publicly reported as a KEV. This is while CVSS 9.8 only represents something like 7% of the total population of scored CVEs.
Why CVSS score of 9.8 and not CVSS 10? Well, I did some hunting, and I think it comes down to the following set of graphs. These graphs comprise all of the CVSS vectors from all of the public KEVs I could find, broken down into each of the major parts of the attack vector string. This is what real adversaries are using:

There is exactly one graph that stands out to me, and it’s maybe not the one you would have guessed. It’s scope. A scope of “Unchanged” gives a lower CVSS score than a scope of “Changed”. It’s the difference between a CVSS 9.8 and a CVSS score of 10.0. Why would bad guys so overwhelmingly prefer a scope of Unchanged over Changed?
I think it comes down to what that actually means during an attack. Let’s say you land on a box after exploiting it, but your scope is not the same as, or has expanded beyond, the thing you just exploited, because the impact lands somewhere other than where you landed. Is that a good thing? I would wager that, no, no, that is not what an attacker would want most of the time. The CVSS v3 calculator describes a changed scope as, “An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different.”
Attackers almost always want to be exploiting the same box they have landed on, and want to pivot from it elsewhere on command. So in practice, if the scope is “Unchanged”, then it is ostensibly better for the adversary, and worse for the defender, than the typical CVSS 10.0, or at least that is what appears to happen in practice. Even though a CVSS score of 10 is much easier to arrive at mathematically, it’s less utilized by the adversaries… by a long, long margin.
So it seems to me that the CVSS calculator got it wrong. It was thinking hypothetically, and not thinking about it from the adversary’s perspective. So if I had to pick only one CVSS score to focus on, 9.8 would be my pick. If you fix EVERY CVSS score of 9.8, you are still fixing way too many vulnerabilities that aren’t likely to get exploited, because a lot of them have never been used, but it sure beats fixing all of the CVSS scores of 10.0 that attackers, taken as a whole, appear to rarely use.