
Recently after checking out the Heartbleed vulnerability I was taking a look at its CVSS score (AV:N/AC:L/Au:N/C:P/I:N/A:N) and noticed the following (partial) addendum:

CVSS V2 scoring evaluates the impact of the vulnerability on the host where the vulnerability is located. When evaluating the impact of this vulnerability to your organization, take into account the nature of the data that is being protected and act according to your organization’s risk acceptance.

After taking a look at the CVSS v3 specification document I was not able to find a piece of text that quite explained whether the scoring system evaluates the impact similarly to its predecessor. If so, does CVSS v3 still evaluate a vulnerability based on the impact it has on the host?

The reason I ask is because Heartbleed seems to be rated way lower than what it deserves to be rated (relevant) and was wondering whether this would re-occur in a future vulnerability using CVSS v3.

Juxhin

2 Answers


Yes it does. A CVSS 3 base score is calculated using eight factors:

  • Impact is determined by: scope, confidentiality, integrity and availability.
  • Likelihood is determined by: attack vector, attack complexity, privileges required and user interaction.

A good place to learn about these is the online calculator.

The problem with CVSS and Heartbleed is that it doesn't account for chained vulnerabilities. The real concern is that an attacker uses Heartbleed against your VPN server, steals credentials, uses the credentials to connect, then wreaks havoc on your network. Using CVSS you only consider the first bit, so there is no impact for confidentiality and integrity. And with CVSS 2 the confidentiality impact is "partial" not "complete".

CVSS 3 works a bit better; I score Heartbleed as 8.6. Impact ratings are now low/high instead of partial/complete. Heartbleed is certainly high confidentiality impact, even if it's not complete. They also introduce the somewhat obscure "scope" factor. Heartbleed has changed scope, as you're accessing memory outside the intended scope of an SSL connection. However, CVSS 3 still doesn't account for chained vulnerabilities.

There are also CVSS temporal and environmental scores which add additional factors. The idea is they help you measure things like "this particular box is great risk right now". However, I've found temporal and environment scores to be rarely used and not particularly helpful.

paj28
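The following is an added example, not part of paj28's answer or of any CVSS tooling: a small CVSS v2 and v3.0 base-score calculator that reproduces the numbers discussed above from their vector strings. The weights and formulas are those of the CVSS v2 and v3.0 specifications; the only deviation is that Roundup uses the integer arithmetic from the v3.1 specification (it gives the same results here and avoids floating-point artefacts). The "whole chain" vector is hypothetical: it scores the VPN credential-theft chain as if it were a single issue, to show what CVSS leaves out when only the first link is rated.

```python
"""CVSS v2 and v3.0 base-score calculators (added example, not from the page).

Reproduces: Heartbleed v2 = 5.0, v3.0 with S:U = 7.5, v3.0 with S:C = 8.6,
and a hypothetical whole-chain vector = 10.0.
"""
import math

# --- CVSS v3.0 metric weights (v3.0 specification, Table 9) ---
V3_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
V3_AC = {"L": 0.77, "H": 0.44}
V3_UI = {"N": 0.85, "R": 0.62}
V3_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
# Privileges Required is weighted differently when Scope is (unchanged, changed)
V3_PR = {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.50)}


def _parse(vector, prefix):
    """Turn 'CVSS:3.0/AV:N/AC:L/...' (or a bare v2 vector) into a metric dict."""
    parts = vector.split("/")
    if parts[0].startswith(prefix):
        parts = parts[1:]  # drop the 'CVSS:3.0' version tag if present
    return dict(p.split(":") for p in parts)


def _roundup(x):
    """CVSS Roundup: smallest one-decimal value >= x.
    Uses the v3.1 integer formulation so that 7.4999999 rounds as 7.5, not 7.6."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def cvss3_base(vector):
    """CVSS v3.0 base score for a vector string."""
    m = _parse(vector, "CVSS:3")
    changed = m["S"] == "C"
    iss = 1 - (1 - V3_CIA[m["C"]]) * (1 - V3_CIA[m["I"]]) * (1 - V3_CIA[m["A"]])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    pr = V3_PR[m["PR"]][1 if changed else 0]
    exploitability = 8.22 * V3_AV[m["AV"]] * V3_AC[m["AC"]] * pr * V3_UI[m["UI"]]
    if impact <= 0:
        return 0.0
    if changed:
        return _roundup(min(1.08 * (impact + exploitability), 10))
    return _roundup(min(impact + exploitability, 10))


# --- CVSS v2 metric weights (v2 guide, section 3.2.1) ---
V2_AV = {"N": 1.0, "A": 0.646, "L": 0.395}
V2_AC = {"L": 0.71, "M": 0.61, "H": 0.35}
V2_AU = {"N": 0.704, "S": 0.56, "M": 0.45}
V2_CIA = {"C": 0.660, "P": 0.275, "N": 0.0}


def cvss2_base(vector):
    """CVSS v2 base score for a vector like 'AV:N/AC:L/Au:N/C:P/I:N/A:N'."""
    m = _parse(vector, "CVSS:2")
    impact = 10.41 * (1 - (1 - V2_CIA[m["C"]]) * (1 - V2_CIA[m["I"]]) * (1 - V2_CIA[m["A"]]))
    exploitability = 20 * V2_AV[m["AV"]] * V2_AC[m["AC"]] * V2_AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


# Heartbleed (CVE-2014-0160) as scored in the question and answer.
HEARTBLEED_V2 = "AV:N/AC:L/Au:N/C:P/I:N/A:N"                           # v2 vector from the question
HEARTBLEED_V3_UNCHANGED = "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"  # scope unchanged
HEARTBLEED_V3_CHANGED = "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"    # scope changed (paj28's 8.6)
# Hypothetical: the "steal VPN credentials, log in, wreak havoc" chain scored as one issue.
FULL_CHAIN_V3 = "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"

if __name__ == "__main__":
    for label, vec, score in [
        ("v2, C:P", HEARTBLEED_V2, cvss2_base),
        ("v3.0, S:U C:H", HEARTBLEED_V3_UNCHANGED, cvss3_base),
        ("v3.0, S:C C:H", HEARTBLEED_V3_CHANGED, cvss3_base),
        ("v3.0, whole chain", FULL_CHAIN_V3, cvss3_base),
    ]:
        print(f"{label:20s} {score(vec)}")
```

Running it shows where the difference between the two versions actually comes from: the exploitability term is identical for every v3.0 vector here (3.89), so the jump from 7.5 to 8.6 is entirely the Scope flag, and the jump from 5.0 (v2) to 7.5 is the High-vs-Partial confidentiality weight. Nothing short of scoring the whole chain as one vulnerability gets to 10.0, which is the point about chained vulnerabilities.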

No it doesn't. CVSS v3 does still evaluate impact, but relative to the impacted component and not necessarily the host.

Consider the case where you totally hack a web application, where you gain administrative rights and can read and manipulate all data. This would have serious impact relative to the application (i.e. the component), but low impact on the host or the operating system. In CVSS 2 the impact was rated relative to the host, but in CVSS 3 it is rated relative to the impacted component.

CVSS v2.0 presented difficulties for vendors when scoring vulnerabilities that would fully compromise their software, but only partially affect the host operating system. In v2.0 vulnerabilities are scored relative to the host operating system, which led one application vendor to adopt a "Partial+" impact metric convention. CVSS v3.0 addresses this issue with updates to where the impact metrics are scored and a new metric called Scope (discussed further below).

When scoring vulnerabilities in CVSS v3.0, the Exploitability metrics are scored relative to the vulnerable component. That is, they are scored by considering the component that suffers the coding flaw. On the other hand, the Impact metrics are scored relative to the impacted component.

Source

Heartbleed is one of the CVSS examples, so that is a pretty authoritative source on the correct CVSS score of Heartbleed.

Sjoerd