4

According to the cvedetails graph "Vulnerability Distribution By CVSS Scores", we can see that CVEs with a CVSS score in the range 8 to 9 are the least represented of all ranges, even compared to the low score ranges, which seem to be generally less populated.

It's really strange because it makes a gap: the range 8 to 9 represents 0.40% of the whole ranking, while the two adjacent ranges represent 22.2% and 13.1% respectively.

Why this disparity? Is it due to the construction of the CVSS score?

Whysmerhill
    My best guess is that it just rarely happens that a vulnerability is "really really bad", but not "absolutely critical". –  Dec 17 '20 at 11:10
  • The reason might well be social, see https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=538368 and https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=636379 for the limitations of CVSS and security scores more generally – Martin R. Albrecht Dec 20 '20 at 11:27

2 Answers

2

Disparity is due to such attacks being very specialized as reflected by the CVSS calculator.

One gross simplification of the calculator is that it is derived from the Impact of the vulnerability and how easy it is to Exploit. Easy to exploit and high impact will get you a score near 10. Hard to exploit and low impact will get you a score near 0.

CVSS 8-9 refers to specialized scenarios where impact is absolutely devastating (i.e. high impact across all of Confidentiality, Integrity, Availability) but hard to exploit. Or easier to exploit but high impact to only one of the CIA aspects.

It is interesting that vulnerabilities in practice (as reported by cvedetails) don't tend to be that specialized, or if they are then they're not being reported.

HTLee
    I think I understand your point, but I'm not convinced by your conclusions. If I follow your logic, vulnerabilities that are hard to exploit & devastating, or easier to exploit & high impact on only one CIA aspect, are really rare/non-existent. I'm not a vulnerability specialist, but I think it does not represent reality very well (which should be the purpose of CVSS, no?) – Whysmerhill Dec 20 '20 at 18:40
1

EDIT: After playing with the CVSS calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

I found that there are two linked items that can cause a vulnerability to jump a whole point: Privileges Required (PR) and User Interaction (UI). It stands to reason that if there is no user interaction then it doesn't require privileges to begin the attack. Conversely, if user interaction is required then privileges must be low or high. These items can make any high severity exploit jump from 8 to 9.

Let's look at how the score is calculated, which is quite complex. It involves the following equation to combine the Exploitability and Impact:

Base Score = Roundup(Min(Impact + Exploitability, 10)) if Scope is Unchanged

Base Score = Roundup(Min(1.08 · (Impact + Exploitability), 10)) if Scope is Changed

To get the maximum Exploitability the vulnerability must have:

Attack Vector (AV) = Network
Attack Complexity (AC) = Low
Privileges Required (PR) = None
User Interaction (UI) = None

TRANSLATION: This says that the exploit must be something fully automated that any script kiddie can run. It must come across the network, function from a non-privileged account, and give no indication to the user that an exploit is running.

Next we calculate the Impact. To get the highest impact score the vulnerability must:

Have a scope that changes and meet the following impacts:

Confidentiality (C) = High
Integrity (I) = High
Availability (A) = High

The highest Base Score is then 9.8 when Scope is unchanged and 10.0 when Scope is changed.

TRANSLATION: What this says to me is that the exploit must exfiltrate the data, change the data, and make it unusable. The only thing that comes to mind is some sort of ransomware that steals the data before it encrypts.

Now that you understand how the sausage is made I hope you understand how rare such an exploit would be.

To learn more, see here: https://debricked.com/blog/2020/02/28/what-is-the-cvss-score/

HackSlash
    The question asks why CVEs with a score between 8 and 9 are so much rarer compared to CVEs with a score between 7 and 8 or between 9 and 10. I'm not sure how your answer explains this discrepancy. – nobody Dec 17 '20 at 18:58
  • @nobody Ok, I added a clearer theory of one way that an exploit can jump points. There are likely many cases like this where a common combination of elements causes the score to jump. At the high end of the spectrum there are only a few things that can cause the score to change. – HackSlash Dec 17 '20 at 19:18
  • 2
    I don't really agree with your conclusion that no UI means no privs. Consider an example in which a web app vulnerability in stackexchange might allow a moderator to execute code on stackexchange's servers without requiring any interaction from stackexchange's staff. This would require privileges but no user interaction. – nobody Dec 17 '20 at 19:23
  • 2
    @nobody you are talking about privilege escalation; that would already be a lower rated item because it's run from a user who is logged on, which is a user interaction by definition. The high rated ones are network based attacks that bypass the need to log in. Like I said, at the high end there are fewer variables that can change in the equation. Play around with the calculator. Maybe you can find other cases where the score jumps. – HackSlash Dec 17 '20 at 21:15