JFrog advocates for a comprehensive overhaul of vulnerability risk metrics.
ANALYSIS: Recent research has underscored the weaknesses in the existing CVSS scoring system, pointing out that current metrics might contribute to “overhyping” certain vulnerabilities.
The phenomenon of “overinflated” ratings can distract cybersecurity teams, causing them to prioritize issues that may not genuinely impact their organizations over those that are more critical.
A detailed study conducted by JFrog revolved around assessing the widely used Common Vulnerability Scoring System (CVSS), a standardized method for evaluating the severity of security issues. This framework is managed by the non-profit Forum of Incident Response and Security Teams (FIRST), while the National Vulnerability Database (NVD) assigns CVSS scores to confirmed vulnerabilities.
JFrog’s research, which targeted the risk posed by security issues in open source software, found that public CVSS impact metrics might oversimplify the actual risk related to vulnerabilities due to a lack of context and various other factors.
Critical assessment
The report (PDF), titled “Analysis of Open Source Security Vulnerabilities Most Impactful to DevOps and DevSecOps Teams,” reveals a “discrepancy” between public severity ratings and JFrog’s internal evaluations of the top 50 CVEs from 2022.
According to JFrog’s security experts, in the majority of cases, their own CVE (Common Vulnerabilities and Exposures) severity assessments were found to be lower than those published by the NVD, indicating that vulnerabilities are frequently exaggerated.
As an example, a buffer overflow relating to X.509 certificate verification, CVE-2022-3602 (CVSS 7.5), was initially a significant concern; however, the release of the exploit’s technical details revealed its minimal real-world impact, as noted by the researchers.
In fact, 64% of the examined top 50 CVEs received a lower JFrog severity rating, and 90% either matched or received a lower rating.
Context-dependent
JFrog argues that many NVD security ratings are “unearned” as they do not reflect the actual complexity of exploitation as reported. Several of the evaluated vulnerabilities necessitated intricate configuration environments or specific conditions to achieve a successful attack.
Another point of critique raised by JFrog is the potential absence of context when setting CVE attack complexity metrics. Factors like the deployment of vulnerable software, the surrounding network environment, usage patterns of the software, and the potential for vulnerable APIs to process untrusted data should all be considered. Consequently, severity ratings may end up being assigned either too high or too low.
Misdirection of priorities risk
JFrog noted that ten of the most widespread vulnerabilities impacting enterprises in 2022 typically garnered low severity ratings. Hence, these vulnerabilities are treated as lower priority by IT teams and maintainers of open-source projects, leading to delays or, worse, complete neglect in remediation efforts.
If a bug is thought to be too trivial to address, developers might refrain from crafting a patch, which could subsequently elevate the number of systems affected over time. Conversely, if a CVSS rating is high but the actual impact is deemed trivial, the perceived threat level could be misleading.
In an interview with The Daily Swig, Shachar Menashe, senior director of security research at JFrog, suggested that an update to the CVSS standard is necessary to incorporate fields that would provide additional context, such as exploitability in standard configurations and the presence of context-dependent attack vectors.
Menashe mentioned:
“Since CVSS is widely adopted, revising it is the most logical approach. CVSS v4.0 has been under development for an extended period, yet a definitive release date is still pending.
“Moreover, the NVD needs to be more open to including CVSS scores submitted by CNAs, which are often overlooked. There’s also a fresh benchmarking scheme called EPSS; however, its reliability has yet to be established, and its implementation remains unclear, necessitating patience to evaluate its effectiveness in the future.”
Numerous cybersecurity professionals acknowledge the shortcomings of the current CVSS system, with practical experience often compensating during vulnerability assessments. The quantitative analysis conducted by JFrog supports the intuitive sense many infosec experts have regarding the urgent need for a revision of the vulnerability scoring system.
FIRST responder
In response to JFrog’s criticisms, Chris Gibson, executive director of FIRST, remarked that “scoring providers typically offer ‘reasonable worst-case’ base scores and expect users to adjust them through mitigation (lower) to arrive at a final score.”
Factors such as temporal threat information, asset importance, compensating controls (e.g., firewall filters), and other environmental metrics are “intended to lower the score to a more suitable level,” according to Gibson.
Gibson noted that third parties, including JFrog, could assist users by providing threat intelligence (temporal score), allowing for better utilization of the full CVSS score to prioritize patches and assess technical risks effectively.
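To show how the base, temporal and environmental layers Gibson describes fit together, here is an added example that is not code from the article, FIRST or JFrog: a small CVSS v3.1 calculator using the formulas and weights of the FIRST v3.1 specification. It takes a constructed vector that scores 7.5, like the NVD figure the article gives for CVE-2022-3602, and lowers it with temporal and environmental context; the vector, the firewall and the asset requirement are assumptions, not data about that CVE.

```python
import math
# CVSS v3.1 metric weights (FIRST specification, section 7.4); I/A reuse C, IR/AR reuse CR.
W = {"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}, "AC": {"L": 0.77, "H": 0.44},
     "UI": {"N": 0.85, "R": 0.62}, "C": {"H": 0.56, "L": 0.22, "N": 0.0},
     "E": {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91},
     "RL": {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95},
     "RC": {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92},
     "CR": {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}}
W["I"] = W["A"] = W["C"]; W["IR"] = W["AR"] = W["CR"]
PR = {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.50)}  # (scope U, scope C)

def roundup(x):
    """Spec 7.5 Roundup: smallest one-decimal value >= x, done on integers to avoid FP drift."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def parse(vector):
    """'CVSS:3.1/AV:N/...' -> dict; absent or 'X' modified metrics inherit the base value."""
    m = dict(p.split(":") for p in vector.split("/")[1:])
    for k in ("AV", "AC", "PR", "UI", "S", "C", "I", "A"):
        if m.get("M" + k, "X") == "X":
            m["M" + k] = m[k]
    for k in ("E", "RL", "RC", "CR", "IR", "AR"):
        m.setdefault(k, "X")
    return m

def _core(m, env):
    """Base score (env=False) or pre-temporal Environmental score (env=True), spec 7.1/7.3."""
    p = "M" if env else ""                     # Environmental uses the Modified metrics
    changed = m[p + "S"] == "C"
    req = (lambda k: W[k + "R"][m[k + "R"]]) if env else (lambda k: 1.0)   # CR/IR/AR
    iss = 1 - (1 - req("C") * W["C"][m[p + "C"]]) * (1 - req("I") * W["I"][m[p + "I"]]) \
            * (1 - req("A") * W["A"][m[p + "A"]])
    if env:   # the Environmental formula caps MISS and uses its own scope-changed curve
        iss = min(iss, 0.915)
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13 if changed else 6.42 * iss
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    expl = 8.22 * W["AV"][m[p + "AV"]] * W["AC"][m[p + "AC"]] \
        * PR[m[p + "PR"]][changed] * W["UI"][m[p + "UI"]]
    return 0.0 if impact <= 0 else roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))

def cvss31(vector):
    """Return (Base, Temporal, Environmental) scores for one v3.1 vector string."""
    m = parse(vector)
    temporal = W["E"][m["E"]] * W["RL"][m["RL"]] * W["RC"][m["RC"]]
    base = _core(m, env=False)
    return base, roundup(base * temporal), roundup(_core(m, env=True) * temporal)

# Constructed vector scoring 7.5 (the NVD figure cited for CVE-2022-3602; vector is assumed).
BASE_VECTOR = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
# Context: PoC exploit only, fix available, confirmed; firewall -> MAV:A; low availability need -> AR:L
ADJUSTED_VECTOR = BASE_VECTOR + "/E:P/RL:O/RC:C/MAV:A/AR:L"  # cvss31 -> (7.5, 6.7, 4.2)
```

The base score stays 7.5 in both cases; only the temporal and environmental layers carry the defender's context, which is exactly what Gibson says the base score expects users to apply.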
When asked about possible enhancements, Gibson shared that CVSS v4.0 is “on the horizon” and will introduce a mechanism for product developers to include supplementary urgency ratings. This will lead to “a more accurate representation of the urgency of the vulnerability in their implementation, rather than depending solely on the worst-case scoring from the OSS library provider.”
“The CVSS framework can be beneficial as long as its limitations are recognized. For instance, the CVSS might evaluate a vulnerability without taking into account significant contextual elements such as the environment in which the vulnerability exists and its potential commercial or operational implications.”
Prashanth Samudrala, VP of product management at AutoRABIT, stated to The Daily Swig: “The system is dependent on currently accessible information, potentially resulting in decisions made on incomplete or inaccurate data. While the CVSS framework can be advantageous, it should be applied alongside other evaluation methods for a well-rounded assessment.”
Based on an article from PortSwigger: https://portswigger.net/daily-swig/cvss-system-criticized-for-failure-to-address-real-world-impact