CVSS system criticized for failure to address real-world impact

JFrog emphasizes the need for a comprehensive overhaul of vulnerability risk metrics.


ANALYSIS Recent research has shed light on the shortcomings of the current CVSS scoring system, indicating that existing metrics may be inflating the severity of certain vulnerabilities.

These “overinflated” ratings potentially consume scarce security-team resources, diverting attention away from the vulnerabilities that genuinely threaten an organization and toward issues that are merely perceived as critical across the board.


An in-depth analysis conducted by JFrog, a security tools vendor, examined the widely used Common Vulnerability Scoring System (CVSS), an open industry standard framework for rating the severity of security issues. The standard is maintained by the non-profit Forum of Incident Response and Security Teams (FIRST), while the National Vulnerability Database (NVD) publishes CVSS scores for published CVEs.

JFrog’s analysis, which focused on the risks associated with security flaws in open-source software, found that publicly available CVSS impact metrics may be overly simplistic, lacking essential context and other relevant factors regarding the risks posed by vulnerabilities.

Critical Evaluation

According to the report (PDF), titled “Analysis of Open Source Security Vulnerabilities Most Impactful to DevOps and DevSecOps Teams”, there exists a “discrepancy” between the public severity ratings and the internal assessments made by JFrog for the top 50 CVEs of 2022.

Security researchers from JFrog pointed out that in many instances, their assessments of CVE (Common Vulnerabilities and Exposures) severity are lower than the ratings assigned by the NVD, leading to concerns that numerous vulnerabilities are being exaggerated.

For instance, a buffer overrun vulnerability in X.509 certificate verification, CVE-2022-3602 (rated CVSS 7.5), raised significant concern until the technical exploit details were released, which indicated minor real-world implications, according to the researchers.

A total of 64% of the top 50 CVEs received a lower severity rating from JFrog, while 90% had a rating that was lower or equal to that of the NVD.

Context Matters

JFrog argues that many NVD security ratings are “unjustified” as they are not as straightforward to exploit as portrayed. Additionally, numerous analyzed vulnerabilities necessitate intricate configuration environments or specific conditions to successfully execute an attack.

Another concern raised by the cybersecurity firm is the absence of context when the attack complexity metric of a CVE is set. Factors including how the software is deployed, the network environment it sits in, and whether the software, or any vulnerable API in it, actually parses untrusted data should all be taken into account. Without that context, severity ratings can end up too high or too low.

Risk of Misalignment in Priorities

JFrog also noted that ten of the most common vulnerabilities in 2022 affecting enterprises were often assigned low severity ratings. Consequently, they were treated as lower priority by enterprise IT teams and open source project maintainers, leading to delays or total neglect of remediation efforts.

When a bug is perceived as too minor, developers may never produce a patch, which JFrog argues can increase the number of affected systems over time. Conversely, when a CVSS rating is high but the real-world impact is minimal, the perceived threat is misleading.

In a conversation with The Daily Swig, Shachar Menashe, senior director of security research at JFrog, proposed that the CVSS standard should be updated to incorporate fields that provide additional context, such as exploitability in default configurations and whether context-dependent attack vectors exist.

Menashe elaborated:

“As CVSS is widely utilized, this represents the path of least resistance. The development of CVSS v4.0 has taken quite a long time, yet it still lacks a definitive release date.

“Moreover, the NVD should be more receptive to CVT-submitted CVSS scores, which are frequently overlooked. While there exists another emerging comparative system – EPSS – its applicability remains to be demonstrated, and its implementation appears opaque; thus we must wait and judge based on future empirical results.”


Numerous cybersecurity experts recognize the limitations of the current CVSS framework, with practical experience often filling the gaps during vulnerability evaluations. JFrog’s quantitative research supports the prevailing sentiment among many infosec professionals that the existing vulnerability scoring system requires reform.

FIRST Responders’ View

When asked about JFrog’s criticisms, Chris Gibson, the executive director of FIRST, stated that generally, “scoring providers give ‘reasonable worst-case’ base scores and depend on consumers to adjust (lower) the final score.”

Factors like temporal threat information, asset criticality, and compensating controls, such as firewall filters, are “intended to adjust the score to a more relevant and applicable level,” according to Gibson.

“Third parties, including JFrog, can assist consumers by providing threat intelligence (temporal scores), enabling the use of the comprehensive CVSS score for accurately tracking patch priorities and technical risks.”

Upon discussing possible improvements, Gibson mentioned that CVSS v4.0 is “expected soon” and would feature a method for product developers to offer supplementary urgency ratings, resulting in “a more precise representation of the urgency of the vulnerability in their respective implementations, rather than leaning on the worst-case scoring of the OSS library provider.”

“The CVSS system can be advantageous as long as its limitations are acknowledged. For instance, CVSS may evaluate a vulnerability without taking crucial contextual elements, such as the environment in which it occurs and its potential commercial or operational repercussions, into account.”

Prashanth Samudrala, VP of product management at AutoRABIT, shared with The Daily Swig: “The system draws on information that is presently available, which may lead to decisions being made based on incomplete or incorrect data. Although the CVSS system can be beneficial, it ought to be employed alongside other assessment methods for achieving a precise evaluation.”


Based on an article from PortSwigger: https://portswigger.net/daily-swig/cvss-system-criticized-for-failure-to-address-real-world-impact
