nCircle VERT Blog

CVSSv2 Vector Confusion

CVSSv2 is the Common Vulnerability Scoring System organized by FIRST (http://www.first.org/cvss/cvss-guide.html)

** NOTE: all discussion below is about CVSS Version 2, not Version 1 **

CVSS scores are calculated from CVSS Vectors.
CVSS vectors consist of three parts:
- Base Vector
- Temporal Vector
- Environmental Vector

FIRST provides links to CVSS calculators so that you can dynamically rate an unscored vulnerability.
There are at least two working CVSS calculators available:
- NIST/NVD
- Information-Technology Promotion Agency, Japan
The NVD link unfortunately goes to their CVSSv1 calculator ... this is where the trouble starts ...


FIRST (the authority on the subject) lists the following Temporal Vector metrics:
- Exploitability
- Remediation Level
- Report Confidence

A Temporal Vector looks like this:
E:[U,POC,F,H,ND]/RL:[OF,TF,W,U,ND]/RC:[UC,UR,C,ND]

Exploitability has the following possible values:
- Unproven (U)
- Proof-of-Concept (POC)
- Functional (F)
- High (H)
- Not Defined (ND)

This is where things really get messy. These are the vector definitions for Exploitability as found in four specifications:
- E:[U,POC,F,H,ND] (according to FIRST Spec)
- E:[U,P,F,H,ND] (according to NVD)
- E:[U,P,F,H] (according to FIRST Historical)
- E:[U,POC,F,H,ND] (according to ITPA-J)

** NOTE: These are directly from the specifications **

FIRST's Official Spec lists:
- E:[U,POC,F,H,ND]
- With Values: Unproven (U), Proof-of-Concept (POC), Functional (F), High (H), Not Defined (ND)

NVD's Vector Definition lists:
- E:[U,P,F,H,ND]
- With Values: U = Unproven, P = Proof-of-concept, F = Functional, W = Widespread, ND = Not Defined

FIRST's Historical Section lists:
- E:[U,P,F,H]
- With Values: U = Unproven, P = Proof-of-concept, F = Functional, W = Widespread

ITPA-J's calculator lists:
- E:[U,POC,F,H,ND]
- With Values: Undefined (ND), Unproven, Proof-of-concept, Functional, Widespread


NVD's calculator will only accept H for High, not W for Widespread. It will accept P for Proof-of-concept as well as POC (this permits incorrect data).

NVD CVSSv2 Calculator Tests
[E:W BROKEN]
http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C/E:W/RL:O/RC:C)
[E:H FIXED]
http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:O/RC:C)
[E:POC CORRECT]
http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C/E:POC/RL:O/RC:C)
[E:P ACCEPTABLE according to NVD]
http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C/E:P/RL:O/RC:C)


ITPA-J's calculator calls H Widespread and maps W and P to Undefined.

ITPA-J CVSSv2 Calculator Tests
[E:H MISLABELED - shows up as Widespread]
http://jvnrss.ise.chuo-u.ac.jp/jtg/cvss/cvss2.cgi?name=CVE-9999-9999-Example&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:TF/RC:UC/CDP:L/TD:H/CR:M/IR:M/AR:H)&g=999&lang=en
[E:W MAPPED to Undefined]
http://jvnrss.ise.chuo-u.ac.jp/jtg/cvss/cvss2.cgi?name=CVE-9999-9999-Example&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:W/RL:TF/RC:UC/CDP:L/TD:H/CR:M/IR:M/AR:H)&g=999&lang=en
[E:P MAPPED to Undefined]
http://jvnrss.ise.chuo-u.ac.jp/jtg/cvss/cvss2.cgi?name=CVE-9999-9999-Example&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:P/RL:TF/RC:UC/CDP:L/TD:H/CR:M/IR:M/AR:H)&g=999&lang=en
[E:POC CORRECT]
http://jvnrss.ise.chuo-u.ac.jp/jtg/cvss/cvss2.cgi?name=CVE-9999-9999-Example&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:TF/RC:UC/CDP:L/TD:H/CR:M/IR:M/AR:H)&g=999&lang=en


Well now you can see where people might have gotten confused ...

I vote we all just use FIRST's Official Spec:
- E:[U,POC,F,H,ND]
- With Values: Unproven (U), Proof-of-Concept (POC), Functional (F), High (H), Not Defined (ND)


---

REFS

FIRST Official CVSSv2
http://www.first.org/cvss/cvss-guide.html#i2.2.1

FIRST Historical CVSSv2
http://www.first.org/cvss/history.html#c7

NVD CVSSv2 Calculator
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

NVD CVSSv2 Broken Metrics
http://nvd.nist.gov/cvss.cfm?vectorinfo&version=2

ITPA-J's CVSSv2 Slightly Broken Calculator
http://jvnrss.ise.chuo-u.ac.jp/jtg/cvss/cvss2.cgi



Comments (1)

MadMark:

Where can I download a working Version 2.x spreadsheet? Part of my vulnerability management requirements are to be able to produce the rating AND the calculation that allowed me to arrive at that rating.

Mark



About

This page contains a single entry from the blog posted on December 7, 2007 11:39 AM.


Bio

Blog: VERT
Author: nCircle VERT

nCircle VERT is the research team behind nCircle, continuously publishing updates for nCircle IP360 and nCircle's family of products. VERT conducts deep research across a broad class of network security intelligence, creating unique, agentless detection for: vulnerabilities, host configurations, applications, services, user accounts, operating systems, and other network security conditions. Members of the group use this blog to share their opinions on the security industry, emerging threats, technology trends, and the world at large.
