Vulnerability ratings are the foundation for a good risk-based vulnerability management program, especially if they're from a trusted party.
Red Hat champions the notion of risk-based vulnerability management.
Red Hat Product Security analysts assess every vulnerability affecting our software by taking into account how the reported flaw is actually exposed, and whether it is exploitable, in our products, and issue our rating on that basis.
It's worth noting that, unlike NVD, Red Hat's vulnerability ratings don't rely solely on CVSS scores. Score accuracy is important, but a CVSS score by itself does not map onto the objective, industry-standard four-point rating scale (Low, Moderate, Important, Critical) that vendors like Red Hat employ.
This is discussed further in other papers, including the Open Approach to Vulnerability Management whitepaper.
While this example is specific to SBOMs, that same trust in vendor data can be extended to things like CVSS scores; that authority doesn't start and end with SBOMs alone.
Further, organizations like NVD must consider a vulnerability in all contexts, and so are by definition overly broad; after all, open source software is available on multiple operating systems and can be built in a wide variety of ways.
The vendor can be precise on impact and exploitation of a vulnerability to their specific product: how it's used, configured, composed and compiled.
Digging further into the available 2023 data, out of the 29,065 CVEs published, 24,462 carry a CVE-2023 identifier. 13,681 of those CVE entries do not have a Common Vulnerability Scoring System (CVSS) base score provided by the assigning CVE Numbering Authority (CNA).
Comparing this to NVD, their JSON feed contains 24,460 CVE-2023 entries, 912 of them without a base score assigned.
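The counts above come from two different data sources with two different record layouts: CVE records in the CVE JSON 5.x format (where the CNA's score lives under `containers.cna.metrics`) and NVD's feed (where NVD's own score is the `Primary` entry under `cve.metrics.cvssMetricV31`). The following script is an added example, not Red Hat's tooling, showing how to reproduce this kind of tally on a small constructed sample: CVEs carrying a 2023 identifier, how many lack a CNA base score, how many lack an NVD base score, and for those scored by both, whether NVD's score is higher, lower or the same. The identifiers and scores in the sample are made up for illustration.

```python
"""Tally CNA-provided CVSS base scores (CVE JSON 5.x records) against NVD's
scores (NVD API 2.0 JSON). Added example; all sample data is constructed."""
import re

CVE_2023_ID = re.compile(r"^CVE-2023-\d{4,}$")

# Constructed CVE JSON 5.x records. Only the fields this script reads are
# present; real records carry far more. IDs and scores are made up.
CVE_RECORDS = [
    {"cveMetadata": {"cveId": "CVE-2023-0001", "assignerShortName": "example-cna"},
     "containers": {"cna": {"metrics": [{"cvssV3_1": {
         "version": "3.1", "baseScore": 8.1,
         "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]}}},
    {"cveMetadata": {"cveId": "CVE-2023-0002", "assignerShortName": "example-cna"},
     "containers": {"cna": {}}},                       # CNA supplied no metrics
    {"cveMetadata": {"cveId": "CVE-2023-0003", "assignerShortName": "example-cna"},
     "containers": {"cna": {"metrics": [{"cvssV3_1": {
         "version": "3.1", "baseScore": 7.5,
         "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}]}}},
    {"cveMetadata": {"cveId": "CVE-2022-9999", "assignerShortName": "example-cna"},
     "containers": {"cna": {"metrics": [{"cvssV3_1": {  # published in 2023, 2022 ID
         "version": "3.1", "baseScore": 5.3,
         "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}]}}},
]

# Constructed NVD API 2.0 entries. NVD's own score is type "Primary"; a CNA's
# score, when NVD mirrors it, appears as a "Secondary" entry.
NVD_FEED = {"vulnerabilities": [
    {"cve": {"id": "CVE-2023-0001", "metrics": {"cvssMetricV31": [
        {"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"baseScore": 9.8}},
        {"source": "security@example-cna.test", "type": "Secondary",
         "cvssData": {"baseScore": 8.1}}]}}},
    {"cve": {"id": "CVE-2023-0002", "metrics": {"cvssMetricV31": [
        {"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"baseScore": 6.5}}]}}},
    {"cve": {"id": "CVE-2023-0003", "metrics": {}}},   # NVD has not scored it yet
    {"cve": {"id": "CVE-2022-9999", "metrics": {"cvssMetricV31": [
        {"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"baseScore": 4.3}}]}}},
]}


def cna_base_score(record):
    """CNA's CVSS v3.x base score from a CVE JSON 5.x record, or None."""
    for metric in record.get("containers", {}).get("cna", {}).get("metrics", []):
        for key in ("cvssV3_1", "cvssV3_0"):
            if key in metric and "baseScore" in metric[key]:
                return float(metric[key]["baseScore"])
    return None


def nvd_base_score(entry):
    """NVD's own (Primary) CVSS v3.x base score from an NVD 2.0 entry, or None."""
    metrics = entry["cve"].get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30"):
        for m in metrics.get(key, []):
            if m.get("type") == "Primary":
                return float(m["cvssData"]["baseScore"])
    return None


def summarize(cve_records, nvd_feed):
    """Counts in the spirit of the figures quoted in the text."""
    cna = {r["cveMetadata"]["cveId"]: cna_base_score(r) for r in cve_records}
    nvd = {e["cve"]["id"]: nvd_base_score(e) for e in nvd_feed["vulnerabilities"]}
    ids_2023 = [i for i in cna if CVE_2023_ID.match(i)]
    stats = {"published": len(cna), "cve_2023_ids": len(ids_2023),
             "cna_no_score": sum(1 for i in ids_2023 if cna[i] is None),
             "nvd_no_score": sum(1 for i in ids_2023 if nvd.get(i) is None),
             "nvd_higher": 0, "nvd_lower": 0, "same": 0}
    for i in ids_2023:
        if cna[i] is None or nvd.get(i) is None:
            continue  # only compare CVEs scored by both parties
        if nvd[i] > cna[i]:
            stats["nvd_higher"] += 1
        elif nvd[i] < cna[i]:
            stats["nvd_lower"] += 1
        else:
            stats["same"] += 1
    return stats


if __name__ == "__main__":
    for key, value in summarize(CVE_RECORDS, NVD_FEED).items():
        print(f"{key:14s} {value}")
```

Pointing `CVE_RECORDS` at the records in the cvelistV5 repository and `NVD_FEED` at a page of the NVD 2.0 API response gives the real tallies; the comparison deliberately skips CVEs that only one side has scored, which is why "no score" and "higher/lower" are reported separately.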
Given that grub2 runs only at boot time, there is a fairly limited window of opportunity to take advantage of the vulnerability which, if exploited, could render the device unable to boot.
Red Hat rated this vulnerability as Moderate, with a CVSSv3 base score of 7.0.
NVD gave it a score of 9.8 but also lists Canonical as the CNA that assigned the CVE, and Canonical provided a score of 8.1.
Since grub2 is used by others, a quick search shows that Amazon also gave it a 7.0, as did SUSE. Upstream gave it a score of 7.0.
The same pattern holds for the other 2,555 CVEs where NVD's score is higher than the CNA's and the 998 where it is lower, and that's not even accounting for differences between NVD and the vendors.
Finally, given that CVSS base scores tend to be used as a risk metric alone, it's worth noting that the above criticality ratings by NVD and CVE.org are based on CVSS base scores.
These scores are not being used in the way they are intended.
As per FIRST, the authors of CVSS, CVSS scores are meant to help prioritize vulnerabilities for remediation by measuring severity, not risk.
NVD makes the exact same statement in their vulnerability metrics page.
It is time to put the final nail in the coffin of CVSS base scores representing risk.
This Cyber News was published on www.redhat.com. Publication date: Wed, 24 Jan 2024 21:43:04 +0000