CWE Base Score Calculation
03 May 2018
CWE stands for Common Weakness Enumeration. It is a catalogue of software and hardware weakness types (for example, CWE-79 is cross-site scripting), so that the root cause of a flaw can be described in a standard way. A CVE (Common Vulnerabilities and Exposures) entry, by contrast, identifies one specific vulnerability in one specific product, and is usually tagged with the CWE that describes its root cause. Neither a CWE nor a CVE carries a severity by itself. The severity number is produced by CVSS, the Common Vulnerability Scoring System, and it is the CVSS version 3 base metrics that the rest of this post walks through.
Score Severity Chart

| Severity | Base Score Range |
|----------|------------------|
| Low      | 0.1 - 3.9        |
| Medium   | 4.0 - 6.9        |
| High     | 7.0 - 8.9        |
| Critical | 9.0 - 10.0       |

A base score of exactly 0.0 falls outside these bands and is rated None.
Breakdown of base score metrics
Each metric is listed with its possible values in descending order of severity. Every value has an abbreviation, so a CVSS vector string such as AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H gives the whole breakdown at a glance.
A CVSS calculator is available at nvd.nist.gov. Below I explain how the base score is built up from its metrics.
The base metrics fall into three groups: exploitability metrics, the Scope metric, and impact metrics. Exploitability metrics describe the circumstances under which the vulnerability can be exploited.
Attack Vector (AV)
Attack Vector describes how the attacker reaches the vulnerable component.
- Network (AV:N)
- The vulnerable component is reachable over OSI layer 3 (Network), i.e. by routed IP traffic, potentially from anywhere on the Internet.
- These are generally considered remotely exploitable because the attacker is not restricted in physical location.
- Adjacent Network (AV:A)
- The vulnerable component is reachable only over OSI layer 2 (Data Link).
- Examples are Bluetooth, or a host on the same subnet (broadcast domain).
- If the attacker would have to cross a router to reach the target, this value does not apply: from that position they cannot exploit it.
- Local (AV:L)
- The vulnerable component is not bound to the network stack; the attacker needs a local foothold (a console, shell, or SSH session) or has to rely on a user to act on their behalf.
- For example, a vulnerability that requires the attacker to already have write permission to a file on the host.
- Physical (AV:P)
- The attacker must physically touch or manipulate the target, or a device directly connected to it (for example, plugging in a USB device or attaching to a debug port).
Attack Complexity (AC)
The conditions outside the attacker's control that must hold for the exploit to succeed.
- Low (AC:L)
- The attacker can expect reliable results when exploiting the vulnerability.
- High (AC:H)
- The outcome depends on conditions the attacker does not control, for example a race condition that must be won or a configuration detail that must be guessed.
Privileges Required (PR)
The level of privileges the attacker must already hold before exploiting the vulnerability.
- None (PR:N)
- The attacker needs no privileges at all; the vulnerable component can be attacked unauthenticated.
- Low (PR:L)
- The vulnerability requires the attacker to be minimally authenticated.
- The vulnerability may only require access to non-sensitive resources.
- High (PR:H)
- The attacker must already hold administrative-level privileges, i.e. control over system-wide settings or files.
User Interaction (UI)
Does exploitation require a user, other than the attacker, to take some action?
- None (UI:N)
- Required (UI:R)
- A user has to do something such as click a link, open an attachment, or run a specific program.
Scope (S)
Does exploiting the vulnerability affect resources beyond the vulnerable component's own security authority? A sandbox or VM escape, or a web vulnerability that executes in the victim's browser, are the classic Changed cases.
- Unchanged (S:U)
- The attack affects only the vulnerable component itself; the attacker gains no access outside it.
- Changed (S:C)
- The attack reaches data or systems governed by a different security authority than the vulnerable component.
Impact metrics describe how badly the target is affected if an attacker exploits the vulnerability.
Confidentiality Impact (C)
Can the attacker read information they are not supposed to have access to?
- None (C:N)
- No confidentiality is lost.
- Low (C:L)
- Some restricted information is disclosed, but the attacker has no control over which information they obtain, or
- the amount and kind of data that can be obtained is limited, and
- the disclosed information is not critical.
- High (C:H)
- Either all data in the impacted component is disclosed, or
- only some restricted information is obtained, but that disclosure has a direct, serious impact (for example a password or private key).
Integrity Impact (I)
Can the attacker modify data that they should not be able to change?
- None (I:N)
- No data can be modified in the attack.
- Low (I:L)
- Some data can be modified, but the attacker has no control over what is modified, or
- the amount of data that can be modified is limited, and
- the modification has no serious consequence.
- High (I:H)
- Either integrity is lost completely (the attacker can modify any file on the impacted component), or
- only some data can be modified, but that modification has a direct, serious consequence.
Availability Impact (A)
Can the attacker prevent others from using the resource?
- None (A:N)
- No, the attacker cannot deny access to the resource at all.
- Low (A:L)
- The attacker can only reduce performance or cause intermittent interruptions, even with repeated exploitation.
- The attacker is still restricted in how far they can deny service; they cannot take it down completely.
- High (A:H)
- The service can be made fully unavailable, for example by crashing it or exhausting its resources.
- If it is not fully blocked, the partial denial still has a serious consequence.
- For example, the attacker may not be able to close already established connections, but can block all new ones.
Optional Base Score Tweaks
There are also Temporal and Environmental metric groups, but they only adjust the base score; the base score is the input both of them start from.
- Temporal Score Metrics
- Adjust the score for the current state of the vulnerability: whether working exploit code exists, whether an official fix or workaround is available, and how confident we are in the report.
- Environmental Score Metrics
- Mirror the base metrics but are set by the organization for its own environment: how much confidentiality, integrity and availability matter to it, and modified base metrics that reflect mitigations already in place.