What is SSVC, a new metric for security vulnerability assessment?
The time from the disclosure of vulnerability information to its exploitation is getting shorter, so prompt and appropriate triage and response are necessary. To that end, it is effective to use a metric that assesses vulnerabilities correctly. This article introduces SSVC, a new metric whose result points directly to the countermeasure to take.
Introduction
As of the end of the first quarter of 2024 (March 31), more than 190,000 vulnerabilities had been registered in the National Vulnerability Database (NVD) of NIST (*1) (*2). From January 1 to March 31, 2024, 12,010 vulnerabilities were registered, which means that approximately 130 vulnerabilities are registered per day.
Once vulnerability information is disclosed, attackers launch attacks against systems where the vulnerability remains unpatched. There have been cases where attacks began on the very day the information was disclosed, and the interval between disclosure and the start of a cyberattack keeps shrinking. It is not possible to respond quickly to every one of the huge number of vulnerabilities disclosed. Therefore, to prevent serious incidents caused by delayed vulnerability response, it is important to prioritize the many vulnerabilities disclosed each day and respond in that order. This in turn requires the correct use of metrics so that vulnerabilities can be evaluated quickly and accurately and priorities determined.
- (*1) NIST: National Institute of Standards and Technology
- (*2) IPA (Information-technology Promotion Agency, Japan), "JVN iPedia Vulnerability Countermeasure Information Database, 1st Quarter 2024 (January-March)" (Japanese)
Vulnerability Assessment by CVSS and Challenges
The Common Vulnerability Scoring System (CVSS) is one of the metrics most often used for vulnerability assessment. It is a common evaluation method adopted by many vendors and security organizations. This article mainly describes CVSS version 3.1, which is still widely used today. The CVSS version 3.1 standard is publicly available and consists of three metric groups: Base Metrics, Temporal Metrics, and Environmental Metrics.
Base Metrics are the most commonly used group and evaluate the risk of the vulnerability itself. From the individual items, such as attack vector, attack complexity, and privileges required, a value from 0.0 to 10.0 called the CVSS Base Score is calculated, and five severity levels are defined according to that value. Many vendors publish the CVSS Base Score together with the parameter chosen for each item, but sufficient knowledge is required to correctly understand what each parameter means.
Temporal Metrics evaluate the current status of a vulnerability and are values that change over time. Although vendors sometimes provide Temporal Metrics, they are often left unevaluated and are therefore difficult to use.
Environmental Metrics evaluate the environment in which the target product is used and must be evaluated individually by each organization or individual. Because this requires specialized knowledge, they are difficult to use and currently rarely used.
For the above reasons, in practice only the Base Score (0.0-10.0) and the five-level severity rating are used as indicators. However, neither the score nor the severity level is tied to a defined response policy, so other metrics are required to prioritize vulnerabilities and determine specific measures.
CVSS version 4.0, released in November 2023, allows finer-grained evaluation than CVSS version 3.1. However, like version 3.1, it expresses the final evaluation result as a numerical value, so a different metric is still required to decide on specific measures.
About SSVC
SSVC (Stakeholder-Specific Vulnerability Categorization) is an alternative evaluation method to CVSS, proposed to address the CVSS issues described above. In SSVC, three types of decision trees are provided, one for each stakeholder: Suppliers, Deployers, and Coordinators. The decision trees for suppliers (those who provide patches) and deployers (those who apply patches) end in one of four categories (defer, scheduled, out-of-cycle, immediate) that indicate a specific countermeasure. This article shows how SSVC is used, taking deployers as the example.
The decision tree for deployers has four branching items: Exploitation, Utility, Exposure, and Human Impact (Figure 1). Exploitation and Utility are the same items as in the supplier decision tree and evaluate the degree of risk of the vulnerability and its current status. Exposure and Human Impact are judgment items that depend on each system and are evaluated according to the environment.
In this way, SSVC is characterized by evaluation results that lead directly to countermeasures, and by a single decision tree that comprehensively covers the vulnerability's severity, its current status, and the usage environment.
- (*3) Carnegie Mellon University, "Prioritizing vulnerability response: A stakeholder-specific vulnerability categorization (version 2.0)" (PDF: 533KB)
Vulnerability assessment using SSVC
We evaluated several vulnerabilities that NTTDATA-CERT had assessed as dangerous using SSVC (Table 1). Since the results depend on the system environment, this article assumes as a prerequisite "a system whose outage does not stop the organization's operations, although service levels may be degraded". The results in Table 1 are simple judgments made under that assumed environment, so please treat them as an example.
Let's take the Citrix vulnerability (CVE-2022-27510) as an example. NTTDATA-CERT makes its decisions based on general impact rather than on individual systems. Because the vulnerability allows access to highly confidential resources without authentication, NTTDATA-CERT concluded that the impact could be significant depending on the information handled by the system, and issued an alert urging users to update the affected products. This corresponds to the out-of-cycle response in the supplier decision tree. However, when the deployer decision tree is applied with the confidentiality of the data actually handled taken into account, the table shows that applying the update in the regular cycle (scheduled) is sufficient. In this way, SSVC makes it possible to arrive not only at the response recommended by the vendor or security organization, but at the assessment that is appropriate for each environment.
Assessment using SSVC requires prior preparation, which falls broadly into two parts: "preparation for correctly utilizing information" and "organizing the system environment and usage".
The items that fall under "preparation for correctly utilizing information" are Exploitation and Utility. These items are shared with the supplier decision tree, so a vendor's SSVC assessment, once available, can be used directly as a reference. The more vendors provide SSVC, the easier it becomes for deployers to make decisions with it. Utility consists of two decision factors: Automatable and Value Density. The Automatable decision in Table 1 was made from the Attack Vector (AV), Attack Complexity (AC), and User Interaction (UI) metrics of CVSS v3.1; when SSVC is not provided, decisions can be made from other available information in this way. For example, for the Citrix vulnerability we determined from the CVSS v3.1 result that the attack can be automated, because it can be carried out over the network (AV: N), the attack complexity is low (AC: L), and it succeeds without user interaction (UI: N). The person who actually applies the patch therefore needs to understand CVSS and other vulnerability information well enough to use it in this way.
The items that fall under "organizing the system environment and usage" are Exposure and Human Impact. These can be determined quickly once system information and the environment have been organized. For example, Exposure asks to what degree a system is exposed externally. However, several factors feed into that judgment, such as access restrictions and network configuration, so the result may differ from person to person. It is desirable to discuss and define it in advance rather than judge it in an emergency. Human Impact can likewise be defined in advance, because it depends on what the system is used for and what information it handles.
As described above, SSVC allows a quick assessment when the disclosed vulnerability information is correctly understood and the system-dependent items have been evaluated in advance. If vulnerability information arrives promptly from vendors and the system-dependent items are already decided, an assessment result that maps directly to a course of action can be derived immediately after the vulnerability is disclosed.
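The following is an added worked example of the deployer-side flow described in this section; it is not code from NTT DATA or from the SSVC project. It derives Automatable from a CVSS v3.1 vector using the AV/AC/UI rule the article describes (reading that rule as "all three must hold" is this example's assumption), combines it with Value Density into Utility using the SSVC v2.0 Utility table, looks up the pre-agreed Exposure and Human Impact values from a constructed system inventory, and maps the four inputs to one of the four outcomes. The outcome rules in decide() are a small policy constructed for illustration, not the published SSVC v2.0 deployer tree; the inventory, system names and CVSS vector are likewise constructed.

```python
"""Deployer-style SSVC triage helper (added illustration, not NTT DATA or SSVC code)."""
from dataclasses import dataclass
from enum import Enum


class Outcome(str, Enum):
    """The four deployer outcomes named in the article."""
    DEFER = "defer"
    SCHEDULED = "scheduled"
    OUT_OF_CYCLE = "out-of-cycle"
    IMMEDIATE = "immediate"


def parse_cvss31_vector(vector: str) -> dict:
    """Turn 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:3.1":
        raise ValueError("expected a CVSS v3.1 vector string")
    metrics = {}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed metric component: {part!r}")
        metrics[key] = value
    return metrics


def automatable_from_cvss(metrics: dict) -> bool:
    """Article's heuristic when no vendor SSVC exists: network attack vector,
    low complexity, no user interaction. Requiring all three is this
    example's reading of that rule (assumption)."""
    return (metrics.get("AV") == "N"
            and metrics.get("AC") == "L"
            and metrics.get("UI") == "N")


def utility(automatable: bool, value_density: str) -> str:
    """Utility = Automatable x Value Density, per the SSVC v2.0 Utility table."""
    if value_density not in ("diffuse", "concentrated"):
        raise ValueError("value_density must be 'diffuse' or 'concentrated'")
    if automatable and value_density == "concentrated":
        return "super effective"
    if automatable or value_density == "concentrated":
        return "efficient"
    return "laborious"


@dataclass(frozen=True)
class SystemProfile:
    """Environment-dependent inputs agreed in advance (the article's
    'organizing system environment and usage' step)."""
    name: str
    exposure: str       # 'small', 'controlled' or 'open'
    human_impact: str   # 'low', 'medium', 'high' or 'very high'


# Constructed inventory: example systems and values, not a real environment.
INVENTORY = {
    "vpn-gateway": SystemProfile("vpn-gateway", "open", "medium"),
    "internal-wiki": SystemProfile("internal-wiki", "controlled", "low"),
    "dev-sandbox": SystemProfile("dev-sandbox", "small", "low"),
}

EXPLOITATION_RANK = {"none": 0, "poc": 1, "active": 2}
UTILITY_RANK = {"laborious": 0, "efficient": 1, "super effective": 2}
EXPOSURE_RANK = {"small": 0, "controlled": 1, "open": 2}
IMPACT_RANK = {"low": 0, "medium": 1, "high": 2, "very high": 3}


def decide(exploitation: str, util: str, profile: SystemProfile) -> Outcome:
    """Map the four deployer inputs to an outcome. These rules are a small
    policy constructed for this example, NOT the published SSVC v2.0 deployer
    tree; a real deployment encodes that tree or its own agreed variant."""
    ex = EXPLOITATION_RANK[exploitation]
    ut = UTILITY_RANK[util]
    xp = EXPOSURE_RANK[profile.exposure]
    hi = IMPACT_RANK[profile.human_impact]
    if ex == 2 and xp >= 1 and hi >= 2:
        return Outcome.IMMEDIATE      # exploited in the wild, reachable, high impact
    if ex == 2 or (xp == 2 and ut == 2 and hi >= 1):
        return Outcome.OUT_OF_CYCLE   # exploited, or open + super effective + real impact
    if ex == 0 and xp == 0 and hi == 0:
        return Outcome.DEFER          # no exploitation known, isolated, negligible impact
    return Outcome.SCHEDULED


def triage(cvss_vector: str, value_density: str, exploitation: str,
           system_name: str) -> dict:
    """End-to-end: vendor data (CVSS vector, exploitation status) plus the
    pre-agreed system profile yield an outcome immediately."""
    auto = automatable_from_cvss(parse_cvss31_vector(cvss_vector))
    util = utility(auto, value_density)
    profile = INVENTORY[system_name]
    return {"system": system_name, "automatable": auto, "utility": util,
            "exposure": profile.exposure, "human_impact": profile.human_impact,
            "outcome": decide(exploitation, util, profile).value}


if __name__ == "__main__":
    # Constructed vector carrying the AV:N / AC:L / UI:N characteristics the
    # article cites for its Citrix example (not the CVE's actual vector).
    vec = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    for name in INVENTORY:
        print(triage(vec, "concentrated", "none", name))
```

The point the block makes is the one the article makes: with the same vendor-side inputs, the three constructed systems land on three different outcomes purely because their pre-agreed Exposure and Human Impact differ, which is why those two items should be settled before an emergency rather than during one.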
Conclusion
For the many vulnerabilities disclosed every day, organizations and individuals need to assess quickly and take appropriate action, and appropriate use of metrics is effective for this. CVSS, the metric commonly used today, is relatively easy to obtain because many vendors provide it, and it is useful when information is needed quickly or vulnerabilities are to be compared. SSVC, on the other hand, is effective as a means of deriving concrete countermeasures. Although few organizations use SSVC yet and the judgments it requires are not easy to make, it enables a vulnerability assessment that leads directly to a quick and concrete response policy. It is especially effective for prioritizing vulnerability measures where system management is properly in place.
CVSS and SSVC have different characteristics, but both must be used with a thorough understanding of their respective assessment metrics. When a vendor provides vulnerability information, using it promptly helps make a quick assessment. It is also important for the individuals and organizations that operate systems to organize the configuration and usage of the systems they handle, and to keep that picture current even as components change, for example when hardware is replaced or software is updated. By correctly identifying and managing the system configuration, you can take prompt action regardless of which metric is used for vulnerability assessment.
Mikiko Kikuchi
NTT DATA Group Corporation
She is a member of NTTDATA-CERT. She currently works mainly on emergency vulnerability response and OSINT for NTT DATA Group.