cisagov / cyhy-system

Cyber Hygiene system and overall documentation/issue tracking
Creative Commons Zero v1.0 Universal

Modify CyHy VS to include CVSSv3+ and VPR scoring #59

Closed chelsgr closed 2 years ago

chelsgr commented 2 years ago

Summary

The CyHy Team would like to add CVSSv3 and Tenable’s Vulnerability Priority Rating (VPR) risk scoring information to the VS reports. CyHy is planning to make requested changes to the report which may include related updates in the future redesign, but for now the MVP includes collecting data for CVSSv3+ (currently CVSSv3.0 and CVSSv3.1) and referencing Tenable’s Vulnerability Priority Rating (VPR) by making minimal changes to reporting to reflect the new information.

Motivation and context

Using CVSSv3+ moving forward is the most critical change, which will align our rating with the intended model and assist coordination efforts across multiple groups (especially the Disclosures team). Given these updates, stakeholders will be provided as much information as possible to help in their remediation prioritization efforts.

VPR scoring provides a score from 0-10 that is calculated by (60%) CVSS impact score + (40%) exploitation likelihood based on dark web/mentions on social media/exploit kits available/paste site repos/POC/age of vuln/attack vector/days since last threat activity/etc. The VPR changes are lower in priority than the CVSSv3 changes, so if any complications arise specific to VPR please identify whether a decision should be made by the CyHy team.

Acceptance criteria

chelsgr commented 2 years ago

Flagging a point that came up in a prior discussion within the Dev team. This question was raised: is there a guarantee that legacy CVEs got a v3 version? If not, then we can’t just backdate everything.

Referencing: https://nvd.nist.gov/vuln-metrics/cvss

There are currently no plans to associate CVSS v3.0 vector strings to CVEs that were already analyzed in the NVD prior to 12/20/2015. A subset of CVEs from before this time may be given CVSS v3.0 vector strings due to special cases or existence as examples in the CVSS v3 documentation.

For those which have CVSSv3 but already have tickets, it seems the CyHy Team is asking for the database and related code to be modified to store CVSSv2, CVSSv3.0 and CVSSv3.1, with the report always referencing the latest available. Does that approach to the changes make sense from the implementation perspective? For those requirements, see: https://github.com/cisagov/cyhy-system/issues/63

chelsgr commented 2 years ago

VPR Update:

As a response to our initial requirements analysis discussion for this project, I sent the following to the CyHy team:

During requirements analysis, to date the Dev team identified two questions:

  • Is the VPR score tied to a finding or the CVE?
  • Do they know of findings that have multiple CVEs or VPRs?

In our contextual review, the Dev team suggested consideration of whether CISA wants to change the FAQ version language for CVSS timeline associated directives: https://www.cisa.gov/directives. More specifically: https://www.cisa.gov/binding-operational-directive-19-02

FAQ: "Which version of the Common Vulnerability Scoring System (CVSS) does CISA use? Cyber Hygiene scans use a combination of CVSSv2.0 and Nessus severity ratings. The CVSSv2.0 base score and associated severity rating is the primary rating used, with a 10.0 base score rated as critical (following Nessus’ 'critical' rating). We use Nessus’s severity ratings when the National Vulnerability Database (NVD) has not provided a Common Vulnerabilities and Exposures (CVE) severity rating for certain vulnerabilities.

Agencies, where capable and practical, are encouraged to apply environmental scoring to Cyber Hygiene results so that the findings are more meaningful to their specific architectures, missions, and assets and can better assist in prioritizing remediation efforts."

The CyHy team has provided the following response:

As far as we are aware, the VPR score is tied to a finding. It is partially based on the CVSSv3 score, but it may also be available even for CVE-less findings.

There are definitely instances of findings with multiple CVEs (we already see this in our use of CVSSv2, and the way we are scoring is based on the “primary” CVE used by Nessus for that finding). There should only ever be one VPR score per finding.

Thank you for flagging the FAQ on BOD 19-02; we would make sure to work with the Capacity Building team to update it as we get closer to implementation of CVSSv3+ scoring in the reports. I envision there will be a transition/grace period for the BOD compliance tracking side of things.

Not every plugin will have VPR scoring… I envision we just leave the VPR column blank in such cases.
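A worked illustration of the reporting rule discussed in the comments above (store CVSSv2, CVSSv3.0 and CVSSv3.1 per finding, report the newest one available, and leave the VPR column blank when a plugin has no VPR), written as added example code that is not part of cyhy-system. The finding field names `cvss2`, `cvss3_0`, `cvss3_1` and `vpr`, and the `ReportRow` shape, are assumptions; the CVSSv2 band with only a 10.0 score rated Critical follows the BOD 19-02 FAQ quoted above, and the v3.x bands are the standard CVSSv3 qualitative scale.

```python
from dataclasses import dataclass
from typing import Optional

# Newest CVSS version stored on a finding wins: v3.1, then v3.0, then v2.
# Field names are assumed for this example, not cyhy-system's real schema.
CVSS_PREFERENCE = (("cvss3_1", "CVSSv3.1"), ("cvss3_0", "CVSSv3.0"), ("cvss2", "CVSSv2"))

# Severity bands differ by CVSS version: v2 follows the BOD 19-02 FAQ (only a
# 10.0 base score is Critical); v3.x uses the CVSSv3 qualitative rating scale.
V2_BANDS = ((10.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.0, "Low"))
V3_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"), (0.0, "None"))


@dataclass(frozen=True)
class ReportRow:
    plugin_id: int
    cvss_version: Optional[str]  # None when the finding has no CVSS score at all
    cvss_score: Optional[float]
    severity: str
    vpr: Optional[float]         # None renders as a blank VPR column

def _checked(name: str, value: float) -> float:
    """CVSS and VPR are both 0-10 scales; reject anything else as bad input."""
    if not 0.0 <= value <= 10.0:
        raise ValueError(f"{name} out of range: {value}")
    return float(value)

def severity_for(version: Optional[str], score: Optional[float]) -> str:
    """Label from the bands of the CVSS version actually being reported."""
    if score is None:
        return "Unknown"
    bands = V2_BANDS if version == "CVSSv2" else V3_BANDS
    return next(label for floor, label in bands if score >= floor)

def build_row(finding: dict) -> ReportRow:
    """Pick the newest stored CVSS score; a legacy CVE with only v2 still reports."""
    version = score = None
    for key, label in CVSS_PREFERENCE:
        if finding.get(key) is not None:
            version, score = label, _checked(label, finding[key])
            break
    vpr = finding.get("vpr")  # no VPR from Tenable stays None, never 0.0
    return ReportRow(finding["plugin_id"], version, score,
                     severity_for(version, score),
                     None if vpr is None else _checked("VPR", vpr))

def csv_fields(row: ReportRow) -> list:
    """Render one report row, leaving missing values as empty cells."""
    cells = (row.plugin_id, row.cvss_version, row.cvss_score, row.severity, row.vpr)
    return ["" if c is None else str(c) for c in cells]
```

The constructed findings in the test cover the three cases the thread raises: a pre-2015 CVE with only a v2 score, a finding with all three versions plus a VPR, and a plugin with no scores at all.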

chelsgr commented 2 years ago

This project has been delivered through the code deployed this afternoon.