Vulnerability assessment: Open source developer renews criticism of CVSS and CVE

cURL developer Daniel Stenberg is annoyed that his CVE entries are arbitrarily assigned CVSS scores by CISA. He has plausible arguments.


Daniel Stenberg, inventor and main developer of the open source command line tool cURL, has once again criticized the CVE (Common Vulnerabilities and Exposures) ecosystem in a blog post. The focus of his current criticism: the vulnerability assessment system CVSS (Common Vulnerability Scoring System), which is closely linked to CVE.

In Stenberg's opinion, the CVSS scoring process already harbors a high risk of misjudgement per se. However, this risk is exacerbated by the fact that specially authorized bodies such as the US authority CISA can add their own score calculations to any existing CVEs.

In the past, the subsequent "enrichment" of CVE entries with missing additional information such as CVSS scores was the task of the NVD (National Vulnerability Database). However, following a massive backlog of unprocessed CVEs, this has primarily been the responsibility of the US cyber security authority CISA since last year. In a GitHub repository for the so-called "Vulnrichment Project", it systematically completes all outstanding and new entries.

Stenberg publicly protested against what he considered to be an incorrect CVE entry back in September last year. He has also expressed fundamental criticism of CVSS in earlier blog posts.

In a new post with the dramatic title "CVSS is dead to us", the developer explains that the cURL team has been using its own, slimmed-down rating system based on four possible severity levels for years.

In his view, the CVSS assessment criteria are only suitable for accurate classification if you know exactly when and how the hardware or software product in question is used and how an exploit affects it. For a project like cURL, which is used billions of times in completely different application scenarios and environments, this simply does not work.

Contrary to what Stenberg initially stated in the blog post, adding a CVSS score to CVEs is by no means mandatory. And so the cURL team, in its role as CNA (CVE Numbering Authority), would be perfectly free to simply omit this information from the entries it creates itself.

The problem is that CISA apparently does not respect this deliberate omission. This is because the authority considers it its duty to always complete entries in the CVE database that it considers to be "incomplete". In its role as Authorized Data Publisher (ADP), it may do so without consulting the CNAs within firmly defined data containers – and does so with the cURL CVEs.


The time frame available to the vulnerability team per CVE is likely to be severely limited in view of the constantly growing number of vulnerabilities, as is the team's insight into the specific technical details of each individual vulnerability.

Stenberg sees a high risk of resulting calculation errors here and cites the cURL vulnerability CVE-2024-11053 from the end of last year as a concrete example. While this was classified as "low" by the cURL team itself according to its own system, CISA apparently considered it to be highly dangerous and subsequently added a CVSS base score of 9.1 ("critical") to the CVE entry. Following Stenberg's protest, however, the authority then drastically lowered the relevant score again – to 3.4 ("low").

For Stenberg, this process is an indication of the randomness and arbitrariness of the calculated scores, and of the excessive demands placed on ADPs, who "click together" the scores in the CVSS calculator virtually on a piecework basis and without in-depth insight into the technical details.

The developer does not currently see a solution to the problem: as the cURL team "does not dance the CVSS dance", it will not be spared from such misjudgements.

The reactions to Stenberg's post range from approval to cautious criticism. For example, a member of the Go language's security team confirmed that they had also had negative experiences with CISA's "enrichment".

Other voices, on the other hand, consider at least the fundamental criticism of CVSS to be exaggerated. One commentator emphasizes, for example, that the potential of vulnerability assessment is rarely fully exploited. After all, in addition to the omnipresent CVSS Base Score, it also includes options for adapting to changes over time (Temporal Metrics) or to the respective environment of the affected system (Environmental Metrics). These are simply used too rarely. Another agrees – and suggests that the function of the base score as a foundation rather than a final judgment should generally be better communicated.

(ovw)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.