In this post, we will look at this in more detail in order to understand what the difference between the 9.8 and 10.0 score is.
Vulnerability scoring system & the metric groups
The Common Vulnerability Scoring System is developed and maintained by the CVSS special interest group, a part of the FIRST membership organization. An overview of the CVSS score can be found in a previous post, but in short, it provides a way to give a severity score for vulnerabilities.
The score consists of a number of metrics. These metrics are collected in two groups: exploitability metrics and impact metrics. For the latest version, CVSS v3.1, the metrics and metric groups are as follows:
- Exploitability metrics are used to capture how easy it is to exploit a vulnerability. This group consists of four metrics.
  - Attack Vector captures how remote an attacker can be when exploiting the vulnerability. Possibilities here are: network, adjacent, local, and physical.
  - Attack Complexity captures whether there are conditions outside the attacker’s control that must be fulfilled for the attack to succeed. The complexity can be low or high.
  - Privileges Required refers to the level of privilege the attacker must have when exploiting the vulnerability. This metric is given as none, low, or high.
  - User Interaction captures whether the attack requires that a user is involved in some way. The possibilities here are none or required.
- Impact metrics are used to define to what extent confidentiality, integrity, or availability (also known as the CIA triad) can be lost in a successful attack. For each of these, the potential loss is given as none, low, or high.
- Finally, there is also a metric called scope, which is used to define whether the vulnerable component is the same as the impacted component, or whether the impact goes beyond the vulnerable component. In the latter case, the scope is changed. A vulnerability with changed scope is regarded as more severe than one with scope unchanged.
CVSS score 9.8 vs 10.0
It is very common to see vulnerabilities with a base score of 9.8, but much less common to see any with CVSS 10.0. The difference in CVSS score is primarily due to the scope metric. It is possible to get a CVSS score of 10.0 only if the scope is changed.
At the same time, the highest possible score when the scope is unchanged is 9.8. This is reached when all three impact metrics are high and all exploitability metrics take their most severe values. This is also the only way to get a CVSS base score of 9.8.
Looking at the statistics for 2017-2019, provided by NIST in the NVD database, we can see how many vulnerabilities have been recorded with scope unchanged/changed and a CVSS score of 9.8 and 10.0 respectively.
| Year | Total | Scope Unchanged | Scope Changed | CVSS 9.8 | CVSS 10.0 |
|------|-------|-----------------|---------------|----------|-----------|
Vulnerabilities with a changed scope
We see that vulnerabilities with changed scope amount to about 17% throughout the years and those with CVSS 10.0 are only a small fraction of vulnerabilities. At the same time, about 14% of the vulnerabilities have CVSS 9.8.
If scope is changed, then it is enough that two of the three impact metrics are high for the base score to be 10.0. Thus, there are seven combinations of metrics that can give a base score of 10.0.
Looking at all these vulnerabilities, we can see how these combinations of metrics are distributed. In the table, XYZ corresponds to high (H), low (L), and none (N) for the metrics confidentiality, integrity, and availability.
It is clear that most vulnerabilities with base score 10.0 do have full impact for confidentiality, integrity and availability.
A vulnerability with CVSS 9.8 has the most severe exploitability and impact metrics, but its impact does not extend beyond the vulnerable component.
However, while a vulnerability with CVSS 10.0 also has the most severe exploitability metrics and, most often, the highest impact metrics, its impact also extends beyond the vulnerable component. Thus, in terms of both exploitability and CIA impact, 9.8 and 10.0 vulnerabilities can be seen as equal.