Mathieu Morrissette
Hello Devolutions Community! It’s Mathieu Morrissette here from the Devolutions Security Team. I’m currently part of our dedicated Secure Coding and Red Team Department.
Today, I am going to discuss the improvements in CVSS version 4.0, which is the next generation of the Common Vulnerability Scoring System standard. I will focus on how CVSS version 4.0 provides better accuracy, granularity, and flexibility when assessing the severity of a vulnerability. I will also highlight the effects of these enhancements on our security practices.
What is CVSS?
CVSS is an industry-standard framework for assessing the severity of vulnerabilities. To facilitate this process, we use the CVSS calculator available on this website: https://www.first.org/cvss/calculator/3.1
We have been using CVSS version 3.1 for quite a while, and are excited that FIRST (Forum of Incident Response and Security Teams) has released the public preview version 4.0. This latest version represents a significant improvement over its predecessor, delivering enhanced capabilities for accurate vulnerability assessment. A detailed look at this new version is available here: https://www.first.org/cvss/v4-0/
Security Advisories, Security Assessments, and MITRE CNA
In just a moment, we will share our view of CVSS version 4.0, and highlight how we are leveraging new metrics and values to improve our vulnerability scoring process. But first, I would like to quickly outline three core pillars our of program: security advisories, security assessments, and our status as an authorized MITRE CNA.
Security Advisories: We regularly publish security advisories on our website at https://devolutions.net/security/advisories/. As part of our ongoing commitment to transparency and safeguarding your digital environment, these advisories not only keep you informed about any vulnerabilities that may affect our products, but also provide guidance on updating to the latest unaffected versions for optimal protection.
Security Assessments: You may be wondering: how are these vulnerabilities detected? They are detected through rigorous internal and external penetration testing, conducted by highly qualified professionals as part of our periodic security assessments. Plus, we have established a private bug bounty program in collaboration with the YesWeHack platform, which enables experienced hunters from around the world to actively and continuously test our software for any potential vulnerabilities.
MITRE CNA: As trusted and authorized MITRE CNA (Common Vulnerabilities and Exposures Numbering Authority), Devolutions plays a vital role in the vulnerability management ecosystem. By actively participating as a CNA, Devolutions reinforces secure practices and collaborative efforts within the cybersecurity community. When a confirmed vulnerability is reported to us, we work closely with the reporter to ensure proper handling and risk assessment. Part of our responsibility is to archive and publish the CVE record, which serves as a centralized database for identifying and tracking vulnerabilities. We invite you to visit the CVE website at https://www.cve.org/ to discover the comprehensive scope and significance of this critical resource.
Our View on CVSS Version 4.0
CVSS version 4.0 delivers a range of improvements that will greatly enhance our ability to score vulnerabilities for our security advisories. These improvements in accuracy, granularity, and flexibility will help us ensure that we provide our users with precise and actionable information. Let’s dive into the key changes incorporated into this new version, and explore their impact on our vulnerability scoring process.
UI Metric: The expanded User Interaction (UI) metric values, including Passive (P) and Active (A) categories, give us a better understanding of the level of user interaction required to exploit a vulnerability. This distinction enables us to tailor our security advisories and guide our users on the necessary defense measures for both actively and passively exploitable vulnerabilities.
AT Metric: The introduction of the Attack Requirements (AT) metric provides a more detailed view of the complexity and prerequisites that an attacker must overcome to exploit a vulnerability. By accurately assessing the exploitability of vulnerabilities, we can prioritize our remediation efforts effectively and provide our users with actionable guidance.
Provider Urgency Metric: One of the most exciting additions is the Provider Urgency (PU) metric. This assesses the urgency communicated by vulnerability providers, allowing us to prioritize vulnerabilities based on severity and recommended response timelines. By incorporating Provider Urgency into our advisories, we can deliver timely information to our users, enabling them to promptly address critical vulnerabilities.
While the introduction of additional metrics and values may introduce some complexity, we are confident in our ability to adapt and leverage these enhancements to provide accurate vulnerability scoring. We recognize the importance of having the necessary expertise and resources to evaluate vulnerabilities using the new system, ensuring that our risk assessments are precise and our remediation efforts are prioritized effectively.
We are eagerly anticipating the release of CVSS version 4.0, and are excited to integrate it into our vulnerability scoring process. The improvements made align perfectly with our commitment to providing our users with the most reliable and actionable security information. We believe that the comprehensive insights provided by the new metrics will enhance our vulnerability management practices, and further strengthen the security of our users’ systems.
From the Desk of Our CISO, Martin Lemay
As the CISO of Devolutions, I am pleased by the improvements in CVSS preview version 4.0. The enhanced accuracy it offers is a significant advancement in vulnerability scoring. We welcome the increased reliability it brings to our security practices and look forward to leveraging it to ensure more precise vulnerability assessments. This new change looks very promising and our team is ready to adopt it once approved by the industry.
Patrick Pilotte
