Qualys Severity Score
Qualys assigns every vulnerability in the Knowledge Base a Severity Score that is determined by the security risk associated with its exploitation. In addition to this broad guidance the service also takes into consideration factors like complexity of the exploit and likelihood of the exploit to work under normal conditions. Network location and privileges needed by an attacker to execute a successful attack are considered. Prevalence of the affected software and existence of known attacks, worm or malware also plays a role.
The possible consequences related to each vulnerability, potential vulnerability and information gathered severity level are described below. The guidance below is followed for all vulnerabilities.
Intruders can easily gain control of the host, which can lead to the compromise of your entire network security. For example, vulnerabilities at this level may include full read and write access to files, remote execution of commands, and the presence of backdoors.
Intruders can possibly gain control of the host, or there may be potential leakage of highly sensitive information. For example, vulnerabilities at this level may include full read access to files, potential backdoors, or a listing of all the users on the host.
Intruders may be able to gain access to specific information stored on the host, including security settings. This could result in potential misuse of the host by intruders. For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering rules and security mechanisms, denial of service attacks, and unauthorized use of services, such as mail relaying.
Intruders may be able to collect sensitive information from the host, such as the precise version of software installed. With this information, intruders can easily exploit known vulnerabilities specific to software versions.
Intruders can collect information about the host (open ports, services, etc.) and may be able to use this information to find other vulnerabilities.
CVSS scores in Qualys rely on NIST feeds. These scores are updated in Qualys on a nightly basis based on the latest information from the NIST feeds. So, additions or changes in CVSS scoring should be reflected in Qualys within 24 hours of being published by NIST.
Additionally Qualys exposes CVSS Base and Temporal Scores for each vulnerability. The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of vulnerabilities. CVSS consists of 3 groups: Base, Temporal and Environmental. Each group produces a numeric score ranging from 0 to 10, and a Vector, a compressed textual representation that reflects the values used to derive the score. The Base group represents the intrinsic qualities of a vulnerability. The Temporal group reflects the characteristics of a vulnerability that change over time. The Environmental group represents the characteristics of a vulnerability that are unique to any user's environment.
Most vulnerabilities listed in the NVD have a Base Score, some have a Temporal Score which may be provided by the software vendor. With some vulnerabilities, all of the information needed for NVD analysts to create CVSS scores may not be available. This typically happens when a vendor announces a vulnerability but declines to provide certain details. In such situations, NVD analysts assign CVSS scores using a worst case approach. If the NVD does not provide a CVSS Base score Qualys engineers determine the severity of the vulnerability, and provide a CVSS score that is internally generated and not provided by the NVD. Such scores and footnoted as such in the Qualys Knowledgebase. If there is no Temporal Score, Qualys signature engineers enter the temporal score based on best judgment of the engineer.
Qualys managers may add CVSS Environmental Metrics to Asset Groups if the use of full CVSS scoring methodology is desired.
As of January 2017 NIST has started populating CVSS V3 score to CVEs and have back-ported it to most 2016 CVEs. If a CVE has a v3 score available, our QIDs would have the associated v3 score. While its been a couple of years since CVSSv3 scores were introduced, what we have observed is that while CVSSv2 scores are added early by NIST, there is still a lag for the CVSSv3 scores and many CVEs do not have the CVSSv3 score assigned at all. There is no automatic or numerical equation that can convert v2 score to v3 scores. As of late 2018 it appears that 10% of all the QIDs released in 2018 are missing the CVSSv3 scores and of those 5% of the QIDs already have CVEs. CVSSv3 scores for those QIDs will start appearing as soon as NIST adds scores for them.
Relationship Between Qualys Severity and CVSS Base Scores
Generally Qualys Severity Scores, vendor severity scores, and CVSS Scores will be congruent. This is not always apparent as the Qualys Severity Score is the vendor score, with CVSS Base Score, and normalized into 1-5. For example Microsoft and RedHat have 4 levels of severity and CVSS 10 levels. These need to be mapped into Qualys’ 5 levels of severity. There are some cases where Qualys Severity Scores do not match CVSS scoring. For example Qualys has made some policy decisions regarding some vulnerabilities that differ with NVD analysts a good example of which is Heart Bleed. CVSS rated Heart Bleed as information disclosure and give it a low score. However since Qualys engineers determined that the information disclosed is SSH keys, and therefore a highly critical piece of information, we rate it high. Another reason the Qualys Severity Score does not always match CVSS scores is that in addition to the categorizations described above, Qualys engineers also take into consideration factors like complexity of the exploit and likelihood of the exploit to work under normal conditions. Network location and privileges needed by an attacker to execute a successful attack are considered. Prevalence of the affected software and existence of known attacks, worm or malware also plays a role. Needless to say Qualys takes a lot of effort to provide a value add and makes our scores more relevant.