The Common Vulnerability Scoring System (CVSS)

3. (15 points) The Common Vulnerability Scoring System (CVSS) measures three areas: i) Base Metrics for qualities intrinsic to a vulnerability ii) Temporal Metrics for characteristics that evolve over the lifetime of vulnerability iii) Environmental Metrics for vulnerabilities that depend on a particular implementation A numerical score is computed for each of these metric groups. A vector represents the values of all the metrics as a block of text. For example, AV:L/AC:H/Au:N/C:P/I:P/A:P is a CVSS v2 base vector representing a local attack vector (AV:L), high access complexity (AC:H), no authentication (Au:N), and partial impact on confidentiality (C:P), integrity (I:P), and availability (A:P). The overall numerical score is 3.7 if the temporal and environmental metrics are not defined (ND). a) (3 points) Using the CVSS v2 vector AV:N/AC:L/Au:N/C:N/I:C/A:C, compute the overall score. Show all computations/formulas used. Explain your results. What vulnerability might this be? Verify your score: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator b) (3 points) Now, re-compute the overall score assuming a low target distribution (TD:L). Hence, the CVSS v2 vector is AV:N/AC:L/Au:N/C:N/I:C/A:C/CDP:ND/TD:L/CR:ND/IR:ND/AR:ND. What vulnerability might this 11/21/2018 Writers Hub – Freelance Writing https://www.writershub.org/writer/orders/338033#instructions 4/5 be? Explain any differences in overall CVSS v2 score. c) (3 points) Using the CVSS v3 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H, compute the overall score. Show all computations/formulas used. Explain your results. What vulnerability might this be? Verify your score: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator d) (3 points) Now, re-compute the overall score assuming a high privilege required (MPR:H) but all others undefined (X). What vulnerability might this be? Explain any differences in overall CVSS v2 a