If multiple vulnerabilities are detected in your assets, you may be unable to identify the vulnerability that needs to be fixed at the earliest opportunity. To address this issue, Security Center provides the vulnerability scoring system that evaluates vulnerabilities and prioritizes remediation for the vulnerabilities. This way, you can determine the priorities to fix vulnerabilities based on the score of urgency to fix a vulnerability. This topic describes the vulnerability scoring system.
Background information
The Common Vulnerability Scoring System (CVSS) can evaluate the scopes and impacts of vulnerabilities. The CVSS can also evaluate the possibility of exploiting a vulnerability and inform you about the consequences of the vulnerability. However, in actual vulnerability prevention scenarios, the CVSS cannot accurately determine whether a vulnerability is at risk of being exploited. Therefore, the CVSS cannot prioritize vulnerabilities.
Published statistics show that approximately 60% of all Common Vulnerabilities and Exposures (CVEs) are rated as high or critical by the CVSS. However, only less than 3% of the CVEs that are rated as high or critical are most likely to be exploited. For example, if the description of a vulnerability includes keywords such as Adobe or arbitrary code execution, the CVSS gives a high score (usually from 8 to 10) to the vulnerability. However, in most cases, this type of vulnerability has the lowest possibility of being exploited.
Alibaba Cloud analyzes the severity levels of vulnerabilities that are detected in actual attack and defense scenarios, and then develops a vulnerability scoring system based on the principles of CVSS.
Alibaba Cloud vulnerability scoring system
- Technology.
- Exploitability, which can be a proof of concept (PoC), an exploit, a weaponized worm, or a weaponized virus.
- Threat. This factor indicates whether the vulnerability can be exploited to obtain server permissions.
- Number of IP addresses that are affected after the vulnerability is exploited. This factor indicates how much possible the vulnerability is exploited by attackers.
Formula for the score of urgency to fix a vulnerability
The score of urgency to fix a vulnerability dynamically changes. After a vulnerability is disclosed, the Alibaba Cloud vulnerability scoring system gives a score to the vulnerability based on the impacts that may be caused by the vulnerability. The score is called the Alibaba Cloud vulnerability score. When operating systems are updated, some vulnerabilities are fixed. Therefore, fewer vulnerabilities are detected on these systems, and the threat of existing vulnerabilities on the systems is reduced. This lowers the score of urgency to fix this type of vulnerability. In addition, the score of urgency to fix a vulnerability is affected by the deployment environment and the importance of the asset.
Alibaba Cloud provides the following formula to calculate the score of urgency to fix a vulnerability:
Score of urgency to fix a vulnerability = Alibaba Cloud vulnerability score × Time score × Environment score × Asset importance score
| Element | Description | Remarks |
|---|---|---|
| Alibaba Cloud vulnerability score | The score is generated based on the Alibaba Cloud vulnerability scoring system. | The score is used to evaluate the severity level of a vulnerability. |
| Time score | A dynamic time curve is used. The curve is generated based on factors such as the postponement in the deployment of vulnerability mitigation and the popularization of vulnerability exploit methods. Valid values: 0 to 1. | Within three days after a vulnerability is exposed, the possibility that the vulnerability is exploited significantly increases. During this period, the time score increases from 0 to a temporary peak value, which is less than 1. After this period, the time score significantly decreases. Vulnerabilities become easier to be exploited over time due to increased exploitability. The time score increases and approaches 1 within 100 days. |
| Environment score | The score indicates the environmental condition of your server. Security Center calculates the environment score based on factors such as the conditions of exploiting a vulnerability and the status of your server. The environment score is an important element in the preceding formula. |
The following list describes the factors that determine the environment score:
|
| Asset importance score | If you have a large number of servers, the system calculates asset importance scores for different servers based on their importance in different scenarios. The asset importance score is an important element in the preceding formula. | The default value is 1. On the Assets page, you can attach one of the following tags to your assets: Important Assets, General Assets, and Test Assets. The asset importance score varies based on the following types of assets:
|
Priorities to fix vulnerabilities
You can fix vulnerabilities based on priorities, which are determined by the score of urgency to fix a vulnerability.
| Priority to fix a vulnerability | Description | Score of urgency to fix a priority | Suggestion on fixing |
|---|---|---|---|
| High | This priority is assigned to a vulnerability that can be easily exploited by an unauthenticated remote attacker. The vulnerability can be exploited to compromise systems over arbitrary code execution without user interactions. In most cases, this type of vulnerability is exploited by worms or ransomware. | Greater than 13.5 | We recommend that you fix this type of vulnerability at the earliest opportunity. |
| Medium | This priority is assigned to a vulnerability that may adversely affect the confidentiality, integrity, or availability of resources. In most cases, this type of vulnerability cannot be exploited. However, this type of vulnerability is given a high score by the CVSS when they are disclosed on the Internet or at an official website. We recommend that you attach importance to this type of vulnerability. | 7.1 to 13.5 | We recommend that you fix this type of vulnerability based on your business requirements. |
| Low | This priority is assigned to a vulnerability that has the lowest possibility of being exploited or does not pose risks after it is exploited. In most cases, this type of vulnerability is a bug in the source code of a program or a vulnerability that affects compliance and service performance. | Less than 7 | We recommend that you ignore this type of vulnerability. |
- If the environment score of a vulnerability cannot be calculated due to reasons such as network jitters, the priority to fix the vulnerability is Low.
- Urgent and Web-CMS vulnerabilities are assigned the High priority, which is confirmed by Alibaba Cloud security engineers. We recommend that you fix urgent and Web-CMS vulnerabilities at the earliest opportunity.
References
How often does Security Center detect vulnerabilities?
What are the differences between baselines and vulnerabilities?
What do I do if I cannot enable the vulnerability detection feature for a server on the Assets page?