Exploit Prediction Scoring System (EPSS) is used to estimate the probability that a vulnerability will be exploited in the wild. It helps prioritize vulnerability remediation efforts when used in conjunction with an existing CVSS score.
The CVSS scoring system rates a vulnerability on the basis of its intrinsic characteristics and classifies it into a severity level, but it says nothing about whether that vulnerability is actually being attacked. EPSS fills this gap: it uses CVE data together with current threat information to estimate the likelihood of exploitation. The EPSS probability score is between 0 and 100 (in percentage); the higher the score of a vulnerability, the higher the chance of it being exploited.
Need for EPSS Scoring System:
For any company it is a big challenge to fix all vulnerabilities, because there are far too many of them: typically only between 5% and 20% of vulnerabilities are actually fixed, yet in a network only 2 to 5% of vulnerabilities are ever seen to be exploited. The EPSS scoring system uses CVE data to estimate the probability that a given vulnerability will be exploited, which helps a company not only prioritize vulnerabilities but also judge whether a particular vulnerability is likely to be exploited in the wild.
How EPSS can be used to prioritize vulnerabilities:
- EPSS can be used in conjunction with an existing CVSS score: CVSS characterizes vulnerabilities into severity levels, and EPSS helps prioritize among them by indicating whether a vulnerability is likely to be exploited and therefore has the potential to cause damage to the system.
- It can be used in risk acceptance decisions. Risk is commonly calculated by multiplying the probability of an event by its impact, so instead of guessing the probability term we can use the EPSS score as that value, combine it with the impact, and prioritize the vulnerability accordingly.
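The prioritization just described, as an added worked example that is not code from the original post or from SecOps Solution. It parses a constructed JSON payload that mirrors the field names of the FIRST EPSS API (`cve`, `epss`, `percentile`, `date`, with numbers serialised as strings), combines each CVE's EPSS probability with a CVSS base score using the probability x impact model, and sorts the findings. The three real CVEs and their EPSS percentages are the ones listed later on this page; the CVSS values, the two placeholder CVE ids, the percentile and date fields, and the 0.10 EPSS / 7.0 CVSS tier thresholds are all assumptions made for the example. Findings with no EPSS entry are kept and flagged for review rather than scored as zero, which is how the "CVE ids only" limitation discussed below shows up in practice.

```python
import json

# Constructed sample response in the shape returned by the FIRST EPSS API
# (https://api.first.org/data/v1/epss?cve=...). The three real CVEs and their
# EPSS percentages come from the post, written here as probabilities; the
# percentile and date fields are illustrative values, not real API output.
SAMPLE_EPSS_RESPONSE = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-2019-0708", "epss": "0.913", "percentile": "0.99", "date": "2023-01-01"},
        {"cve": "CVE-2019-5736", "epss": "0.920", "percentile": "0.99", "date": "2023-01-01"},
        {"cve": "CVE-2018-11776", "epss": "0.850", "percentile": "0.98", "date": "2023-01-01"},
        # Placeholder id (constructed): severe on paper but rarely exploited.
        {"cve": "CVE-0000-00001", "epss": "0.010", "percentile": "0.40", "date": "2023-01-01"},
    ],
})

# Constructed scanner findings: CVE id -> CVSS base score. The CVSS values are
# sample inputs for the ranking (assumption), not figures from the post.
SAMPLE_FINDINGS = {
    "CVE-2019-0708": 9.8,
    "CVE-2019-5736": 8.6,
    "CVE-2018-11776": 8.1,
    "CVE-0000-00001": 9.1,
    "CVE-0000-00002": 7.5,   # placeholder id with no EPSS entry yet
}


def parse_epss_response(json_text):
    """Map each CVE in an EPSS-API-style response to its probability (0.0-1.0).

    The API serialises numbers as strings, so convert explicitly and reject
    anything outside [0, 1] rather than silently ranking on bad data.
    """
    payload = json.loads(json_text)
    scores = {}
    for entry in payload.get("data", []):
        epss = float(entry["epss"])
        if not 0.0 <= epss <= 1.0:
            raise ValueError(f"EPSS out of range for {entry['cve']}: {epss}")
        scores[entry["cve"]] = epss
    return scores


def expected_severity(epss, cvss):
    """Risk as probability x impact: EPSS supplies the probability term and the
    CVSS base score (0-10) stands in for the impact term."""
    return round(epss * cvss, 3)


def triage_tier(epss, cvss, epss_threshold=0.10, cvss_threshold=7.0):
    """Place a finding in one of four action tiers from the two scores
    (thresholds are assumed values for the example, not an EPSS recommendation)."""
    likely = epss >= epss_threshold
    severe = cvss >= cvss_threshold
    if likely and severe:
        return "urgent"        # likely exploited and high impact: fix first
    if likely:
        return "monitor"       # likely exploited but limited impact
    if severe:
        return "scheduled"     # severe but rarely attacked: normal patch cycle
    return "backlog"


def prioritize(findings, epss_by_cve, epss_threshold=0.10, cvss_threshold=7.0):
    """Rank findings by expected severity, highest first. Findings without an
    EPSS entry are kept at the end and marked for manual review, because EPSS
    only covers vulnerabilities that have a CVE id and have been scored."""
    scored, unscored = [], []
    for cve, cvss in findings.items():
        epss = epss_by_cve.get(cve)
        if epss is None:
            unscored.append({"cve": cve, "cvss": cvss, "epss": None,
                             "risk": None, "tier": "review"})
            continue
        scored.append({
            "cve": cve, "cvss": cvss, "epss": epss,
            "risk": expected_severity(epss, cvss),
            "tier": triage_tier(epss, cvss, epss_threshold, cvss_threshold),
        })
    scored.sort(key=lambda f: f["risk"], reverse=True)
    return scored + unscored


if __name__ == "__main__":
    ranking = prioritize(SAMPLE_FINDINGS, parse_epss_response(SAMPLE_EPSS_RESPONSE))
    for f in ranking:
        epss = "n/a" if f["epss"] is None else f"{f['epss']:.1%}"
        risk = "-" if f["risk"] is None else f["risk"]
        print(f"{f['cve']:<16} CVSS {f['cvss']:<4} EPSS {epss:<6} risk {risk!s:<6} {f['tier']}")
```

Note how the placeholder CVE-0000-00001 has the second-highest CVSS in the sample yet lands near the bottom of the ranking: with a 1% EPSS its expected severity is a fraction of the three widely exploited CVEs, which is exactly the reordering that CVSS alone cannot produce.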
Examples of vulnerabilities having high EPSS score:
1. EPSS score: 91.3%
CVE ID: CVE-2019-0708
Vulnerability Detail: A remote code execution vulnerability exists in Remote Desktop Services, formerly known as Terminal Services, when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.
2. EPSS score: 92.0%
CVE ID: CVE-2019-5736
Vulnerability Detail: runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
3. EPSS score: 85.0%
CVE ID: CVE-2018-11776
Vulnerability Detail: Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true and then: results are used with no namespace and, at the same time, its upper package has no or a wildcard namespace; similarly to results, the same possibility exists when using a url tag which doesn't have value and action set and, at the same time, its upper package has no or a wildcard namespace.
Limitations of EPSS:
- The EPSS scoring method does not fully quantify risk; it only estimates the likelihood of exploitation (the threat), not the impact on the system.
- Only vulnerabilities with CVE identifiers are taken into account, because the CVE id is the standard identifier shared by all of the different data sources EPSS draws on. As a result, it disregards other software (or hardware) bugs and configuration errors that could also be exploited.
- Revealing which vulnerabilities are more likely to be exploited may alter the strategic behavior of malicious hackers, who might then choose to exploit vulnerabilities that are less likely to be noticed and detected, artificially changing the ecosystem of vulnerability exploits.
SecOps Solution is an agent-less Risk-based Vulnerability Management Platform that helps organizations identify, prioritize and remediate security vulnerabilities and misconfigurations in seconds.
To schedule a demo, drop us a note at email@example.com