Viewing the Amazon Inspector score and understanding vulnerability intelligence details
Amazon Inspector creates a score for Amazon Elastic Compute Cloud (Amazon EC2) instance findings.
You can view the Amazon Inspector score and vulnerability intelligence details in the Amazon Inspector console.
The Amazon Inspector score provides you with details that you can compare with metrics in the Common Vulnerability Scoring System (CVSS).
Amazon Inspector score
The Amazon Inspector score is a contextualized score that Amazon Inspector creates for each EC2 instance finding. The Amazon Inspector score is determined by correlating the base CVSS v3.1 score information with information collected from your compute environment during scans, such as network reachability results and exploitability data. For example, the Amazon Inspector score of a finding may be lower than the base score if the vulnerability is exploitable over the network but Amazon Inspector determines that no open network path to the vulnerable instance is available from the internet.
The base score for a finding is the CVSS v3.1 base score provided by the vendor. RHEL, Debian, and Amazon vendor base scores are supported. For other vendors, or for cases where the vendor hasn't provided a score, Amazon Inspector uses the base score from the National Vulnerability Database (NVD).
Note
Amazon Inspector score isn't available for Linux instances running Ubuntu. This is because Ubuntu defines its own vulnerability severity that may differ from the associated CVE severity.
Amazon Inspector score details
When you open the details page of a finding, you can select the Inspector score and vulnerability intelligence tab. This panel shows the difference between the base score and the Inspector score, and explains how Amazon Inspector assigned the severity rating based on a combination of the Amazon Inspector score and the vendor score for the software package. If the scores differ, the panel explains why.
In the CVSS score metrics section you can see a table with comparisons between the CVSS base score metrics and the Inspector score. The metrics compared are the base metrics defined in the CVSS specification document:
- Attack Vector: The context by which a vulnerability can be exploited. For Amazon Inspector findings this can be Network, Adjacent Network, or Local.
- Attack Complexity: This describes the level of difficulty an attacker will face when exploiting the vulnerability. A Low score means that the attacker needs to meet little or no additional conditions to exploit the vulnerability. A High score means that an attacker will need to invest a considerable amount of effort in order to carry out a successful attack with this vulnerability.
- Privilege Required: This describes the level of privilege an attacker will need to exploit a vulnerability.
- User Interaction: This metric states whether a successful attack using this vulnerability requires a human user other than the attacker.
- Scope: This states whether a vulnerability in one vulnerable component impacts resources in components beyond the vulnerable component's security scope. If this value is Unchanged, the affected resource and the impacted resource are the same. If this value is Changed, then the vulnerable component can be exploited to impact resources managed by different security authorities.
- Confidentiality: This measures the level of impact to the confidentiality of data within a resource when the vulnerability is exploited. This ranges from None, where no confidentiality is lost, to High, where all information within a resource is divulged or confidential information such as passwords or encryption keys can be divulged.
- Integrity: This measures the level of impact to the integrity of data within the impacted resource if the vulnerability is exploited. Integrity is at risk when the attacker is able to modify files within impacted resources. The score ranges from None, where the exploit does not allow an attacker to modify any information, to High, where the vulnerability would allow an attacker to modify any or all files, or where the files that could be modified have serious consequences.
- Availability: This measures the level of impact to the availability of the impacted resource when the vulnerability is exploited. The score ranges from None, where the vulnerability does not impact availability at all, to High, where the attacker can completely deny availability to the resource or cause a service to become unavailable.
Vulnerability Intelligence
This section summarizes available intelligence about the CVE from Amazon as well as industry standard security intelligence sources such as Recorded Future and the Cybersecurity and Infrastructure Security Agency (CISA).
Note
Intel from CISA, Amazon, or Recorded Future won't be available for all CVEs.
You can view vulnerability intelligence details in the console or by using the BatchGetFindingDetails API. The following details are available in the console:
- ATT&CK: This section shows the MITRE tactics, techniques, and procedures (TTPs) associated with the CVE. If there are more than two applicable TTPs, you can select the link to see the complete list. Selecting a tactic or technique opens information about it on the MITRE website.
- CISA: This section covers relevant dates associated with the vulnerability: the date the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation, and the due date by which CISA expects systems to be patched. This information is sourced from CISA.
- Known malware: This section lists known exploit kits and tools that exploit this vulnerability.
- Evidence: This section summarizes the most critical security events involving this vulnerability. If more than three events have the same criticality level, the three most recent events are displayed.
- Last time reported: This section shows the last known public exploit date for this vulnerability.
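Because the same details are available through the BatchGetFindingDetails API, here is an added example (a helper of my own, not part of Amazon Inspector) that pulls the CISA, known-malware, and exploit-observed fields out of a response and orders findings so that Known Exploited Vulnerabilities entries past their CISA due date surface first. The field names it reads (`findingDetails`, `cisaData` with `dateAdded`/`dateDue`, `exploitObserved`, `tools`, `ttps`, `riskScore`) are my understanding of the inspector2 response shape and should be checked against the current API reference; the embedded response is constructed, with placeholder ARNs and a placeholder tool name.

```python
"""Triage helper for Amazon Inspector vulnerability-intelligence details.

Added example, not part of Amazon Inspector. The response shape assumed here
(findingDetails[].cisaData.dateAdded/dateDue, exploitObserved, tools, ttps,
riskScore) follows the inspector2 BatchGetFindingDetails response as I
understand it; verify against the current API reference before relying on it."""
from datetime import datetime, timezone


def fetch_finding_details(finding_arns, region="us-east-1"):
    """Live call. boto3 is imported lazily so the rest of the module runs
    offline; assumes credentials allowed to call inspector2:BatchGetFindingDetails."""
    import boto3
    client = boto3.client("inspector2", region_name=region)
    return client.batch_get_finding_details(findingArns=finding_arns)


def _to_dt(value):
    """boto3 returns datetimes; the constructed sample uses ISO-8601 strings."""
    if value is None:
        return None
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(response, now):
    """Flatten each finding's intelligence into a row and sort so that KEV
    entries past their CISA due date come first, then other KEV entries,
    then findings with observed exploitation, then the rest."""
    rows = []
    for detail in response.get("findingDetails", []):
        cisa = detail.get("cisaData") or {}
        due = _to_dt(cisa.get("dateDue"))
        rows.append({
            "arn": detail["findingArn"],
            "in_kev": cisa.get("dateAdded") is not None,
            "past_due": bool(due is not None and due < now),
            "exploit_observed": bool(detail.get("exploitObserved")),
            "tools": list(detail.get("tools") or []),
            "ttps": list(detail.get("ttps") or []),
            "risk_score": detail.get("riskScore"),
        })
    rows.sort(key=lambda r: (not r["past_due"], not r["in_kev"],
                             not r["exploit_observed"], r["arn"]))
    return rows


# Constructed sample response with placeholder ARNs and tool names; not real findings.
SAMPLE_RESPONSE = {
    "findingDetails": [
        {
            "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/EXAMPLE-B",
            "ttps": ["T1059"],
            "tools": [],
            "riskScore": 40,
        },
        {
            "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/EXAMPLE-A",
            "cisaData": {
                "action": "Apply updates per vendor instructions.",
                "dateAdded": "2024-01-10T00:00:00Z",
                "dateDue": "2024-01-31T00:00:00Z",
            },
            "exploitObserved": {"firstSeen": "2024-01-05T00:00:00Z",
                                "lastSeen": "2024-03-02T00:00:00Z"},
            "tools": ["EXAMPLE-EXPLOIT-KIT"],
            "ttps": ["T1190"],
            "riskScore": 90,
        },
        {
            "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/EXAMPLE-C",
            "cisaData": {
                "action": "Apply updates per vendor instructions.",
                "dateAdded": "2024-05-01T00:00:00Z",
                "dateDue": "2024-06-01T00:00:00Z",
            },
            "tools": [],
            "ttps": [],
            "riskScore": 70,
        },
    ],
    "errors": [],
}

# Fixed "now" so the ordering in the sample is reproducible.
SAMPLE_NOW = datetime(2024, 5, 15, tzinfo=timezone.utc)


def run_example():
    """Triage the constructed sample; a real run would pass fetch_finding_details(...)."""
    return triage(SAMPLE_RESPONSE, SAMPLE_NOW)


if __name__ == "__main__":
    for row in run_example():
        flags = [k for k in ("past_due", "in_kev", "exploit_observed") if row[k]]
        print(row["arn"].rsplit("/", 1)[1], row["risk_score"], flags, row["ttps"], row["tools"])
```

With the sample, EXAMPLE-A (in the KEV catalog, past its due date, exploitation observed) sorts first, EXAMPLE-C (in the catalog, not yet due) second, and EXAMPLE-B last. The ordering deliberately ignores `riskScore` so that a CISA deadline is never outranked by a lower-confidence number; swap the sort key if your patch policy weighs them differently.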