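Recently I wrote a script related to a "CIS Benchmark - Word Export". With a little knowledge of PowerShell you'll be able to calculate the resulting risk scores for checks, based on AccessVector, AccessComplexity and Authentication (A;A;A) and on the Confidentiality, Integrity and Availability impact (C,I,A).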
#########################################################################################
# Function for CVSS Score #
###########################
#
# Example [High Risk]: CalculateBaseCVSS -AccessVector "NetworkAccessible" -AccessComplexity "low" -Authentication "noauthentication" -ConfImpact "complete" -IntegImpact "complete" -AvailImpact "complete"
# [Low Risk]: CalculateBaseCVSS
#
# BaseScore6 = round_to_1_decimal(((0.6*Impact)+(0.4*Exploitability)-1.5)*f(Impact))
# Impact = 10.41*(1-(1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))
# Exploitability = 20* AccessVector*AccessComplexity*Authentication
# f(impact)= 0 if Impact=0, 1.176 otherwise
#
# AccessVector = case AccessVector of
# not defined: 0.15 # Added for SIX and CCS Not Defined Values
# requires local access: 0.395
# @CCS local accessible
# adjacent network accessible: 0.646
# network accessible: 1.0
#
# AccessComplexity = case AccessComplexity of
# not defined: 0.15 # Added for SIX and CCS Not Defined Values
# high: 0.35
# medium: 0.61
# low: 0.71
#
# Authentication = case Authentication of
# not defined: 0.15 # Added for SIX and CCS Not Defined Values
# requires multiple instances of authentication: 0.45
# requires single instance of authentication: 0.56
# requires no authentication: 0.704
#
# ConfImpact = case ConfidentialityImpact of
# not defined: 0.15 # Added for SIX and CCS Not Defined Values
# none: 0.0
# partial: 0.275
# complete: 0.660
#
# IntegImpact = case IntegrityImpact of
# not defined: 0.15 # Added for SIX and CCS Not Defined Values
# none: 0.0
# partial: 0.275
# complete: 0.660
#
# AvailImpact = case AvailabilityImpact of
# not defined: 0.15 # Added for SIX and CCS Not Defined Values
# none: 0.0
# partial: 0.275
# complete: 0.660
#
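Function CalculateBaseCVSS {
    # Computes a CVSS-style base score from the six base metrics and returns it
    # as a string of the form "<score> <trace>", where <trace> records which
    # label matched for each metric (e.g. "2#2#2#2#2#2"; index 3 = not defined).
    #
    # Parameters (all optional, matched case-insensitively, whitespace ignored):
    #   AccessVector     localaccess | AdjacentNetworkAccessible | NetworkAccessible
    #   AccessComplexity high | medium | low
    #   Authentication   multipleinstance | singleinstance | noauthentication
    #   ConfImpact, IntegImpact, AvailImpact   none | partial | complete
    #
    # NOTE: any value that matches no label is scored with the weight 0.15
    # ("not defined"). That weight is a local extension described in the file
    # header, so a mistyped label silently lowers the result instead of failing;
    # check the trace part of the output for a "3" before relying on a score.
    param(
        $AccessVector="undefined",
        $AccessComplexity="undefined",
        $Authentication="undefined",
        $ConfImpact="undefined",
        $IntegImpact="undefined",
        $AvailImpact="undefined"
    )

    # f(Impact) stays 0 unless the computed impact is non-zero.
    $fImpact = 0
    $CVal = @()
    # Initialise locally: "+=" on an unset name would otherwise start from a
    # same-named variable that happens to exist in a caller's scope.
    $tmpCheckVal = ""

    # Cast to string and drop whitespace so that the spaced spellings used in
    # the file header ("network accessible", "no authentication") match, and so
    # that an array argument cannot make a switch add more than one weight.
    $vector     = ([string]$AccessVector) -replace '\s', ''
    $complexity = ([string]$AccessComplexity) -replace '\s', ''
    $auth       = ([string]$Authentication) -replace '\s', ''

    # Scoring for Access Vector
    switch ($vector)
    {
        { 'localaccess', 'localaccessible' -contains $_ } { $CVal += 0.395; $tmpCheckVal += "0"; break }
        "AdjacentNetworkAccessible" { $CVal += 0.646; $tmpCheckVal += "1" }
        "NetworkAccessible"         { $CVal += 1.0;   $tmpCheckVal += "2" }
        default                     { $CVal += 0.15;  $tmpCheckVal += "3" }
    }

    # Scoring for Access Complexity
    switch ($complexity)
    {
        "high"   { $CVal += 0.35; $tmpCheckVal += "#0" }
        "medium" { $CVal += 0.61; $tmpCheckVal += "#1" }
        "low"    { $CVal += 0.71; $tmpCheckVal += "#2" }
        default  { $CVal += 0.15; $tmpCheckVal += "#3" }
    }

    # Scoring for Authentication. The weights are the ones listed in the file
    # header (0.45 / 0.56 / 0.704); the previous body reused the Access
    # Complexity weights here. "multipleinstanc" is kept as a legacy spelling.
    switch ($auth)
    {
        { 'multipleinstanc', 'multipleinstance', 'multipleinstances' -contains $_ } { $CVal += 0.45; $tmpCheckVal += "#0"; break }
        "singleinstance"   { $CVal += 0.56;  $tmpCheckVal += "#1" }
        "noauthentication" { $CVal += 0.704; $tmpCheckVal += "#2" }
        default            { $CVal += 0.15;  $tmpCheckVal += "#3" }
    }

    # Scoring for the three impact metrics, in C, I, A order. The values are
    # read directly rather than through ExpandString, which evaluates whatever
    # expression the string it is given contains and is not needed for a fixed
    # list of parameters.
    foreach ($imp in @($ConfImpact, $IntegImpact, $AvailImpact))
    {
        switch (([string]$imp) -replace '\s', '')
        {
            "none"     { $CVal += 0.0;   $tmpCheckVal += "#0" }
            "partial"  { $CVal += 0.275; $tmpCheckVal += "#1" }
            "complete" { $CVal += 0.660; $tmpCheckVal += "#2" }
            default    { $CVal += 0.15;  $tmpCheckVal += "#3" }
        }
    }

    # $CVal holds AV, AC, Au, C, I, A at indexes 0..5.
    $Impact = 10.41 * (1 - (1 - $CVal[3]) * (1 - $CVal[4]) * (1 - $CVal[5]))
    $Exploitability = 20 * $CVal[0] * $CVal[1] * $CVal[2]

    # "-ne" states the intent directly; "! $Impact -eq 0" parsed as
    # "(!$Impact) -eq 0" and only gave the right answer through bool coercion.
    if ($Impact -ne 0) {
        $fImpact = 1.176
    }

    # ASCII hyphen-minus for the subtraction (the original had an en dash).
    $BaseScore = [System.Math]::Round((((0.6 * $Impact) + (0.4 * $Exploitability) - 1.5) * $fImpact), 1)

    "$BaseScore" + " " + "$tmpCheckVal"
}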