MITRE has released a list of the top 25 most dangerous software weaknesses and errors that can be exploited by attackers to compromise our systems.
The non-profit's 2019 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors report is a compilation of errors, bugs, and potential attack vectors developers should make sure they are familiar with in the interest of security.
Ranging from improper certificate validation to memory buffer overflow errors, these software flaws can be used during attack chains to hijack vulnerable systems, cause data leaks, launch denial-of-service (DoS) attacks, and potentially seize control of software as an avenue for wider attacks against PCs and networked devices.
MITRE's list focuses on CWEs, which are baseline software security weaknesses that may become precursors to CVEs -- specific vulnerabilities found in vendor software that can be reported, addressed, and made public.
The group says that CWE lists can serve as "a common baseline standard for weakness identification, mitigation, and prevention efforts."
The list, receiving its first update since 2011, has been generated through a new approach. The original 2011 report relied upon surveys and interviews, whereas the 2019 Top 25 is data-driven.
In this year's roundup, MITRE pulled CVE data from its database alongside information obtained from the National Institute of Standards and Technology (NIST)'s National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS).
A scoring algorithm was then applied to create the list of the most common and severe software issues discovered in 2017 and 2018. In total, roughly 25,000 CVEs provided source data.
However, it is worth noting that the list does contain some bias due to the omission of vulnerabilities found and fixed before public release, as well as CVE advisories in which only the impact but not the full technical details have been shared -- or when the language used by vendors is difficult to analyze, resulting in the dismissal of at least 2,600 CVEs.
In addition, detection tools are more likely to find and analyze some specific classes of software errors rather than others which may result in under-representation, and the scoring system is known to inadvertently prioritize implementation flaws over design flaws.
The most dangerous software error, according to MITRE, is CWE-119, described as the "Improper Restriction of Operations within the Bounds of a Memory Buffer." In other words, when software will perform tasks on a memory buffer but is also able to read or write from a location outside of the buffer's boundaries.
If exploited, attackers may be able to execute arbitrary code, hijack systems, steal sensitive data, or cause system crashes.
In second place is CWE-79, the "Improper Neutralization of Input During Web Page Generation" -- also known as cross-site scripting (XSS). XSS vulnerabilities are common and often caused by the failure to properly control or neutralize user input on a web page.
MITRE says that XSS bugs can form when web requests are not managed securely, leading to websites generating pages containing potentially malicious data and serving it to visitors, where code may be injected into a browser session.
There are three types of XSS issue. Reflected XSS occurs when data is read directly from HTTP requests and reflected back; stored XSS is described as when malicious code is stored in a database and read back into an application dynamically, and DOM-Based XSS compromise can take place when a DOM environment is tampered with through a client-side script.
In successful XSS-based attacks, threat actors may be able to eavesdrop on communication, conduct phishing and send visitors to malicious domains, and in some cases, drive-by hacking may also be possible on vulnerable machines.
In third, "Improper Input Validation," CWE-20, occurs when software either fails to validate or incorrectly validates input. When this takes place, attackers can craft input to tamper with data flows, potentially leading to hijacked software, elevated levels of control, or code execution.
TechRepublic: DNS amplification attacks increase by 1,000% since 2018
The fourth most common and severe issue impacting software security today is "Information Exposure," marked as CWE-200. This broad term encapsulates software flaws which lead to the leak of sensitive information related to functionality, products, and environments. Information disclosure can be caused by errors such as PHP scripting problems and cryptography timing errors.
The fifth most prevalent issue is CWE-125, or out-of-bounds read. If software has coding errors which permit the system to read either past the end or before the beginning of a buffer, this can be exploited for the purposes of information leaks and crashes.
Also featured on MITRE's Top 25 list are errors including SQL injections, cross-site request forgery (CSRF), use-after-free flaws, improper authentication problems, and incorrect permission assignments.
The full MITRE Top 25 list is below.
Previous and related coverage
- Skidmap malware buries into the kernel to hide illicit cryptocurrency mining
- Cyberattackers now pose as business executives to secure security certificates
- If you are a Restaurant Depot customer, don't open that phishing email
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0