There’s no shortage of software vulnerabilities developers have to watch out for, and the best practice is to measure and face the most serious ones each organization’s team faces.
Many pros use the CWE (Common Weakness Enumeration) Top 25 Most Dangerous Software Errors list as a guide. Recently the list was updated for the first time in eight years, using a new a data-driven approach based on real-world vulnerabilities reported by security researchers. The original list was more subjective, compiled using interviews.
“These weaknesses are often easy to find and exploit,” the authors of the list note. “They are dangerous because they will frequently allow adversaries to completely take over execution of software, steal data, or prevent the software from working. The CWE Top 25 is a community resource that can be used by software developers, software testers, software customers, software project managers, security researchers, and educators to provide insight into some of the most prevalent security threats in the software industry.”
The new ranking system is based on a formula that accounted for the prevalence and severity of issues. Weaknesses that are both common and can cause significant harm received a high score, while issues that are rarely exploited or have a low impact were filtered out.
Top of the list
The top vulnerability is “Improper Restriction of Operations within the Bounds of a Memory Buffer,” (CWE-119), which is a long way of saying the software is allowed to read from or write to a memory location that is outside of the intended boundary of the buffer. As a result an attacker may be able to execute arbitrary code, alter the intended control flow, read sensitive information, or cause the system to crash. It scored 75.56 on the list
The previous number one vulnerability was SQL Injection, which now is sixth on the list with a score of 24.54.
Second on the list is cross-site scripting, followed by improper input validation, information exposure and out-of-bounds read.
As Bleeping Computer notes in an analysis, the new method of compiling the list shows how competing priorities were balanced. Cross-site scripting ranks high despite having a low severity average score because the high likelihood of exploitation could enable an attacker to run unauthorized code or commands and its prevalence in reports. SQL Injection is ranked lower, even though it has the highest average severity and has a high probability to be exploited and impact because it can compromise databases with sensitive data.
Any ranking system has a degree of subjectivity, so developers would be wise to at least keep an eye on the top 10 on the list.
The list was compiled by MITRE, a non-for-profit that operates U.S. government-funded research centres.
‘Serious but hard to exploit’
“The updated list from MITRE is interesting,” Craig Young, computer security researcher for Tripwire said in an email, “but as is typical with these kinds of ‘most dangerous’ lists, there is a lot of contextual information which needs to be considered to really get a sense of the true risk of a given vulnerability. For example, the top weakness category is undoubtedly serious, but also typically very difficult to exploit due to protections within modern operating systems and compilers. Most attackers simply do not have the capability to develop such exploits and many sources have reported that only a small portion of these bugs actually see exploitation. Some of the items towards the end of the list, however, are in fact readily employed by even low-skilled attackers. With each new command injection or deserialization vulnerability, we typically see a wave of exploitation to install things like mining malware or ransomware which is not observed in response to repeated memory safety bugs.
“CWE-119 which describes certain conditions leading to memory corruption sits atop the list with a score of 75, while things like hard-coded credentials, XXE, and deserialization of untrusted data are way at the bottom with single-digit scores. While it is absolutely true that memory corruption bugs are very prevalent, there is a large barrier between knowing about a buffer overflow and crafting a reliable exploit to achieve code execution in a modern operating system. Hard-coded credentials and deserialization attacks, however, can be successfully sprayed across various product versions with little payload variations lending themselves to the kinds of mining malware and ransomware attacks which have become so prevalent. Even OS command injection only scores a measly 11.47 which is 30 points below even cross-site scripting.
“Ask any hacker and I’m sure they’ll tell you, choosing between a command injection and a memory corruption bug where both happen in the same privilege level is no choice at all. Attackers will pick the command injection every time.
“The place where this is most evident is in IoT where several botnets (e.g. Mirai, IoT Reaver, etc.) have been massively successful at compromising hosts through hard-coded credentials and command injection vulnerabilities. Many of the devices also have known buffer overflow flaws, but I cannot recall a single example of an IoT widely propagating by exploiting such a bug.”