MITRE releases new list of top 25 most dangerous software bugs


MITRE shared today this year’s list of the top 25 most dangerous weaknesses plaguing software during the previous two years.

Software weaknesses encompass a wide range of issues, including flaws, bugs, vulnerabilities, and errors in software solutions’ code, architecture, implementation, or design.

Weaknesses can endanger the security of the systems on which the software is installed and running. They can provide an entry point for malicious actors attempting to gain control over affected devices, access sensitive data, or trigger denial-of-service states.

“These weaknesses lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or prevent applications from working,” CISA warned today.

To create this list, MITRE scored each weakness based on its severity and prevalence after analyzing 43,996 CVE entries from NIST’s National Vulnerability Database (NVD) for vulnerabilities discovered and reported across 2021 and 2022, and a focus on CVE records added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

“After the collection, scoping, and remapping process, a scoring formula was used to calculate a rank order of weaknesses that combines the frequency (the number of times that a CWE is the root cause of a vulnerability), with the average severity of each of those vulnerabilities when they are exploited (as measured by the CVSS score),” MITRE said.

“In both cases, the frequency and severity are normalized relative to the minimum and maximum values observed in the dataset.”

MITRE’s 2023 top 25 weaknesses are dangerous due to their significant impact and widespread occurrence in software released over the past two years.

Successful exploitation can allow attackers to take complete control of targeted systems, harvest and exfiltrate sensitive data, or trigger a denial-of-service (DoS).

By sharing this list, MITRE provides the broader community with valuable information regarding the most critical software security weaknesses that require immediate attention.

Rank ID Name Score CVEs in KEV Rank Change
1 CWE-787 Out-of-bounds Write 63.72 70 0
2 CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 45.54 4 0
3 CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 34.27 6 0
4 CWE-416 Use After Free 16.71 44 +3
5 CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) 15.65 23 +1
6 CWE-20 Improper Input Validation 15.50 35 -2
7 CWE-125 Out-of-bounds Read 14.60 2 -2
8 CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 14.11 16 0
9 CWE-352 Cross-Site Request Forgery (CSRF) 11.73 0 0
10 CWE-434 Unrestricted Upload of File with Dangerous Type 10.41 5 0
11 CWE-862 Missing Authorization 6.90 0 +5
12 CWE-476 NULL Pointer Dereference 6.59 0 -1
13 CWE-287 Improper Authentication 6.39 10 +1
14 CWE-190 Integer Overflow or Wraparound 5.89 4 -1
15 CWE-502 Deserialization of Untrusted Data 5.56 14 -3
16 CWE-77 Improper Neutralization of Special Elements used in a Command (‘Command Injection’) 4.95 4 +1
17 CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer 4.75 7 +2
18 CWE-798 Use of Hard-coded Credentials 4.57 2 -3
19 CWE-918 Server-Side Request Forgery (SSRF) 4.56 16 +2
20 CWE-306 Missing Authentication for Critical Function 3.78 8 -2
21 CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) 3.53 8 +1
22 CWE-269 Improper Privilege Management 3.31 5 +7
23 CWE-94 Improper Control of Generation of Code (‘Code Injection’) 3.30 6 +2
24 CWE-863 Incorrect Authorization 3.16 0 +4
25 CWE-276 Incorrect Default Permissions 3.16 0 -5

Warnings regarding software and hardware bugs

In a collaborative effort involving cybersecurity authorities worldwide, a comprehensive compilation of the top 15 vulnerabilities commonly exploited in attacks throughout 2021 was released in April 2022. This joint endeavor involved notable organizations such as the NSA and the FBI.

Furthermore, an inventory of routinely exploited bugs in 2020 was disclosed by CISA and the FBI in conjunction with the Australian Cyber Security Centre (ACSC) and the UK’s National Cyber Security Centre (NCSC).

CISA and the FBI have also shared a catalog featuring the top 10 most frequently exploited security flaws between 2016 to 2019.

Finally, MITRE also offers a list outlining the most dangerous programming, design, and architecture security flaws plaguing hardware systems.

“CISA encourages developers and product security response teams to review the CWE Top 25 and evaluate recommended mitigations to determine those most suitable to adopt,” CISA added today.

“Over the coming weeks, the CWE program will be publishing a series of further articles on the CWE Top 25 methodology, vulnerability mapping trends, and other useful information that help illustrate how vulnerability management plays an important role in Shifting the Balance of Cybersecurity Risk.”



Source link