MITRE today shared this year’s list of the top 25 most dangerous weaknesses that have plagued software over the previous two years.

Software weaknesses encompass a wide range of issues, including flaws, bugs, vulnerabilities, and errors in the code, architecture, implementation, or design of software solutions.

Weaknesses may endanger the security of the systems on which the software is installed and running. They can provide an entry point for malicious actors attempting to take control of affected devices, access sensitive data, or trigger denial of service states.

“These weaknesses lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or cause applications to stop working,” CISA warned today.

To create this list, MITRE scored each weakness based on its severity and prevalence after analyzing 43,996 CVE entries from NIST’s National Vulnerability Database (NVD) for vulnerabilities discovered and reported in 2021 and 2022, with a focus on CVE records added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

“After the collection, scoping, and remapping process, a scoring formula was used to calculate a weakness ranking order that combines frequency (the number of times a CWE is the root cause of a vulnerability), with the average severity of each of these vulnerabilities when exploited (measured by CVSS score),” MITRE said.

“In both cases, frequency and severity are normalized to the minimum and maximum values observed in the data set.”
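The scoring described in the two quotes above, worked through on a constructed set of CVE records. This is an added illustration, not MITRE’s code; the article only says the two normalized terms are "combined", so multiplying them and scaling to 100 is an assumption taken from MITRE’s published Top 25 methodology. It also shows a side effect of min/max normalization: the least-frequent CWE scores zero no matter how severe its CVEs are.

```python
from collections import defaultdict

# Constructed sample records: (CVE id, root-cause CWE, CVSS base score).
# Made-up values for illustration only, not NVD data.
SAMPLE_CVES = [
    ("CVE-0000-0001", "CWE-787", 9.8),
    ("CVE-0000-0002", "CWE-787", 8.8),
    ("CVE-0000-0003", "CWE-787", 7.5),
    ("CVE-0000-0004", "CWE-79", 6.1),
    ("CVE-0000-0005", "CWE-79", 5.4),
    ("CVE-0000-0006", "CWE-89", 9.8),
    ("CVE-0000-0007", "CWE-862", 4.3),
]


def normalize(value, lo, hi):
    """Scale value to [0, 1] against the min/max observed in the data set."""
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def score_cwes(cves):
    """Return {cwe: score} from normalized frequency and normalized average CVSS.

    Assumption (from MITRE's published methodology, not stated in the article):
    score = Fr(CWE) * Sv(CWE) * 100, where Fr and Sv are the two normalized terms.
    """
    counts = defaultdict(int)       # frequency: how often a CWE is the root cause
    cvss_sum = defaultdict(float)   # running total of CVSS per CWE, for the average
    for _cve_id, cwe, cvss in cves:
        counts[cwe] += 1
        cvss_sum[cwe] += cvss
    avg_sev = {cwe: cvss_sum[cwe] / counts[cwe] for cwe in counts}
    f_lo, f_hi = min(counts.values()), max(counts.values())
    s_lo, s_hi = min(avg_sev.values()), max(avg_sev.values())
    return {
        cwe: round(normalize(counts[cwe], f_lo, f_hi)
                   * normalize(avg_sev[cwe], s_lo, s_hi) * 100, 2)
        for cwe in counts
    }


def rank_cwes(cves):
    """Ranking order: highest score first, CWE id as a stable tie-breaker."""
    return sorted(score_cwes(cves).items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for rank, (cwe, score) in enumerate(rank_cwes(SAMPLE_CVES), start=1):
        print(f"{rank:>2}  {cwe:<8} {score:>6.2f}")
```

Note that CWE-89 lands at 0.00 despite a 9.8 CVSS because it is tied for the lowest frequency; the real list’s KEV column is a separate count, not part of the score.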

The MITRE 2023 Top 25 weaknesses are dangerous due to their significant impact and widespread occurrence in software released in the past two years.

Successful exploitation can allow attackers to take full control of targeted systems, harvest and exfiltrate sensitive data, or trigger a denial of service (DoS).

By sharing this list, MITRE is providing the wider community with valuable information regarding the most critical software security weaknesses that require immediate attention.

| Rank | ID | Name | Score | CVEs in KEV | Rank change |
|---|---|---|---|---|---|
| 1 | CWE-787 | Out-of-bounds Write | 63.72 | 70 | 0 |
| 2 | CWE-79 | Improper Neutralization of Input During Web Page Generation (“Cross-site Scripting”) | 45.54 | 4 | 0 |
| 3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (“SQL Injection”) | 34.27 | 6 | 0 |
| 4 | CWE-416 | Use After Free | 16.71 | 44 | +3 |
| 5 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (“OS Command Injection”) | 15.65 | 23 | +1 |
| 6 | CWE-20 | Improper Input Validation | 15.50 | 35 | -2 |
| 7 | CWE-125 | Out-of-bounds Read | 14.60 | 2 | -2 |
| 8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) | 14.11 | 16 | 0 |
| 9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.73 | 0 | 0 |
| 10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 10.41 | 5 | 0 |
| 11 | CWE-862 | Missing Authorization | 6.90 | 0 | +5 |
| 12 | CWE-476 | NULL Pointer Dereference | 6.59 | 0 | -1 |
| 13 | CWE-287 | Improper Authentication | 6.39 | 10 | +1 |
| 14 | CWE-190 | Integer Overflow or Wraparound | 5.89 | 4 | -1 |
| 15 | CWE-502 | Deserialization of Untrusted Data | 5.56 | 14 | -3 |
| 16 | CWE-77 | Improper Neutralization of Special Elements used in a Command (“Command Injection”) | 4.95 | 4 | +1 |
| 17 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 4.75 | 7 | +2 |
| 18 | CWE-798 | Use of Hard-coded Credentials | 4.57 | 2 | -3 |
| 19 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.56 | 16 | +2 |
| 20 | CWE-306 | Missing Authentication for Critical Function | 3.78 | 8 | -2 |
| 21 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization (“Race Condition”) | 3.53 | 8 | +1 |
| 22 | CWE-269 | Improper Privilege Management | 3.31 | 5 | +7 |
| 23 | CWE-94 | Improper Control of Generation of Code (“Code Injection”) | 3.30 | 6 | +2 |
| 24 | CWE-863 | Incorrect Authorization | 3.16 | 0 | +4 |
| 25 | CWE-276 | Incorrect Default Permissions | 3.16 | 0 | -5 |

Warnings about software and hardware bugs

In a joint effort involving cybersecurity authorities around the world, including the NSA and the FBI, a compilation of the top 15 vulnerabilities routinely exploited in attacks throughout 2021 was released in April 2022.

Additionally, a list of bugs commonly exploited in 2020 was disclosed by CISA and the FBI together with the Australian Cyber Security Centre (ACSC) and the UK’s National Cyber Security Centre (NCSC).

CISA and the FBI also shared a catalog featuring the Top 10 most exploited security vulnerabilities between 2016 and 2019.

Finally, MITRE also maintains a list of the most dangerous programming, design, and architecture security flaws affecting hardware systems.

“CISA encourages developers and product security response teams to review the Top 25 CWEs and evaluate the recommended mitigations to determine which are best suited to adopt,” CISA added today.

“Over the coming weeks, the CWE program will release a series of additional articles on the CWE Top 25 methodology, vulnerability mapping trends, and other useful information that helps illustrate how vulnerability management plays an important role in changing the balance of cybersecurity risk.”
