MITRE reveals 25 most dangerous software weaknesses
MITRE has published its list of the 25 most dangerous software weaknesses of the last two years, scoring each weakness by how often it turns up as the root cause of reported vulnerabilities and how severe those vulnerabilities are. A weakness in this sense is a category of flaw (a Common Weakness Enumeration, or CWE, entry) rather than an individual vulnerability (a CVE): the faults, bugs and errors that repeatedly let attackers compromise software systems.
According to MITRE, out-of-bounds write (CWE-787) is the most significant weakness on the list. It occurs when software writes data outside the bounds of the memory buffer it intended to write to; depending on what gets overwritten, that can corrupt data, crash the program, or let an attacker hijack control flow and run code of their choosing on the victim's machine. The next most significant weaknesses are cross-site scripting (XSS), SQL injection, and use after free.
In rank order, the weaknesses are:

1. Out-of-bounds write (CWE-787)
2. Cross-site scripting (CWE-79)
3. SQL injection (CWE-89)
4. Use after free (CWE-416)
5. OS command injection (CWE-78)
6. Improper input validation (CWE-20)
7. Out-of-bounds read (CWE-125)
8. Path traversal (CWE-22)
9. Cross-site request forgery, CSRF (CWE-352)
10. Unrestricted upload of file with dangerous type (CWE-434)
11. Missing authorization (CWE-862)
12. NULL pointer dereference (CWE-476)
13. Improper authentication (CWE-287)
14. Integer overflow or wraparound (CWE-190)
15. Deserialization of untrusted data (CWE-502)
16. Improper neutralization of special elements used in a command (CWE-77)
17. Improper restriction of operations within the bounds of a memory buffer (CWE-119)
18. Use of hard-coded credentials (CWE-798)
19. Server-side request forgery, SSRF (CWE-918)
20. Missing authentication for critical function (CWE-306)
21. Concurrent execution using shared resource with improper synchronization, i.e. race condition (CWE-362)
22. Improper privilege management (CWE-269)
23. Improper control of generation of code, i.e. code injection (CWE-94)
24. Incorrect authorization (CWE-863)
25. Incorrect default permissions (CWE-276)
The ranking is based on 43,996 CVE records from the National Vulnerability Database (NVD), which is maintained by the National Institute of Standards and Technology (NIST), covering vulnerabilities found and reported in 2021 and 2022. MITRE also examined the CVE entries listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
MITRE said it measured how often each CWE entry was the root cause of a vulnerability, together with the average severity of those vulnerabilities when exploited, taken from their CVSS scores. By normalising both the frequency and the severity figures against the lowest and highest values in the dataset, MITRE said, it produced an objective rank order of the weaknesses. A weakness therefore ranks high only when it is both common and severe: a very frequent but low-severity flaw, or a rare but critical one, is pulled down by the other factor.
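The scoring described above, re-implemented as an added example; this is not MITRE's own tooling and not code from the original article. It runs over a small constructed set of CVE records rather than the NVD feed. The final multiplication by 100 and the exclusion of NVD's placeholder categories (NVD-CWE-noinfo, NVD-CWE-Other) follow MITRE's published methodology as understood here; the handling of a dataset in which every CWE shares the same value is an assumption made for this example.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample of (cve_id, cwe_id, cvss_base_score) tuples. These are
# made-up records for illustration, not entries from the NVD.
SAMPLE_CVES = [
    ("CVE-0000-0001", "CWE-787", 9.8),
    ("CVE-0000-0002", "CWE-787", 8.8),
    ("CVE-0000-0003", "CWE-787", 7.5),
    ("CVE-0000-0004", "CWE-79", 6.1),
    ("CVE-0000-0005", "CWE-79", 5.4),
    ("CVE-0000-0006", "CWE-79", 6.1),
    ("CVE-0000-0007", "CWE-79", 6.1),
    ("CVE-0000-0008", "CWE-89", 9.8),
    ("CVE-0000-0009", "CWE-89", 8.8),
    ("CVE-0000-0010", "CWE-476", 5.5),
    ("CVE-0000-0011", "NVD-CWE-noinfo", 9.8),  # no root-cause CWE assigned
]

# NVD placeholder categories that carry no root-cause information. They are
# dropped before scoring, as MITRE's methodology does.
UNSCORED = {"NVD-CWE-noinfo", "NVD-CWE-Other"}


def normalize(value, lo, hi):
    """Min-max normalize value into [0, 1] against the dataset's extremes.

    If every CWE shares the same value there is nothing to rank on; treating
    that as 1.0 (no penalty) is an assumption made here, not MITRE's rule.
    """
    if hi == lo:
        return 1.0
    return (value - lo) / (hi - lo)


def score_cwes(records):
    """Return {cwe_id: score} using the frequency-times-severity method.

    Fr(cwe): how often the CWE is the root cause, normalized across CWEs.
    Sv(cwe): mean CVSS base score of those CVEs, normalized across CWEs.
    score  : Fr * Sv * 100, so a CWE that is both common and severe wins.
    """
    cvss_by_cwe = defaultdict(list)
    for _cve_id, cwe_id, cvss in records:
        if cwe_id in UNSCORED:
            continue
        cvss_by_cwe[cwe_id].append(cvss)
    if not cvss_by_cwe:
        return {}

    frequency = {cwe: len(scores) for cwe, scores in cvss_by_cwe.items()}
    severity = {cwe: mean(scores) for cwe, scores in cvss_by_cwe.items()}

    fr_lo, fr_hi = min(frequency.values()), max(frequency.values())
    sv_lo, sv_hi = min(severity.values()), max(severity.values())

    return {
        cwe: normalize(frequency[cwe], fr_lo, fr_hi)
        * normalize(severity[cwe], sv_lo, sv_hi)
        * 100
        for cwe in cvss_by_cwe
    }


def rank_cwes(records):
    """Sorted [(cwe_id, score), ...], highest score first."""
    scores = score_cwes(records)
    return sorted(scores.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for position, (cwe_id, score) in enumerate(rank_cwes(SAMPLE_CVES), start=1):
        print(f"{position:2d}. {cwe_id:<8} {score:6.2f}")
```

In the constructed sample, CWE-79 has the most records but ranks third: its mean CVSS (5.9) sits near the dataset minimum, so its normalised severity is close to zero. CWE-89, with only two records, outranks it on severity alone, and CWE-476, which is both the rarest and the least severe, scores exactly zero. That is the property to keep in mind when reading the real Top 25: a position reflects the product of frequency and severity, not either on its own.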
Left unfixed, these weaknesses jeopardize the security of any system on which the affected software is installed and running: malicious actors exploit them as an entry point to gain unauthorized control over devices, access sensitive data, or trigger disruptive denial-of-service incidents.
The sources for this piece include an article in BleepingComputer.