The MITRE Common Weakness Enumeration (CWE) team’s latest list of most dangerous software flaws includes several that shot up in significance since 2020.
Memory corruption errors remain one of the most common and dangerous weaknesses in modern software.
The MITRE-operated Homeland Security Systems Engineering and Development Institute put the issue at the top of its latest list of the 25 most dangerous software weaknesses, based on an analysis of Common Vulnerabilities and Exposures (CVE) data and the severity scores associated with each CVE.
The MITRE Common Weakness Enumeration (CWE) team counted a total of 3,033 identified security bugs associated with “out-of-bounds write” (a type of memory corruption issue) in the National Vulnerability Database (NVD) over the past two years. The vulnerabilities had an average severity score of 8.22 on a scale of 10, meaning most were considered serious to critical. Among other things, out-of-bounds write errors can crash systems, enable code execution, and cause data corruption.
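To make the top-ranked weakness concrete, here is an added C example (not from the article or from MITRE) showing a constructed length-prefixed record parser with a classic out-of-bounds write beside a bounds-checked version. The record layout, struct, and function names are all assumptions made for this illustration; the unsafe function is shown only for contrast.

```c
/* Added example: CWE-787 out-of-bounds write in a constructed parser.
 * Constructed record layout: [len: 1 byte][name: len bytes]            */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAME_CAP 16

struct user_record {
    char name[NAME_CAP];   /* fixed-size destination buffer */
    uint8_t flags;         /* adjacent field: an overflow of name[] corrupts it */
};

/* Vulnerable: trusts the length byte taken from the input. Any len >= NAME_CAP
 * writes past name[] into flags and whatever follows (data corruption, crash,
 * or worse, as the article notes). Shown for contrast; never call on untrusted
 * input. */
void parse_name_unsafe(struct user_record *rec, const uint8_t *msg, size_t msg_len)
{
    uint8_t len = msg[0];
    (void)msg_len;                   /* the real input size is ignored too */
    memcpy(rec->name, msg + 1, len); /* out-of-bounds write when len >= NAME_CAP */
    rec->name[len] = '\0';
}

/* Hardened: checks the declared length against the destination capacity
 * (leaving room for the terminator) and against the bytes actually present,
 * so a truncated record is rejected instead of read past its end.
 * Returns 0 on success, -1 when the record is rejected. */
int parse_name_safe(struct user_record *rec, const uint8_t *msg, size_t msg_len)
{
    if (rec == NULL || msg == NULL || msg_len < 1)
        return -1;                   /* no length byte to read */
    size_t len = msg[0];
    if (len >= NAME_CAP)
        return -1;                   /* would not fit with the '\0' terminator */
    if (len > msg_len - 1)
        return -1;                   /* declared length exceeds available input */
    memcpy(rec->name, msg + 1, len);
    rec->name[len] = '\0';
    return 0;
}
```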
Cross-site scripting errors (Improper Neutralization of Input During Web Page Generation), last year’s top-ranking issue, placed second in MITRE’s new 2021 CWE Top 25 Most Dangerous Software Weaknesses list, released Wednesday. Cross-site scripting flaws allow attackers to steal session and cookie information, send malicious requests to a website, exploit browser vulnerabilities, and carry out other malicious actions. In terms of raw numbers, there were more cross-site scripting vulnerabilities in the NVD (3,564) than out-of-bounds write vulnerabilities, but they ranked lower because their average severity score was significantly lower (5.80).
Rounding out the top five most prevalent and severe software weaknesses in MITRE’s top 25 list are out-of-bounds read errors, which allow attackers to read sensitive data from memory locations they should not be able to access; improper input validation errors, which can cause software to crash or consume excessive resources; and OS command injection, which allows attackers to execute malicious commands on the underlying operating system.
The MITRE top 25 list is designed to provide software developers, users, and testers insight into some of the most dangerous and prevalent weaknesses that result in exploitable vulnerabilities.
MITRE said the ranking in its latest CWE list highlights more base-level, or specific, weaknesses rather than the higher-level, so-called class-level flaws that dominated earlier lists. As examples, it pointed to the upward movement within the top 25 of weaknesses such as OS command injection, missing authentication for critical function, deserialization of untrusted data, and incorrect default permissions. OS command injection rose to fifth in this year’s list from 10th last year. Missing authentication for critical function moved up 13 spots to 11th, deserialization of untrusted data moved up eight spots to 13th, and incorrect default permissions jumped 22 spots to 19th.
Overall, the number of base-level CWEs increased from 60% of all CWEs in the top 25 list last year to 71% this year, MITRE says.
Johannes Ullrich, dean of research for the SANS Technology Institute, says the software weaknesses in the MITRE list reflect some of the issues that are cropping up as organizations move to more distributed cloud-based apps built around application programming interfaces (APIs).
List Reflects Broad Trend to Distributed App Environments
In fact, three of the vulnerabilities that showed the most upward movement from the last top 25 list are all directly related to environments where large, monolithic applications have been replaced by microservices tied together by different APIs, he says.
Bugs related to “missing authentication for critical function,” for example, result when an improperly protected internal function is exposed via an API to support a decentralized application, Ullrich notes. Similarly, “incorrect default permissions” issues mostly affect things like open S3 buckets, Azure Blob Storage, and open NoSQL databases, which also are components used in new distributed applications. And insecure deserialization vulnerabilities can crop up when distributed applications use objects to communicate and the objects are deserialized in an insecure manner, he says.
“Speed of software development is often pushing back security,” Ullrich says.
Though tools such as application gateways and authentication services are available to protect distributed application environments, developers don’t often understand or use these technologies, he says.
“Applications are [being] developed before developers have time to fully understand and experiment with these new technologies,” Ullrich adds.
Gary McGraw, noted software security expert and co-founder of the Berryville Institute of Machine Learning, says that while lists of common weaknesses like MITRE’s are viewed as useful, software development groups are better off paying attention to the specific issues in their own environments.
“It is very disappointing that we are something like 25 years into software security and application security, and we still feel the need to use top 25 lists to get awareness where it needs to be,” he says.
The biggest problem with generalized lists is that they provide little insight into conditions that might exist within specific development environments, McGraw argues. Organizations that make assumptions about the security of their development environments solely on the basis of such lists could end up arriving at the wrong conclusions. For example, while SQL injection errors often are among the most common vulnerabilities, they are not present in an environment where there is no database. So looking for these flaws merely because they are included in OWASP’s top 10 is pointless, McGraw says.
The better effort for organizations would be to use automated tools to identify weaknesses that are specific to their environments. What matters is that each organization has a top 10 or top 25 list of their own weaknesses and vulnerabilities, McGraw says.