Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

9/17/2019
05:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

MITRE Releases 2019 List of Top 25 Software Weaknesses

The list includes the most frequent and critical weaknesses that can lead to serious software vulnerabilities.

MITRE today published a draft of the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors, a list of the most widespread and critical weaknesses that could lead to severe software vulnerabilities, as the organization explained a release on the news.

Attackers can often exploit these vulnerabilities to assume control over an affected system, steal sensitive data, or cause a denial-of-service condition, the Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory on the list. Users and admins are encouraged to review both the list and recommended mitigations that MITRE advises them to implement. 

The Top 25 is a community resource for software developers, testers, customers, project managers, security researchers, and educators exploring common threats in software. This year, the team took a new approach to generating the list. The methodology involved pulling CVE-related data from within the US National Vulnerability Database (NVD) and accounting for frequency and average Common Vulnerability Scoring System (CVSS) score to determine rank. A scoring formula was used to assess the level of frequency and danger each weakness presents.

This list historically has been compiled by gathering survey responses from a broad group of organizations and by collecting feedback from security analysts, researchers, and developers. Industry pros were asked to nominate weaknesses they considered to be the most widespread or important; a customized part of the CVSS was used to decide on the ranking of each weakness.

"There were a number of positives in this approach, but it was also labor-intensive and subjective," MITRE says. The 2019 list involves a more rigorous and statistical process; instead, it leverages data about reported vulnerabilities to gauge the dangerousness of each weakness.

"We wanted to go with a methodology that was more objective and based on what we're seeing in the real world," says Drew Buttner, MITRE software assurance lead. The 2019 Top 25 includes flaws from 2017 and 2018 and reflects efforts by the CWE team to correct several thousand mismapped CVE entries. MITRE plans to evaluate mappings throughout the coming year for its upcoming 2020 list. This year's Top 25 is the first release of the list since 2011, Buttner points out, but MITRE's goal going forward is to release a new list for each year.

2019's Top Weaknesses
There were no surprises in this year's Top 25, agree Buttner and Chris Levendis, MITRE CWE project leader. "A lot of the top weaknesses continue to be in the list, and we continue to see them even as 10 years have passed," Buttner notes. While weaknesses toward the end of the list have fallen out in favor of new ones, the top weaknesses generally remain the same.

The highest-ranking weakness, with a score of 75.56, is CWE-119, buffer overflow or "Improper Restriction of Operations within the Bounds of a Memory Buffer." Some languages allow direct addressing of memory locations and don't automatically ensure locations are valid for the memory buffer being referenced. This can cause read or write operations to be performed on memory locations linked to data structures or internal program data. An attacker could execute malicious code, change the control flow, read sensitive data, or crash the system.

Buttner and Levendis anticipated buffer overflow would be near top of the list, as it was also near the top in 2011 and it's a well-known weakness throughout the industry.

Next-highest is CWE-79, "Improper Neutralization of Input During Web Page Generation" or cross-site scripting, with a score of 45.69. Software doesn't neutralize, or incorrectly neutralizes, user-controllable input before it's placed in output later used as a web page served to other users. Untrusted data may enter a web app and ultimately execute malicious script.

Number three is CWE-20, or Improper Input Validation, which exists when software doesn't validate or improperly validates input that can affect a program's control flow or data flow. An attacker can write input not expected by the application. This can lead to parts of the system receiving unexpected input, which may cause arbitrary code execution or altered control flow.

Software users can use the Top 25 list to gauge the security practices of the companies they're buying software from before they invest, Levendis says. Those using open source can better learn whether developers are paying attention to those weaknesses, and developers can use the list as a "priority cheat sheet" consisting of weaknesses they should be keeping an eye on.

He adds: "At the most fundamental level, that's what you can use the weaknesses for if you're a consumer of software."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "How a PIA Can CYA."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
9/19/2019 | 12:12:47 PM
Interesting topics - what are we doing about it
RankIDNameScore
[1] CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer 75.56
[2] CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 45.69
[3] CWE-20 Improper Input Validation 43.61
  1. CWE-119 - improved coding practices, Mitre has already provided the solution by limiting the size of the input and reducing what characters they can enter, nice
  2. char * copy_input(char *user_supplied_string){
    int i, dst_index;
    char *dst_buf = (char*)malloc(4*sizeof(char) * MAX_SIZE);
    if ( MAX_SIZE <= strlen(user_supplied_string) ){
    die("user string too long, die evil hacker!"); }
    

  1. CWE-79 - Interesting, there are a number of applications that are using tokens or keys to invalidate this take, for example, kubernetes/docker is giving users the ability to create aspects of micro-segmentation where the application is not allowed to make changes to the application because it is an image and if there are issues associated with the data entered, there should be an exception rule (C/C++) or try (python) to handle errors in the data field
  2. https://www.tutorialspoint.com/python/python_exceptions.htm - Python has a number of error handling concepts to address most if not all of the items mentioned in this section

 
  1. CWE-20 - The same checks can apply from the CWE-79 rule (exception handling)

This seems to come down to creating the following:

  • Improve programming practice and considerations (error checking and validation)
  • Require the programmers to take ongoing educational programming classes
  • Create a Q/A team that reviews code where they provide a repository like Github (validated and tested)
  • Create an automated test environment where the solution is regression tested against various attack scenarios

We just need to keep improving and challenging the status quo.


Todd
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18216
PUBLISHED: 2019-10-20
** DISPUTED ** The BIOS configuration design on ASUS ROG Zephyrus M GM501GS laptops with BIOS 313 relies on the main battery instead of using a CMOS battery, which reduces the value of a protection mechanism in which booting from a USB device is prohibited. Attackers who have physical laptop access ...
CVE-2019-18214
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.