MITRE today shared a list of the 25 most common and dangerous weaknesses that plagued software during the previous two years.
Software weaknesses can be flaws, bugs, vulnerabilities, and other types of errors found in a software solution's code, architecture, implementation, or design that could expose the systems it's running on to attacks.
To make this list, the American not-for-profit organization scored each weakness based on both severity and prevalence using Common Vulnerabilities and Exposures (CVE) data from 2018 and 2019 from the National Vulnerability Database (NVD) (roughly 27,000 CVEs), including Common Vulnerability Scoring System (CVSS) scores.
"NVD provides this information in a digestible format that helps drive the data-driven approach in creating the 2020 CWE Top 25," MITRE explained.
"This approach provides an objective look at what vulnerabilities are currently seen in the real world, creates a foundation of analytical rigor built on publicly reported vulnerabilities instead of subjective surveys and opinions, and makes the process easily repeatable."
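To make the scoring concrete, here is an added example (not MITRE's code and not from the article) that applies the normalized-frequency times normalized-average-severity formula from MITRE's published CWE Top 25 methodology, which the article summarizes only as "severity and prevalence", to a small constructed set of CVE records; the CVE IDs and scores are made up. It also shows a caveat of the min-max normalization: the least severe (or least frequent) CWE always scores zero, however often it occurs.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample records, NOT real NVD data: (cve_id, cwe_id, cvss_base_score)
SAMPLE_CVES = [
    ("CVE-EXAMPLE-0001", "CWE-79", 6.1),
    ("CVE-EXAMPLE-0002", "CWE-79", 5.4),
    ("CVE-EXAMPLE-0003", "CWE-79", 6.1),
    ("CVE-EXAMPLE-0004", "CWE-79", 4.8),
    ("CVE-EXAMPLE-0005", "CWE-787", 9.8),
    ("CVE-EXAMPLE-0006", "CWE-787", 8.8),
    ("CVE-EXAMPLE-0007", "CWE-787", 7.8),
    ("CVE-EXAMPLE-0008", "CWE-476", 5.5),
    ("CVE-EXAMPLE-0009", "CWE-476", 7.5),
    ("CVE-EXAMPLE-0010", "CWE-798", 9.8),
]


def _norm(x, lo, hi):
    """Min-max normalize x into [0, 1]; a flat range normalizes to 0."""
    return 0.0 if hi == lo else (x - lo) / (hi - lo)


def score_cwes(cves):
    """Return {cwe: (cve_count, avg_cvss, score)}.

    Score = Fr * Sv * 100, where Fr is the CWE's CVE count min-max normalized
    across all CWEs and Sv is its average CVSS base score normalized the same way
    (the formula MITRE publishes for the CWE Top 25; assumed here, not quoted by the article).
    """
    counts = defaultdict(int)
    severities = defaultdict(list)
    for _cve_id, cwe, base in cves:
        counts[cwe] += 1
        severities[cwe].append(base)
    avg = {cwe: mean(v) for cwe, v in severities.items()}
    min_f, max_f = min(counts.values()), max(counts.values())
    min_s, max_s = min(avg.values()), max(avg.values())
    result = {}
    for cwe in counts:
        fr = _norm(counts[cwe], min_f, max_f)   # prevalence term
        sv = _norm(avg[cwe], min_s, max_s)      # severity term
        result[cwe] = (counts[cwe], round(avg[cwe], 2), round(fr * sv * 100, 2))
    return result


def rank(cves):
    """CWE IDs ordered from highest to lowest score (ties keep input order)."""
    scored = score_cwes(cves)
    return sorted(scored, key=lambda cwe: scored[cwe][2], reverse=True)
```

In this constructed sample CWE-79 is the most frequent weakness but has the lowest average severity, so it scores 0.0, and the single highest-severity CWE-798 also scores 0.0 because it is the least frequent.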
Cross-site scripting (XSS) tops the list
The weaknesses listed in MITRE's 2020 CWE Top 25 are dangerous because they are easy to find and exploit, and successful exploitation can let attackers take full control of vulnerable systems, steal sensitive data, or trigger a denial of service (DoS).
The list embedded below is designed to provide insight to the community at large into the most critical and current software security weaknesses.
Rank | ID | Name | Score |
---|---|---|---|
1 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 46.82 |
2 | CWE-787 | Out-of-bounds Write | 46.17 |
3 | CWE-20 | Improper Input Validation | 33.47 |
4 | CWE-125 | Out-of-bounds Read | 26.50 |
5 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 23.73 |
6 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 20.69 |
7 | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 19.16 |
8 | CWE-416 | Use After Free | 18.87 |
9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 17.29 |
10 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 16.44 |
11 | CWE-190 | Integer Overflow or Wraparound | 15.81 |
12 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 13.67 |
13 | CWE-476 | NULL Pointer Dereference | 8.35 |
14 | CWE-287 | Improper Authentication | 8.17 |
15 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 7.38 |
16 | CWE-732 | Incorrect Permission Assignment for Critical Resource | 6.95 |
17 | CWE-94 | Improper Control of Generation of Code ('Code Injection') | 6.53 |
18 | CWE-522 | Insufficiently Protected Credentials | 5.49 |
19 | CWE-611 | Improper Restriction of XML External Entity Reference | 5.33 |
20 | CWE-798 | Use of Hard-coded Credentials | 5.19 |
21 | CWE-502 | Deserialization of Untrusted Data | 4.93 |
22 | CWE-269 | Improper Privilege Management | 4.87 |
23 | CWE-400 | Uncontrolled Resource Consumption | 4.14 |
24 | CWE-306 | Missing Authentication for Critical Function | 3.85 |
25 | CWE-862 | Missing Authorization | 3.77 |
Top 10 most exploited vulnerabilities since 2016
Three months ago, on May 12, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) also issued a list of the top 10 most exploited security vulnerabilities between 2016 and 2019.
Malicious actors have most often exploited bugs in Microsoft’s Object Linking and Embedding (OLE) technology, with the Apache Struts web framework being the second most exploited tech, based on the two government agencies' analysis of cyberattacks since 2016.
"Of the top 10, the three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158," CISA said at the time. "All three of these vulnerabilities are related to Microsoft’s OLE technology."
For instance, Chinese hackers have frequently exploited CVE-2012-0158 starting in December 2018, which shows that targeted organizations failed to patch their systems against this vulnerability, and that threat actors will keep trying to abuse security flaws for as long as they remain unfixed.
CISA also said that in 2020, after the sudden move to remote working caused by the COVID-19 pandemic, attackers have been focusing on taking advantage of hasty deployments of cloud collaboration services like Office 365, as well as on exploiting unpatched Pulse Secure VPN (CVE-2019-11510) and Citrix VPN (CVE-2019-19781) vulnerabilities.
The full list of the top 10 most exploited security flaws since 2016 is embedded below, with direct links to their NVD entries.
CVE | Associated Malware |
---|---|
CVE-2017-11882 | Loki, FormBook, Pony/FAREIT |
CVE-2017-0199 | FINSPY, LATENTBOT, Dridex |
CVE-2017-5638 | JexBoss |
CVE-2012-0158 | Dridex |
CVE-2019-0604 | China Chopper |
CVE-2017-0143 | Multiple using the EternalSynergy and EternalBlue Exploit Kit |
CVE-2018-4878 | DOGCALL |
CVE-2017-8759 | FINSPY, FinFisher, WingBird |
CVE-2015-1641 | Toshliph, Uwarrior |
CVE-2018-7600 | Kitty |