Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

9/17/2019
05:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

MITRE Releases 2019 List of Top 25 Software Weaknesses

The list includes the most frequent and critical weaknesses that can lead to serious software vulnerabilities.

MITRE today published a draft of the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors, a list of the most widespread and critical weaknesses that could lead to severe software vulnerabilities, as the organization explained a release on the news.

Attackers can often exploit these vulnerabilities to assume control over an affected system, steal sensitive data, or cause a denial-of-service condition, the Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory on the list. Users and admins are encouraged to review both the list and recommended mitigations that MITRE advises them to implement. 

The Top 25 is a community resource for software developers, testers, customers, project managers, security researchers, and educators exploring common threats in software. This year, the team took a new approach to generating the list. The methodology involved pulling CVE-related data from within the US National Vulnerability Database (NVD) and accounting for frequency and average Common Vulnerability Scoring System (CVSS) score to determine rank. A scoring formula was used to assess the level of frequency and danger each weakness presents.

This list historically has been compiled by gathering survey responses from a broad group of organizations and by collecting feedback from security analysts, researchers, and developers. Industry pros were asked to nominate weaknesses they considered to be the most widespread or important; a customized part of the CVSS was used to decide on the ranking of each weakness.

"There were a number of positives in this approach, but it was also labor-intensive and subjective," MITRE says. The 2019 list involves a more rigorous and statistical process; instead, it leverages data about reported vulnerabilities to gauge the dangerousness of each weakness.

"We wanted to go with a methodology that was more objective and based on what we're seeing in the real world," says Drew Buttner, MITRE software assurance lead. The 2019 Top 25 includes flaws from 2017 and 2018 and reflects efforts by the CWE team to correct several thousand mismapped CVE entries. MITRE plans to evaluate mappings throughout the coming year for its upcoming 2020 list. This year's Top 25 is the first release of the list since 2011, Buttner points out, but MITRE's goal going forward is to release a new list for each year.

2019's Top Weaknesses
There were no surprises in this year's Top 25, agree Buttner and Chris Levendis, MITRE CWE project leader. "A lot of the top weaknesses continue to be in the list, and we continue to see them even as 10 years have passed," Buttner notes. While weaknesses toward the end of the list have fallen out in favor of new ones, the top weaknesses generally remain the same.

The highest-ranking weakness, with a score of 75.56, is CWE-119, buffer overflow or "Improper Restriction of Operations within the Bounds of a Memory Buffer." Some languages allow direct addressing of memory locations and don't automatically ensure locations are valid for the memory buffer being referenced. This can cause read or write operations to be performed on memory locations linked to data structures or internal program data. An attacker could execute malicious code, change the control flow, read sensitive data, or crash the system.

Buttner and Levendis anticipated buffer overflow would be near top of the list, as it was also near the top in 2011 and it's a well-known weakness throughout the industry.

Next-highest is CWE-79, "Improper Neutralization of Input During Web Page Generation" or cross-site scripting, with a score of 45.69. Software doesn't neutralize, or incorrectly neutralizes, user-controllable input before it's placed in output later used as a web page served to other users. Untrusted data may enter a web app and ultimately execute malicious script.

Number three is CWE-20, or Improper Input Validation, which exists when software doesn't validate or improperly validates input that can affect a program's control flow or data flow. An attacker can write input not expected by the application. This can lead to parts of the system receiving unexpected input, which may cause arbitrary code execution or altered control flow.

Software users can use the Top 25 list to gauge the security practices of the companies they're buying software from before they invest, Levendis says. Those using open source can better learn whether developers are paying attention to those weaknesses, and developers can use the list as a "priority cheat sheet" consisting of weaknesses they should be keeping an eye on.

He adds: "At the most fundamental level, that's what you can use the weaknesses for if you're a consumer of software."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "How a PIA Can CYA."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3035
PUBLISHED: 2021-04-20
An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.26. Checkov 1.0 versions are not impacted.
CVE-2021-3036
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where secrets in PAN-OS XML API requests are logged in cleartext to the web server logs when the API is used incorrectly. This vulnerability applies only to PAN-OS appliances that are configured to us...
CVE-2021-3037
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where the connection details for a scheduled configuration export are logged in system logs. Logged information includes the cleartext username, password, and IP address used to export the PAN-OS conf...
CVE-2021-3038
PUBLISHED: 2021-04-20
A denial-of-service (DoS) vulnerability in Palo Alto Networks GlobalProtect app on Windows systems allows a limited Windows user to send specifically-crafted input to the GlobalProtect app that results in a Windows blue screen of death (BSOD) error. This issue impacts: GlobalProtect app 5.1 versions...
CVE-2021-3506
PUBLISHED: 2021-04-19
An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The hi...