MITRE’s 2023 List Revealed – The Top 25 Most Dangerous Software Weaknesses Unveiled

by | Jun 30, 2023 | News

MITRE Unveils the Top 25 Most Dangerous Software Weaknesses of the Past Two Years

Post Views: 518

Premium Content

Subscribe to Patreon to watch this episode.

Reading Time: 3 Minutes

MITRE Unveils the Top 25 Most Dangerous Software Weaknesses of the Past Two Years

MITRE, has released its highly anticipated annual list of the top 25 most dangerous software weaknesses that have plagued systems over the previous two years.

These weaknesses encompass a broad range of issues, including flaws, bugs, vulnerabilities, and errors in software code, architecture, implementation, or design.

The consequences of these weaknesses can be severe, posing significant threats to the security of systems where the affected software is installed and running. Malicious actors can exploit these vulnerabilities as entry points to gain control over targeted devices, access sensitive data, or disrupt applications through denial-of-service attacks.

CISA (Cybersecurity and Infrastructure Security Agency) has issued a warning emphasizing the gravity of these weaknesses, stating that they can lead to serious vulnerabilities in software, enabling attackers to compromise systems, steal data, or disrupt critical operations.

See Also: So you want to be a hacker?
Offensive Security, Bug Bounty Courses

To compile this list, MITRE assessed the severity and prevalence of each weakness by analyzing 43,996 CVE entries from NIST’s National Vulnerability Database (NVD) for vulnerabilities reported between 2021 and 2022. They also considered CVE records included in CISA’s Known Exploited Vulnerabilities (KEV) catalog.

MITRE employed a scoring formula that factored in the frequency of each weakness as the root cause of vulnerabilities and the average severity of those vulnerabilities when exploited, measured by the CVSS score. Both frequency and severity were normalized relative to the dataset’s minimum and maximum values.

The identified top 25 weaknesses are deemed dangerous due to their significant impact and widespread occurrence in software released over the past two years. Exploiting these weaknesses successfully can grant attackers complete control over targeted systems, facilitate the exfiltration of sensitive data, or trigger denial-of-service incidents.

By sharing this list, MITRE aims to provide the cybersecurity community with vital information about the most critical software security weaknesses that demand immediate attention.

2023 CWE Top 25

Rank	ID	Name	Score	CVEs in KEV	Rank Change vs. 2022
1	CWE-787	Out-of-bounds Write	63.72	70	0
2	CWE-79	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	45.54	4	0
3	CWE-89	Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	34.27	6	0
4	CWE-416	Use After Free	16.71	44	+3
5	CWE-78	Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)	15.65	23	+1
6	CWE-20	Improper Input Validation	15.50	35	-2
7	CWE-125	Out-of-bounds Read	14.60	2	-2
8	CWE-22	Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	14.11	16	0
9	CWE-352	Cross-Site Request Forgery (CSRF)	11.73	0	0
10	CWE-434	Unrestricted Upload of File with Dangerous Type	10.41	5	0
11	CWE-862	Missing Authorization	6.90	0	+5
12	CWE-476	NULL Pointer Dereference	6.59	0	-1
13	CWE-287	Improper Authentication	6.39	10	+1
14	CWE-190	Integer Overflow or Wraparound	5.89	4	-1
15	CWE-502	Deserialization of Untrusted Data	5.56	14	-3
16	CWE-77	Improper Neutralization of Special Elements used in a Command (‘Command Injection’)	4.95	4	+1
17	CWE-119	Improper Restriction of Operations within the Bounds of a Memory Buffer	4.75	7	+2
18	CWE-798	Use of Hard-coded Credentials	4.57	2	-3
19	CWE-918	Server-Side Request Forgery (SSRF)	4.56	16	+2
20	CWE-306	Missing Authentication for Critical Function	3.78	8	-2
21	CWE-362	Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)	3.53	8	+1
22	CWE-269	Improper Privilege Management	3.31	5	+7
23	CWE-94	Improper Control of Generation of Code (‘Code Injection’)	3.30	6	+2
24	CWE-863	Incorrect Authorization	3.16	0	+4
25	CWE-276	Incorrect Default Permissions	3.16	0	-5

Trending: Exploiting LFI Vulnerabilities

Collaborative Efforts and Essential Mitigations

It is important to note that collaborative efforts involving cybersecurity authorities worldwide have previously compiled lists of commonly exploited vulnerabilities in attacks. In April 2022, a comprehensive compilation of the top 15 vulnerabilities exploited throughout 2021 was released, involving notable organizations such as the NSA and the FBI. Additionally, CISA, the FBI, ACSC, and NCSC disclosed an inventory of routinely exploited bugs in 2020. CISA and the FBI have also shared a catalog featuring the top 10 most frequently exploited security flaws between 2016 and 2019.

MITRE also focuses on hardware systems and provides a list of the most dangerous programming, design, and architecture security flaws affecting such systems.

CISA urges developers and product security response teams to review the CWE (Common Weakness Enumeration) Top 25 list and evaluate recommended mitigations to determine the most suitable actions to take. In the coming weeks, the CWE program plans to publish a series of articles delving into the methodology behind the Top 25, vulnerability mapping trends, and other valuable information that highlights the importance of vulnerability management in shifting the balance of cybersecurity risk.

Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?
If you want to express your idea in an article contact us here for a quote: [email protected]

Source: bleepingcomputer.com

Source Link