Jul 21, 2023

The Threat Within: Analyzing MITRE’s list of the Most Dangerous Software Weaknesses


Given the perpetual changes in cybersecurity, staying informed about the most critical software weaknesses is paramount. MITRE recently released its ranking of the Top 25 Most Dangerous Software Weaknesses, which provides valuable insight into the weakness classes that both software developers and security professionals should be taking into account. While we acknowledge MITRE’s expertise and agree with the ranking it presents, additional factors have to be considered to truly understand where risk comes from and to prioritize remediation accordingly.

In this blog, we will share data from Armis Research Labs and shed light on crucial CWEs that demand more attention.

Acknowledging MITRE’s Ranking

MITRE ranked the most dangerous software weaknesses by mapping the root cause of published Common Vulnerabilities and Exposures (CVE) records to CWE entries, then scoring each CWE by the number of CVEs mapped to it and the average Common Vulnerability Scoring System (CVSS) score of those CVEs.

Based on data from the previous two years, MITRE ranked the following as the top three CWEs, each of which consistently demonstrated high risk under those criteria:

  • Out-of-bounds Write (CWE-787): Ranked at the top of the list, this weakness is the root cause of most buffer overflows and can lead to memory corruption and arbitrary code execution. Its prevalence, particularly in code written in memory-unsafe languages such as C and C++, makes it an attractive target for attackers.
  • Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) (CWE-79): Commonly known as XSS, this weakness allows attackers to inject malicious scripts into pages that a web application serves to other users’ browsers. Successful exploitation can lead to session hijacking, defacement, or theft of sensitive information.
  • Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) (CWE-89): SQL Injection lets attackers alter the structure of database queries, potentially bypassing authentication and reading or modifying data they are not authorized to access.
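
As an added example, not code from the original post or from MITRE, the authentication bypass mentioned for CWE-89 above, shown in Python against a constructed in-memory SQLite table: the first login function pastes user input into the SQL text, the second passes it as bound parameters. The table, the user record and the payload are all constructed for the example (plaintext passwords are a simplification; real systems compare password hashes).

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for a real login backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """CWE-89: the input is spliced into the statement text, so it can change
    the statement's structure rather than just the values being compared."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Bound parameters reach the engine separately from the statement, so the
    input is only ever treated as data to compare against."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


# Closes the string literal and comments out the rest of the WHERE clause, so the
# vulnerable statement becomes:  ... WHERE username = 'alice' --' AND password = '...'
BYPASS_USERNAME = "alice' --"


def demo():
    """Run both login paths with the bypass payload and a wrong password."""
    conn = make_db()
    return {
        "vulnerable_bypassed": login_vulnerable(conn, BYPASS_USERNAME, "wrong"),
        "parameterized_bypassed": login_parameterized(conn, BYPASS_USERNAME, "wrong"),
        "parameterized_valid": login_parameterized(conn, "alice", "correct horse battery staple"),
    }


if __name__ == "__main__":
    print(demo())
```

With the bypass payload the vulnerable path logs the attacker in as alice without a password, while the parameterized path simply looks for a user literally named `alice' --` and finds nothing.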

It is important to note that while this ranking helps identify which weakness classes need attention, MITRE’s methodology does not incorporate two metrics that, in our view, are essential for turning the list into action: real-world CVE prevalence across deployed assets and trends in exploitation in the wild. When those variables are added to the mix, Armis Research Labs concludes that some CWEs should be ranked higher.

Insights from the Last 120 Days by Armis Research Labs

An in-depth analysis of current CVE prevalence in the Armis knowledge base supports MITRE’s top ranking. In fact, our data substantiates the significance of one CWE in particular: CWE-787 is, unsurprisingly, the most common root cause in our data, and by a wide margin.

Our researchers also examined exploit attempts observed over the last 120 days and identified the five CWEs targeted most often in that period. These findings complement MITRE’s list with a view of what attackers are actually exploiting right now.

  1. CWE-20 – Improper Input Validation
  2. CWE-22 – Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  3. CWE-918 – Server-Side Request Forgery (SSRF)
  4. CWE-94 – Improper Control of Generation of Code (‘Code Injection’)
  5. CWE-306 – Missing Authentication for Critical Function

Several factors explain why these five CWEs are exploited so often. Let’s delve into each of them.

Generality: Improper input validation and path traversal (CWE-20 and CWE-22) are widespread because they occur across all types of applications and systems. Many developers fail to implement adequate checks on untrusted input, leaving openings for attackers to exploit.

Position in the Attack Chain: These weaknesses are often exploitable early in the attack chain, which makes them attractive to adversaries. Attackers leverage weak input validation, path traversal, server-side request forgery, code injection and missing authentication to gain initial access, and from there to escalate privileges and execute unauthorized actions.

Input Handling: CWE-20 (Improper Input Validation) and CWE-22 (Path Traversal) are both about how an application processes and interprets user-controlled input. Because every request carries such input, a missing or incomplete check is directly reachable by a remote attacker, with no other precondition.
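
As an added example, not code from the original post, the CWE-22 check described here, in Python: a naive join that lets `..` segments and absolute paths escape the base directory, beside a resolver that canonicalises the path and verifies containment by path components. The document root `/srv/files` and the request strings are assumptions for the example.

```python
import os

BASE_DIR = "/srv/files"  # assumed document root for the example


def serve_naive(base_dir, requested):
    """CWE-22: the user-supplied path is joined onto the base directory with no
    containment check. Returns the path the OS would actually open."""
    # os.path.join discards base_dir entirely when `requested` is absolute, and
    # normpath collapses the '..' segments that climb out of it.
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_under_base(base_dir, requested):
    """Return the canonical absolute path if it stays inside base_dir, else None."""
    base = os.path.realpath(base_dir)
    # Strip a leading separator so an absolute request cannot replace the base.
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    # Compare path components, not string prefixes: a startswith() check would
    # accept "/srv/files_private/secret" as being under "/srv/files".
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for req in ["reports/q1.pdf", "../../etc/passwd", "/etc/passwd", "../files_private/secret"]:
        print(f"{req!r}: naive -> {serve_naive(BASE_DIR, req)}, "
              f"checked -> {resolve_under_base(BASE_DIR, req)}")
```

Because `realpath` follows symlinks before the containment check, a symlink inside the document root that points outside it is rejected as well; a check that only normalises the string would let it through.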

Exploitability Across Multiple Layers: CWE-918 (SSRF) and CWE-94 (Code Injection) can be exploited across multiple layers of an application stack. SSRF lets an attacker make the server issue requests on their behalf, typically to reach internal services that are not exposed externally, while code injection lets them execute arbitrary code on the server. This flexibility in attack vectors increases the likelihood of successful exploitation.
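
As an added example, not code from the original post, the destination check a server should apply before issuing a request on a user’s behalf (the CWE-918 case above), in Python. The resolver is a constructed lookup table so the example runs offline; the hostnames and addresses in it, including the placeholder public address, are assumptions for the example.

```python
import ipaddress
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Constructed lookup table standing in for DNS so the example runs offline.
# Names and addresses are assumptions for the example.
FAKE_DNS = {
    "api.partner.example": "93.184.216.34",          # placeholder public address
    "metadata.internal.example": "169.254.169.254",  # cloud metadata service address
    "localtest.example": "127.0.0.1",                # name that resolves to loopback
}


def fake_resolve(hostname):
    return FAKE_DNS.get(hostname.lower())


def check_destination(url, resolver=fake_resolve):
    """Return (allowed, reason). Rejects non-HTTP schemes and any destination that
    resolves to a non-public address, whether given as a name or as a literal."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname  # lower-cased, IPv6 brackets already stripped
    if not host:
        return False, "no host in URL"
    try:
        ip = ipaddress.ip_address(host)  # literal address
    except ValueError:
        addr = resolver(host)  # hostname: judge what it resolves to, not the name
        if addr is None:
            return False, f"{host} does not resolve"
        ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 literal such as ::ffff:127.0.0.1 must be judged as IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global covers private, loopback, link-local and reserved ranges.
    if not ip.is_global or ip.is_multicast:
        return False, f"{ip} is not a public unicast address"
    return True, str(ip)


if __name__ == "__main__":
    for u in ["https://api.partner.example/v1",
              "http://169.254.169.254/latest/meta-data/",
              "http://metadata.internal.example/",
              "http://[::ffff:127.0.0.1]/",
              "file:///etc/passwd"]:
        print(u, "->", check_destination(u))
```

In production the resolver is the real one, and the check is only sound if the HTTP client then connects to the address that was validated rather than resolving the name a second time (otherwise a rebinding DNS answer defeats it) and does not follow redirects without re-checking each new destination.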

Inadequate Authentication Mechanisms: CWE-306 (Missing Authentication for Critical Function) covers cases where a critical function lacks any authentication control at all. Attackers specifically target these weaknesses to bypass authentication and gain privileged access for performing malicious actions or exfiltrating sensitive data.

These factors are why CWE-20, CWE-22, CWE-918 and CWE-94 have such a significant impact on data integrity and confidentiality: exploiting them can directly compromise sensitive information, leading to unauthorized disclosure, modification, or destruction.

Furthermore, the CWEs on the list often stem from common coding mistakes or oversights. Insufficient input validation, inadequate access controls, and improper handling of user-generated data are some of the common pitfalls that developers must address to mitigate the risks associated with these CWEs. By addressing these coding pitfalls, organizations can strengthen their defense against potential exploits.

Intelligence as the key to Reducing the Attack Surface

The Top 25 Most Dangerous Software Weaknesses ranking matters to developers and engineers as well as to security managers and executives. It helps developers focus on specific weakness classes during development, adopt secure coding practices and improve software security, reducing the likelihood of exploitation and protecting user data.

For security managers and executives, understanding the greatest risks allows them to make informed decisions regarding resource allocation, budgeting, and strategic planning for their organization’s security initiatives. By aligning their efforts with the vulnerabilities identified in the list, they can prioritize their investments, implement effective security controls, and mitigate the potential impact of cyber threats.

Adding in an extra layer of information capturing the dynamic nature of real-world vulnerabilities and evolving attacker trends will ultimately help bridge the gap between technical vulnerabilities and strategic decision-making, enabling organizations to better manage their overall security posture and protect their valuable assets.
